
Workaround for Windows universal forwarder enabling inputs unexpectedly on installation or upgrade
Important: A new build of the Splunk universal forwarder for Windows which fixes the issue described in this topic is available on Splunk's universal forwarder download page. The fixed universal forwarder has build number 182611 and was made available on Tuesday, October 8, 2013.
Introduction
This page discusses how to work around an issue where installing or upgrading the Splunk 6.0 universal forwarder on Windows systems enables the Registry monitor and file system change (FSchange) inputs unexpectedly under certain conditions.
Symptoms
When you install or upgrade the Splunk version 6.0 universal forwarder under certain conditions as detailed below, the universal forwarder enables monitoring of the Registry and changes to the file system.
Soon after installing the universal forwarder, you might see license violations on your Splunk indexers due to the significant increase in indexing volume that the enabled inputs generate.
Cause
This problem has multiple causes:
- The Splunk Technology Add-on for Windows (which is included in the Splunk universal forwarder installation package) has a configuration file, regmon-filters.conf, which enables Registry monitoring by default.
- The TA also has an inputs.conf which enables the fschange input by default.
- Migration logic introduced in version 5.0 of Splunk now moves configuration information from files like regmon-filters.conf to inputs.conf. This causes specific problems in this scenario when you upgrade the universal forwarder.
This problem only appears on Windows systems.
Workaround
To work around this issue, follow the instructions in the table below based on the scenario that best applies to your situation:
Scenario | Impact | Workaround |
---|---|---|
 | No impact. | No workaround needed. |
 | The forwarder installs the Splunk Technology Add-on for Windows. The TA enables the Registry Monitor and FSchange inputs by default. This results in increased indexing volume and potential license violations. | After installing the forwarder, edit regmon-filters.conf and inputs.conf in the %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local directory to explicitly disable the inputs. Then restart the universal forwarder so the changes take effect. Confirm that the forwarder is no longer collecting Registry monitoring and FSchange data. |
 | The TA enables the Registry Monitor and FSchange inputs by default. This results in increased indexing volume and potential license violations. | After installing the Splunk Technology Add-on for Windows, edit regmon-filters.conf and inputs.conf in the %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local directory to explicitly disable the inputs. Then restart the universal forwarder so the changes take effect. Confirm that the forwarder is no longer collecting Registry monitoring and FSchange data. |
 | If you have not explicitly disabled existing Windows inputs, any inputs that get migrated from their Version 4- or 5-style configuration files will be enabled by default in Version 6 due to how migration to modular inputs works. This leads to collection of unexpected information by the upgraded forwarder. | After upgrading the forwarder, review inputs.conf for migrated Windows inputs, and disable any that you do not want enabled by adding disabled=1 to each such input's stanza. |
 | If you have not explicitly disabled existing Windows inputs, any inputs that get migrated from their Version 4- or 5-style configuration files will be enabled by default in Version 6 due to how migration to modular inputs works. This leads to collection of unexpected information by the upgraded forwarder. | After upgrading the forwarder, review inputs.conf for migrated Windows inputs, and disable any that you do not want enabled by adding disabled=1 to each such input's stanza. |
Important: You must restart Splunk on the computer after performing any changes for those changes to take effect.
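The following Python is an added example, not Splunk's tooling or the TA's real default file: it models the workaround in the table by parsing inputs.conf stanzas, generating a local/inputs.conf override that sets disabled=1 on every Registry monitor and fschange stanza, and applying Splunk's local-over-default layering to confirm that no such input remains enabled. The stanza prefixes WinRegMon:// and fschange: and the sample default file are assumptions.

```python
# Constructed stand-in for the TA's shipped default inputs.conf (not the real file).
DEFAULT_INPUTS = """\
[WinRegMon://default]
disabled = 0
[fschange:C:\\Windows\\System32]
disabled = 0
[WinEventLog://Security]
disabled = 0
"""
NOISY = ("WinRegMon://", "fschange:")  # assumed stanza prefixes of the two noisy inputs

def parse_conf(text):
    """Minimal Splunk .conf parser: [stanza] headers, key = value lines, # comments."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_inputs(default_text, local_text):
    """Splunk layering: a key in local/ overrides the same key in default/ per stanza."""
    merged = parse_conf(default_text)
    for name, keys in parse_conf(local_text).items():
        merged.setdefault(name, {}).update(keys)
    return merged

def is_enabled(keys):
    return keys.get("disabled", "0").lower() not in ("1", "true")  # missing key = enabled

def local_overrides(default_text, local_text=""):
    """Text for local/inputs.conf: disabled = 1 on every noisy stanza, existing local kept."""
    local = parse_conf(local_text)
    for name in parse_conf(default_text):
        if name.startswith(NOISY):
            local.setdefault(name, {})["disabled"] = "1"
    lines = []
    for name, keys in local.items():
        lines += [f"[{name}]"] + [f"{k} = {v}" for k, v in keys.items()] + [""]
    return "\n".join(lines)

def still_collecting(default_text, local_text):
    """Noisy inputs still enabled after layering; an empty list means the fix took effect."""
    merged = effective_inputs(default_text, local_text)
    return sorted(n for n, k in merged.items() if n.startswith(NOISY) and is_enabled(k))
```

Write the returned text to %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local\inputs.conf and restart the forwarder; the layering check mirrors what `splunk btool inputs list` would report after the restart.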
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1