
Why am I getting incorrect results from btool during diagnostics for a Splunk 6.3.1 Windows universal forwarder?

When running the btool on the inputs.conf files on a Windows universal forwarder (v6.3.1), the results appear to be incorrect and this is making it difficult to find the root of my original issue. The purpose of the diagnostics is to disable unused inputs such as MonitorNoHandle, RegMon etc. The issue appears to be reproducible if you install a completely new version of the UFW and then run btool --debug.

Two examples of the problem are:

1. The majority of the standard Windows stanzas are listed as coming from the splunk_httpinput app (which is installed by default in the UFW).
2. The inputs file from the splunk_httpinput app only contains the [http] stanza, but all the values from that stanza are listed as if global default settings.

For example, see the following output from the btool for the MonitorNoHandle stanza. The first line suggests this stanza is from the splunk_httpinput app, but it is actually defined in the system-default-inputs.conf. Also the line *port = 8088* is showing in this as coming from the splunk_httpinput app, which is correct, but this is only defined under the HTTP stanza in that file. So it is strange that this is being taken as a global setting for another stanza.

Is there any explanation for this? Or is btool just not 100% accurate? I can reproduce this issue by taking a completely standard UFW MSI file and installing it on any Windows server. So it does not appear to be an individual issue with my servers.

    c:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf [MonitorNoHandle]
    c:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf _rcvbuf = 1572864
    c:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf baseline = 0
    c:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf dedicatedIoThreads = 2
    c:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf disabled = 1
    c:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf enableSSL = 1
    c:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dc_name =
    c:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_dns_name =
    c:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
    host = win2k8r2
    index = default
    c:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf interval = 60
    c:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf maxSockets = 0
    c:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf maxThreads = 0
    c:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf port = 8088
    c:\Program Files\SplunkUniversalForwarder\etc\apps\splunk_httpinput\default\inputs.conf useDeploymentServer = 0
