Symantec is investigating at this time.
Possible configuration workarounds, listed in order of greatest reduction in CPU cycles:
- Identify which features of Splunk Universal Forwarder are unnecessary or overused in your environment, then change the Interval for one or more of those features to disable them or reduce how often they run.
NOTE: Making these changes effective may require a scheduled restart of the Splunk server that holds the settings for the target instances of splunkd.exe.
- Within SEDR, on the SEPM Controller connection, create process exclusions for the features of Splunk Universal Forwarder that you want to retain.
- Use a divide-and-conquer methodology to isolate which Recording features create the most CPU usage, then decide how to balance CPU usage against security needs: create a SEP client group, add it to Recording Exceptions, and disable all event recording, then proceed through divide-and-conquer troubleshooting to evaluate which recording features add the most CPU usage.
To disable one or more features of Splunk Universal Forwarder
To create process exclusions for Splunk Universal Forwarder which you seek to retain
SEDR 4.4 and prior:
- On the SEDR UI, navigate to Settings > Global
- Scroll down to the list of SEPM Controller connections
- On the line for the SEPM Controller connection you want to modify, click the ellipsis on the right side of the line, then click Recorder Exceptions
- Add exceptions for the following process names:
splunkd.exe
splunk-powershell.exe
- Add exceptions for the SHA256 hashes of these two executable files
SEDR 4.5 and later:
- On the SEDR UI, navigate to Policies > Recorder
- Click the + sign to add a Recorder Rule
- Choose 'Disable Monitoring'
- Add the fully qualified actor path for each of the following process names:
splunkd.exe
splunk-powershell.exe
- Add exceptions for the SHA256 hashes of these two executable files
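Both procedures above need the fully qualified actor path and the SHA256 hash of splunkd.exe and splunk-powershell.exe. The following PowerShell is an added example, not part of the Symantec article, for collecting those values on a forwarder host; it assumes you run it elevated and that the default install directory named in the script is correct for your environment.

```powershell
# Added example: gather the actor paths and SHA256 hashes needed for the
# SEDR Recorder Exceptions (4.4 and prior) or Disable Monitoring rule (4.5+).
# Assumptions: run as an administrator; the install directory below is the
# assumed default and may differ on your hosts.

$names = @('splunkd', 'splunk-powershell')
$defaultBin = 'C:\Program Files\SplunkUniversalForwarder\bin'   # assumed default

$results = foreach ($name in $names) {
    # Prefer the path of the running process, since that is the actor path
    # the Recorder observes. Path may be empty when not elevated.
    $path = Get-Process -Name $name -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Path -First 1
    if (-not $path) {
        # Process not running (or path not readable): use the install directory.
        $path = Join-Path $defaultBin "$name.exe"
    }
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    } else {
        $hash = 'NOT FOUND'
    }
    [pscustomobject]@{ Process = "$name.exe"; ActorPath = $path; SHA256 = $hash }
}

$results | Format-Table -AutoSize
# Keep a copy for the change record; re-run it after any forwarder upgrade.
$results | Export-Csv -Path .\splunk-uf-recorder-exclusions.csv -NoTypeInformation
```

Hash-based exceptions match only the exact binaries hashed, so an upgrade of the Universal Forwarder silently reverts the exclusion until the new hashes are added.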