I've set up the Windows Defender TA on Splunk Light using these instructions:
https://answers.splunk.com/answers/557366/a-guide-to-installing-a-splunk-ta-at-command-line.html
When I try to set up a data input I can see Microsoft-Windows-Windows Defender/Operational, but when I try to enable it I get the following error:
Error occurred attempting to enable Microsoft-Windows-Windows Defender/Operational: In handler 'remote_eventlogs': Data could not be written: /nobody/TA-microsoft-windefender/inputs/WinEventLog://Microsoft-Windows-Windows Defender/Operational/disabled: 0.
Solution found myself. It's caused by permissions issues. There's an inputs conf file which won't allow changes to be made to it.
Here's the solution...
Copied input Conf file to desktop from:
C:\Program Files\Splunk\etc\deployment-apps\TA-microsoft-windefender\default\inputs.conf
Opened on the desktop with notepad:
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = windefender
disabled = true
renderXml = 1
Changed disabled = true to disabled = 0
Saved as a conf file and pasted over the existing conf file overwriting it.
Windows defender event log now says enabled.
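The same edit scripted in PowerShell, as an added example that is not part of the original post. Instead of overwriting default\inputs.conf, it copies the one stanza into the app's local\inputs.conf with disabled = 0; Splunk reads local\ over default\, and default\ is replaced when the TA is upgraded, so the fix survives. The app path is the one given in the answer; everything else (the local\ target, the stanza-extraction logic) is this example's assumption. Run it from an elevated prompt, since the Program Files ACLs are the permissions issue the answer describes.

```powershell
# Added example, not from the original post. Applies the answer's fix in local\ rather than default\.
$AppDir  = 'C:\Program Files\Splunk\etc\deployment-apps\TA-microsoft-windefender'   # path from the answer
$Default = Join-Path $AppDir 'default\inputs.conf'
$Local   = Join-Path $AppDir 'local\inputs.conf'                                      # assumed target
$Stanza  = '[WinEventLog://Microsoft-Windows-Windows Defender/Operational]'

# Read the shipped default file and make sure the stanza we want to override is there.
$lines = Get-Content -LiteralPath $Default
if (-not ($lines | Where-Object { $_.Trim() -eq $Stanza })) {
    throw "Stanza $Stanza not found in $Default"
}

# Copy only the target stanza, rewriting its 'disabled' key to 0 (enabled).
$stanzaLines = New-Object System.Collections.Generic.List[string]
$inStanza = $false
foreach ($line in $lines) {
    if ($line -match '^\s*\[') { $inStanza = ($line.Trim() -eq $Stanza) }   # stanza header starts/ends tracking
    if (-not $inStanza) { continue }
    if ($line -match '^\s*disabled\s*=') { $stanzaLines.Add('disabled = 0') }
    else                                 { $stanzaLines.Add($line) }
}

# Write the override; local\ may not exist yet in a freshly installed TA.
New-Item -ItemType Directory -Path (Split-Path $Local) -Force | Out-Null
Set-Content -LiteralPath $Local -Value $stanzaLines -Encoding ASCII

# Show the result so the enabled state can be confirmed before restarting Splunk.
Get-Content -LiteralPath $Local
```

After writing local\inputs.conf, restart Splunk (or reload the deployment server if this path is pushed to forwarders) so the enabled stanza takes effect; the input should then show as enabled in the UI just as the answer describes.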
@cubicmotion If your problem is resolved, please accept the answer to help future readers.