
How to change the index for sysmon from deployment server?

dkordyban
Engager

I have 1 Splunk server. It is search head, indexer and deployment server. I have sysmon and splunk universal forwarder installed on my clients. I also have Splunk_TA_microsoft_sysmon installed under /opt/splunk/etc/apps. The app is installed on client.

The sysmon client logs are getting to indexer but they are going to main index. I want to change this to the sysmon index (newly created). I have tried creating a /local/inputs.conf file on deployment server with the

index = sysmon

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
index = sysmon

I expected it to change the inputs.conf on the client side, but that never happens. It seems as though the client is honoring another .conf file. I am not sure what I am missing. Any advice would be appreciated.


PickleRick
Ultra Champion

In order to deploy apps from deployment server you have to have an app located under etc/deployment-apps, not etc/apps and have server classes defined properly so that the app is getting pushed to the clients.

See from https://docs.splunk.com/Documentation/Splunk/8.2.4/Updating/Aboutdeploymentserver onwards


SinghK
Builder

The input that you have created on DS/INDEXER should be on the client only, where UF is installed. And that should fix it.


SanjayReddy
Builder

Hi @dkordyban 

On the deployment server you need to create the config under etc/deployment-apps/ with the same app name as the app present on the client side. You need to copy the Splunk_TA_microsoft_sysmon app from the client side to the deployment server under etc/deployment-apps/, make the required changes and push it from the deployment server.

Under serverclass.conf you need to add restart=true for the sysmon client, so that splunkd restarts to take the new changes into effect.
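
An added example (not code from the thread or from the Splunk TA) of the layout PickleRick and SanjayReddy describe: the app is staged under etc/deployment-apps, its local/inputs.conf carries the Sysmon stanza with index = sysmon, and a serverclass.conf entry restarts splunkd on the clients. The server class name sysmon_clients and the host-* whitelist are placeholders; the restart key used here is restartSplunkd, the serverclass.conf spelling of the "restart=true" mentioned above.

```shell
#!/bin/sh
# Stage Splunk_TA_microsoft_sysmon for the deployment server. Assumptions:
# SPLUNK_HOME is the server's install directory (override it for a dry run),
# the app name matches the one installed on the client, and the server class
# name and whitelist pattern are placeholders to adapt.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
APP_NAME="Splunk_TA_microsoft_sysmon"
SERVER_CLASS="sysmon_clients"
INDEX_NAME="sysmon"
SYSMON_STANZA="[WinEventLog://Microsoft-Windows-Sysmon/Operational]"

stage_sysmon_app() {
    app_dir="$SPLUNK_HOME/etc/deployment-apps/$APP_NAME"
    mkdir -p "$app_dir/local"
    # Only override the stanza the client needs; the TA's defaults stay untouched.
    cat > "$app_dir/local/inputs.conf" <<EOF
$SYSMON_STANZA
disabled = false
renderXml = 1
index = $INDEX_NAME
EOF
}

write_serverclass() {
    conf="$SPLUNK_HOME/etc/system/local/serverclass.conf"
    mkdir -p "$(dirname "$conf")"
    # restartSplunkd makes the client restart so the new input takes effect.
    cat > "$conf" <<EOF
[serverClass:$SERVER_CLASS]
whitelist.0 = host-*

[serverClass:$SERVER_CLASS:app:$APP_NAME]
restartSplunkd = true
EOF
}

# Resolve the index the staged Sysmon stanza sets (what btool will show on the client).
staged_index() {
    awk -F' *= *' -v want="$SYSMON_STANZA" '
        /^\[/ { in_stanza = ($0 == want) }
        in_stanza && $1 == "index" { print $2 }
    ' "$SPLUNK_HOME/etc/deployment-apps/$APP_NAME/local/inputs.conf"
}

if [ "${1:-}" = "--apply" ]; then
    stage_sysmon_app
    write_serverclass
fi
```

Run it with --apply on the deployment server, then reload the server with `splunk reload deploy-server` so the clients pick up the app.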

richgalloway
SplunkTrust

Use btool on the client to learn which config file is setting the index name. 

splunk btool --debug inputs list WinEventLog

---
If this reply helps you, an upvote would be appreciated.


dkordyban
Engager

Thanks, that was it. I should have been modifying etc/deployment-apps/local/inputs.conf on the server.
