
How to change the index for sysmon from deployment server?

dkordyban
Engager

I have 1 Splunk server. It is search head, indexer and deployment server. I have sysmon and splunk universal forwarder installed on my clients. I also have Splunk_TA_microsoft_sysmon installed under /opt/splunk/etc/apps. The app is installed on client.

The sysmon client logs are reaching the indexer, but they are going to the main index. I want to change this to the sysmon index (newly created). I have tried creating a /local/inputs.conf file on the deployment server with the following:

index = sysmon

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
index = sysmon

I expected it to change the inputs.conf on the client side, but that never happens. It seems as though the client is honoring another .conf file. I am not sure what I am missing. Any advice would be appreciated.


PickleRick
SplunkTrust

In order to deploy apps from the deployment server you have to have the app located under etc/deployment-apps, not etc/apps, and have server classes defined properly so that the app gets pushed to the clients.

See from https://docs.splunk.com/Documentation/Splunk/8.2.4/Updating/Aboutdeploymentserver onwards


SinghK
Builder

The input that you have created on the DS/indexer should be on the client only, where the UF is installed. And that should fix it.


SanjayReddy
SplunkTrust

Hi @dkordyban

On the deployment server you need to create the config under etc/deployment-apps/ with the same app name as the app present on the client side. Copy the Splunk_TA_microsoft_sysmon app from the client side to the deployment server under etc/deployment-apps/, make the required changes and push it from the deployment server.

Under serverclass.conf you need to add restart=true for the sysmon client, so that splunkd restarts to take the new changes into effect.
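As an added example (not code from the thread or from the Splunk add-on), the following script builds the layout that PickleRick and SanjayReddy describe: the inputs.conf override goes under etc/deployment-apps/Splunk_TA_microsoft_sysmon/local/ on the deployment server, and serverclass.conf decides which clients receive the app and that splunkd is restarted on delivery (the documented key for that is restartSplunkd, which is what "restart=true" above refers to). The SPLUNK_HOME path, the server class name sysmon_clients and the whitelist pattern are assumptions; it also includes a small checker that reads the index back out of the stanza so the app can be verified before it is pushed.

```shell
#!/bin/sh
# Added example, not the thread's or the add-on's own code. Assumptions:
# SPLUNK_HOME is passed as $1, the server class is called sysmon_clients,
# and whitelist.0 = * targets every deployment client; adjust as needed.

# Write the inputs.conf override into etc/deployment-apps/<app>/local/,
# the directory the deployment server actually pushes, not etc/apps/.
make_sysmon_deployment_app() {
    splunk_home="$1"
    app_dir="$splunk_home/etc/deployment-apps/Splunk_TA_microsoft_sysmon"
    mkdir -p "$app_dir/local" "$splunk_home/etc/system/local"

    cat > "$app_dir/local/inputs.conf" <<'EOF'
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
index = sysmon
EOF

    # serverclass.conf: which clients get the app, and that splunkd on the
    # client restarts after the app is delivered (key name: restartSplunkd).
    cat > "$splunk_home/etc/system/local/serverclass.conf" <<'EOF'
[serverClass:sysmon_clients]
whitelist.0 = *

[serverClass:sysmon_clients:app:Splunk_TA_microsoft_sysmon]
restartSplunkd = true
stateOnClient = enabled
EOF
}

# Print the value of "index" inside one stanza of a .conf file, so the
# override can be checked before it is pushed. Scans from the requested
# stanza header up to the next header.
conf_stanza_index() {
    conf_file="$1"
    stanza="$2"
    awk -v want="[$stanza]" '
        /^\[/ { in_stanza = ($0 == want); next }
        in_stanza && $1 == "index" { print $NF; exit }
    ' "$conf_file"
}

# True when the app exists under deployment-apps (pushed), which is the
# location the deployment server reads; etc/apps/ on the server is ignored.
deployment_app_present() {
    [ -f "$1/etc/deployment-apps/Splunk_TA_microsoft_sysmon/local/inputs.conf" ]
}
```

After writing the files, run `splunk reload deploy-server` on the deployment server so it picks up the new serverclass.conf and app; the client then fetches the app into its own etc/apps/ and, because of restartSplunkd, restarts so the new index takes effect.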

richgalloway
SplunkTrust

Use btool on the client to learn which config file is setting the index name.

splunk btool --debug inputs list WinEventLog


---
If this reply helps you, Karma would be appreciated.
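To show how to read that btool output, here is an added example (not richgalloway's code): in --debug mode btool prefixes every effective line with the file it came from, so a short awk pass can report which file supplies "index" for one stanza. The sample output embedded below is constructed to mirror the situation in the question (the Sysmon stanza inheriting index = default from etc/system/default, which Splunk resolves to the default index, main); real paths and values on a forwarder will differ.

```shell
#!/bin/sh
# Added example, not from the thread. Parses the output of
#   splunk btool --debug inputs list WinEventLog
# and reports the effective "index" for one stanza together with the file
# that sets it. SAMPLE_BTOOL_OUTPUT is constructed, not captured.
SAMPLE_BTOOL_OUTPUT='/opt/splunkforwarder/etc/apps/Splunk_TA_microsoft_sysmon/default/inputs.conf [WinEventLog://Microsoft-Windows-Sysmon/Operational]
/opt/splunkforwarder/etc/apps/Splunk_TA_microsoft_sysmon/default/inputs.conf disabled = 0
/opt/splunkforwarder/etc/apps/Splunk_TA_microsoft_sysmon/default/inputs.conf renderXml = 1
/opt/splunkforwarder/etc/system/default/inputs.conf index = default
/opt/splunkforwarder/etc/apps/local_win_inputs/local/inputs.conf [WinEventLog://Security]
/opt/splunkforwarder/etc/apps/local_win_inputs/local/inputs.conf index = wineventlog'

# $1 = btool --debug text, $2 = stanza name without brackets.
# Prints "<index value> <file that set it>", or nothing if the stanza has
# no index line at all.
btool_index_source() {
    printf '%s\n' "$1" | awk -v want="[$2]" '
        {
            file = $1
            sub(/^[^ ]+ /, "")          # drop the path prefix, keep the conf line
            if ($0 ~ /^\[/) { in_stanza = ($0 == want); next }
            if (in_stanza && $1 == "index") { print $NF " " file; exit }
        }'
}

# Convenience wrapper for the Sysmon input from the question. An index of
# "default" coming from etc/system/default/inputs.conf means no app on the
# client overrides it, so events land in the default index (main).
sysmon_index_source() {
    btool_index_source "$1" 'WinEventLog://Microsoft-Windows-Sysmon/Operational'
}

# On a live forwarder (with splunk on PATH) you would feed real output in:
#   sysmon_index_source "$(splunk btool --debug inputs list WinEventLog)"
```

If the file reported is under etc/system/default rather than the add-on's local/ directory, the override never reached the client, which points back at the deployment-apps location and server class rather than at the input stanza itself.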


dkordyban
Engager

Thanks, that was it. I should have been modifying etc/deployment-apps/local/inputs.conf on the server.
