All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change the index for sysmon from deployment server?

dkordyban
Engager
‎02-11-2022 04:25 AM

I have 1 Splunk server. It is search head, indexer and deployment server. I have sysmon and splunk universal forwarder installed on my clients. I also have Splunk_TA_microsoft_sysmon installed under /opt/splunk/etc/apps. The app is installed on client.

The sysmon client logs are getting to indexer but they are going to main index. I want to change this to the sysmon index (newly created). I have tried creating a /local/inputs.conf file on deployment server with the

index = sysmon

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
index = sysmon

I expected it to change the  inputs.conf of the client side, but that never happens. It seems as thought the client is honoring another .conf file. I am not sure what I am missing. Any advise would be appreciated.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎02-11-2022 04:46 AM

In order to deploy apps from deployment server you have to have an app located under etc/deployment-apps, not etc/apps and have server classes defined properly so that the app is getting pushed to the clients.

See from https://docs.splunk.com/Documentation/Splunk/8.2.4/Updating/Aboutdeploymentserver onwards

View solution in original post

0 Karma
Reply
Solved! Jump to solution

SinghK
Builder
‎02-11-2022 05:03 AM

The input that you have created on DS/INDEXER

should be on the client only  where UF is installed. And that should fix it.

 

0 Karma
Reply
Solved! Jump to solution

SanjayReddy
SplunkTrust
SplunkTrust
‎02-11-2022 04:59 AM

Hi @dkordyban 

on deployment server you need create  config under etc/deployment-apps/  with app name same as app present in client side , you need to copy Splunk_TA_microsoft_sysmon app from client side to deployment server under etc/deployment-apps/ and make required  changes and push it from deployment server 

under serverclass.conf you need add restart=true  for sysmon client , so that splunkd restart to take new changes in effect 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-11-2022 04:54 AM

Use btool on the client to learn which config file is setting the index name. 

splunk btool --debug inputs list WinEventLog

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎02-11-2022 04:46 AM

In order to deploy apps from deployment server you have to have an app located under etc/deployment-apps, not etc/apps and have server classes defined properly so that the app is getting pushed to the clients.

See from https://docs.splunk.com/Documentation/Splunk/8.2.4/Updating/Aboutdeploymentserver onwards

0 Karma
Reply
Solved! Jump to solution

dkordyban
Engager
‎02-11-2022 08:16 AM

Thanks that was it. I should have been modifying etc/deployment-apps/local/inputs.conf on the server.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...