All Apps and Add-ons

How to change the index for sysmon from deployment server?

dkordyban
Engager

I have 1 Splunk server. It is search head, indexer and deployment server. I have sysmon and splunk universal forwarder installed on my clients. I also have Splunk_TA_microsoft_sysmon installed under /opt/splunk/etc/apps. The app is installed on client.

The sysmon client logs are getting to indexer but they are going to main index. I want to change this to the sysmon index (newly created). I have tried creating a /local/inputs.conf file on deployment server with the

index = sysmon

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
index = sysmon

I expected it to change the  inputs.conf of the client side, but that never happens. It seems as thought the client is honoring another .conf file. I am not sure what I am missing. Any advise would be appreciated.

Labels (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

In order to deploy apps from deployment server you have to have an app located under etc/deployment-apps, not etc/apps and have server classes defined properly so that the app is getting pushed to the clients.

See from https://docs.splunk.com/Documentation/Splunk/8.2.4/Updating/Aboutdeploymentserver onwards

View solution in original post

0 Karma

SinghK
Builder

The input that you have created on DS/INDEXER

should be on the client only  where UF is installed. And that should fix it.

 

0 Karma

SanjayReddy
SplunkTrust
SplunkTrust

Hi @dkordyban 

on deployment server you need create  config under etc/deployment-apps/  with app name same as app present in client side , you need to copy Splunk_TA_microsoft_sysmon app from client side to deployment server under etc/deployment-apps/ and make required  changes and push it from deployment server 

under serverclass.conf you need add restart=true  for sysmon client , so that splunkd restart to take new changes in effect 

richgalloway
SplunkTrust
SplunkTrust

Use btool on the client to learn which config file is setting the index name. 

splunk btool --debug inputs list WinEventLog

 

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust
SplunkTrust

In order to deploy apps from deployment server you have to have an app located under etc/deployment-apps, not etc/apps and have server classes defined properly so that the app is getting pushed to the clients.

See from https://docs.splunk.com/Documentation/Splunk/8.2.4/Updating/Aboutdeploymentserver onwards

0 Karma

dkordyban
Engager

Thanks that was it. I should have been modifying etc/deployment-apps/local/inputs.conf on the server.

0 Karma
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...