I have 1 Splunk server. It is search head, indexer and deployment server. I have sysmon and splunk universal forwarder installed on my clients. I also have Splunk_TA_microsoft_sysmon installed under /opt/splunk/etc/apps. The app is installed on client.
The sysmon client logs are getting to the indexer, but they are going to the main index. I want to change this to the sysmon index (newly created). I have tried creating a /local/inputs.conf file on the deployment server with the following:
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
index = sysmon
I expected it to change the inputs.conf on the client side, but that never happens. It seems as though the client is honoring another .conf file. I am not sure what I am missing. Any advice would be appreciated.
In order to deploy apps from deployment server you have to have an app located under etc/deployment-apps, not etc/apps and have server classes defined properly so that the app is getting pushed to the clients.
See from https://docs.splunk.com/Documentation/Splunk/8.2.4/Updating/Aboutdeploymentserver onwards
The input that you have created on the DS/indexer should be on the client only, where the UF is installed. That should fix it.
Hi @dkordyban
On the deployment server you need to create the config under etc/deployment-apps/ with the same app name as the app present on the client side. You need to copy the Splunk_TA_microsoft_sysmon app from the client side to the deployment server under etc/deployment-apps/, make the required changes, and push it from the deployment server.
Under serverclass.conf you need to add restart=true for the sysmon client, so that splunkd restarts to take the new changes into effect.
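Putting the answers above together, as an added example that is not from any of the posters: a script for the Linux deployment server that creates the deployment app under etc/deployment-apps, writes a serverclass.conf that pushes it with a splunkd restart, and reloads the deployment server. SPLUNK_HOME=/opt/splunk and the server class name sysmon_clients are assumptions; the app name is the one from the question.

```shell
#!/bin/sh
# Added example (not from the original thread): build the deployment app and
# server class the answers above describe. Assumptions: a Linux deployment
# server with SPLUNK_HOME=/opt/splunk and a server class called sysmon_clients.
# The app name must match what already sits under etc/apps on the forwarders,
# because the pushed directory replaces the client's copy of that app.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
APP_NAME="Splunk_TA_microsoft_sysmon"
SERVER_CLASS="sysmon_clients"   # assumed name

# Create etc/deployment-apps/<app>/local/inputs.conf with the index override.
# local/ wins over the TA's default/ on the client. Prints the path written.
write_deploy_app() {
    app_dir="$1/etc/deployment-apps/$APP_NAME"
    mkdir -p "$app_dir/local"
    cat > "$app_dir/local/inputs.conf" <<'EOF'
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
index = sysmon
EOF
    printf '%s\n' "$app_dir/local/inputs.conf"
}

# Create etc/system/local/serverclass.conf: which clients receive the app and
# whether splunkd restarts after the push. Overwrites an existing file, so
# merge by hand if you already have server classes. Prints the path written.
write_serverclass() {
    conf_dir="$1/etc/system/local"
    mkdir -p "$conf_dir"
    cat > "$conf_dir/serverclass.conf" <<EOF
[serverClass:$SERVER_CLASS]
# Matches every client that phones home; narrow this to the Sysmon hosts
# (hostname or IP patterns) so the TA is not pushed where it does not belong.
whitelist.0 = *

[serverClass:$SERVER_CLASS:app:$APP_NAME]
restartSplunkd = true
stateOnClient = enabled
EOF
    printf '%s\n' "$conf_dir/serverclass.conf"
}

# Make the deployment server re-read serverclass.conf; forwarders pick the app
# up on their next phone-home. Returns 1 if no splunk binary is present.
reload_deploy_server() {
    if [ -x "$1/bin/splunk" ]; then
        "$1/bin/splunk" reload deploy-server
    else
        echo "no splunk binary under $1; run 'splunk reload deploy-server' there" >&2
        return 1
    fi
}

# Only touch the real SPLUNK_HOME when asked to explicitly.
if [ "${1:-}" = "--apply" ]; then
    write_deploy_app "$SPLUNK_HOME"
    write_serverclass "$SPLUNK_HOME"
    reload_deploy_server "$SPLUNK_HOME"
fi
```

Run it with `--apply` on the deployment server. Nothing in etc/apps on the server is involved: the client receives the whole etc/deployment-apps/Splunk_TA_microsoft_sysmon directory, and restartSplunkd = true is what makes the forwarder re-read inputs.conf after the push.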
Use btool on the client to learn which config file is setting the index name.
splunk btool --debug inputs list WinEventLog
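As an added example that is not from the answerer: btool's --debug output prefixes every line with the file it came from, so the file that wins for `index` inside the Sysmon stanza is the direct answer to "which .conf is the client honoring?". The script below parses that output and reports the source of a setting. The btool output is constructed to resemble a Windows forwarder where no app sets index; the app name my_windows_inputs in it is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread): report which file supplies a
# given setting of a stanza in `splunk btool inputs list WinEventLog --debug`
# output. The sample is constructed, not captured from a real host; it shows a
# forwarder where the TA defines the Sysmon stanza but nothing sets index, so
# the system default (index = default, i.e. the indexer's default index, main
# unless changed) wins. The app my_windows_inputs is hypothetical.
BTOOL_SAMPLE='C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf [WinEventLog://Microsoft-Windows-Sysmon/Operational]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                           _rcvbuf = 1572864
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf disabled = false
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                           host = $decideOnStartup
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf                           index = default
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf renderXml = 1
C:\Program Files\SplunkUniversalForwarder\etc\apps\my_windows_inputs\local\inputs.conf             [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\apps\my_windows_inputs\local\inputs.conf             disabled = false
C:\Program Files\SplunkUniversalForwarder\etc\apps\my_windows_inputs\local\inputs.conf             index = wineventlog'

# Usage: setting_source '<stanza header>' <key>  < btool-debug-output
# Prints "<file>TAB<value>" for the line that supplies <key> inside <stanza>.
setting_source() {
    awk -v stanza="$1" -v key="$2" '
    {
        # The originating file always ends in .conf followed by whitespace;
        # splitting there copes with paths that contain spaces.
        if (match($0, /\.conf[ \t]+/) == 0) next
        file = substr($0, 1, RSTART + 4)
        rest = substr($0, RSTART + RLENGTH)
        if (substr(rest, 1, 1) == "[") { cur = rest; next }   # stanza header
        eq = index(rest, " = ")
        if (eq == 0) next
        if (cur == stanza && substr(rest, 1, eq - 1) == key)
            print file "\t" substr(rest, eq + 3)
    }'
}

# Wrapper for the stanza in the question, fed from the constructed sample.
sysmon_index_source() {
    printf '%s\n' "$BTOOL_SAMPLE" \
        | setting_source '[WinEventLog://Microsoft-Windows-Sysmon/Operational]' index
}

# Interpret the result: a file under etc/system/default means no app sets the
# key at all, which is exactly the symptom of Sysmon events landing in main.
sysmon_index_source | while IFS="$(printf '\t')" read -r file value; do
    case "$file" in
        *system?default?inputs.conf)
            echo "index=$value comes from system defaults ($file); no app overrides it" ;;
        *)
            echo "index=$value is set by $file" ;;
    esac
done
```

On a real forwarder replace the sample with the live output, for example `splunk btool inputs list WinEventLog --debug | setting_source '[WinEventLog://Microsoft-Windows-Sysmon/Operational]' index`. Once the deployed app has arrived, the reported file should be the TA's local/inputs.conf and the value sysmon; if it is still the system default, the push has not reached the client or splunkd has not restarted.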
Thanks, that was it. I should have been modifying etc/deployment-apps/local/inputs.conf on the server.