All Apps and Add-ons

TA-microsoft-sysmon on Forwarders (UFs) - add a output.conf ?

spunk311z
Path Finder

Im a bit new to deploying forwarders on endpoints i manage (im not new to splunk)-

Many guides i see (including the install instructions for this sysmon TA), state that you should deploy this TA onto your forwarders.

To do this, the user will need to manually create a outputs.conf file (w indexer IP/dns) and place it in: \TA-microsoft-sysmon\default\

So why is there not a default/blank output.conf file located in \TA-microsoft-sysmon\default\ , from the start?
(or even a blank file, with just a #nothing line? I get that the devs dont know the IP / DNS of our indexers).

(im not complaining about this , im asking this incase im missing something and so that i can better understand, as it would seem to me a majority of users of this TA will be deploying it on forwarders as well as their indexer- so im wondering why there is not a outputs.conf "place holder").
thanks!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...