
Add-on for Microsoft Sysmon

Communicator

I have a clustered environment.

3 indexers with a cluster master, a search head (member of the cluster) and one heavy forwarder.

I want to configure Add-on for Microsoft Sysmon.

0 Karma

SplunkTrust

The add-on is available here on Splunkbase.

Please follow the provided instructions.

You might also want to read this part about "How to ask good questions".

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

0 Karma

Communicator

I believe my question was not understood properly.
Let me share more details here.
I have a clustered environment.
I downloaded the "Add-on for Microsoft Sysmon".
1- I installed the app on the search head (it is part of the indexer cluster).
2- I placed TA-Microsoft-sysmon on the cluster master under /opt/splunk/etc/master-apps/

My question is:

1- Am I supposed to install or copy the TA to the heavy forwarder as well,
or, optionally, can I point it directly to one of the indexer peers?

2- Do I need to create the indexes.conf file as well? If yes, then where?

Please advise.

0 Karma

SplunkTrust

I believe you didn't ask a question at the beginning 😉
This is now much more helpful.

You only need to install the TA on the search heads - it doesn't have any index-time config, so no need to put it on the indexers or heavy forwarders.

However, you have to distribute it to any Windows UF (via deployment server) that's supposed to actually collect sysmon data.

Regarding the index - the TA has a default inputs.conf, but it defines no index, so by default your data would go to the index main.
That is usually not what you want - so create an inputs.conf on your UFs/deployment server, and only put in these lines:

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = yourindex

That index has to exist; you can use an existing one or create a new one. For that, follow the docs on how to create an index in a clustered environment.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

Communicator

It is very helpful.
Further to that:

1- On the workstation where I installed Sysmon, previously I was receiving the event logs (Application, System and Security) in the os_windows1 index.

Now I am only receiving the Sysmon logs.
Somewhere I saw these logs in XML format. How can we approach that?

Is it possible that I can send all these log types (Application, System, Security and Sysmon) to the os_windows1 index?

My inputs.conf:

[default]
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = os_windows1

0 Karma

SplunkTrust

Your inputs.conf stanza just needs an entry like this:

renderXml = True

You can also add other WinEventLog lines for application, system, security, etc. - did you remove them from your inputs.conf?

Communicator

No, I did not remove any line.
Below is my original inputs.conf file.

[default]
host = Gxx-x-79
index=os_windows1


So now, if I want to add Security logs as well, then what should I write?

0 Karma

SplunkTrust

You can find more about this in this doc.

It's basically one input stanza per Windows log category, like this:

[WinEventLog://Security]

See the doc for more details.

Communicator

🙂 I was just going to write to you.
Actually, during UF installation, I selected Application, System and Security logs.

Maybe because of that they got pre-configured. However, I installed the UF on another machine with a simple setup and then I configured these parameters manually in \local\inputs.conf

============
One question:

Regardless of my previous configuration,
can I add [WinEventLog://Security] manually in the inputs.conf file...?

0 Karma

SplunkTrust

Sure you can. If you select it during install, it should be put into etc/system/local/inputs.conf

0 Karma
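As an added example (not part of the thread or of the Splunk add-on itself), the snippet below pulls the advice from this thread together: a constructed inputs.conf with one WinEventLog stanza per channel (Application, System, Security and the Sysmon operational channel) routed through a [default] index setting, plus a small checker that resolves the effective index of each stanza the way the answer describes (a stanza without its own index inherits [default]; with no index anywhere it falls through to main). It flags the failure mode from the thread, Sysmon events silently landing in main when only the TA's own inputs.conf is in play, and reports whether renderXml is set. The index name os_windows1 and the host value are taken from the thread; the checker only evaluates a single file and is a simplification of Splunk's real multi-file precedence.

```python
import configparser

# Constructed inputs.conf for a Windows universal forwarder, as a deployment
# server would push it. Every channel inherits index from [default]; the
# Sysmon stanza additionally asks for the XML rendering discussed above.
SAMPLE_INPUTS_CONF = """\
[default]
host = Gxx-x-79
index = os_windows1

[WinEventLog://Application]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
"""

# Constructed "TA only" variant: the add-on's default inputs.conf carries no
# index, so on its own the Sysmon events would end up in main.
SAMPLE_TA_DEFAULT_CONF = """\
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
"""


def parse_inputs_conf(text):
    """Parse a Splunk-style .conf file, treating [default] as the inherited
    stanza (assumption: a single file, no other apps contribute settings)."""
    cp = configparser.ConfigParser(
        default_section="default",   # Splunk's [default] stanza, not Python's DEFAULT
        interpolation=None,          # Splunk values may contain '%' literally
        delimiters=("=",),
    )
    cp.optionxform = str             # keep key case, e.g. renderXml
    cp.read_string(text)
    return cp


def effective_indexes(text, fallback="main"):
    """Map each WinEventLog stanza to the index its events would reach."""
    cp = parse_inputs_conf(text)
    return {
        name: cp[name].get("index", fallback)
        for name in cp.sections()
        if name.startswith("WinEventLog://")
    }


def stanzas_landing_in(text, index="main"):
    """Stanzas whose events would land in the given index (e.g. the unwanted main)."""
    return sorted(n for n, idx in effective_indexes(text).items() if idx == index)


def renders_xml(text, stanza):
    """True when the stanza asks the forwarder for XML-rendered events."""
    cp = parse_inputs_conf(text)
    return cp.has_section(stanza) and cp[stanza].getboolean("renderXml", fallback=False)


if __name__ == "__main__":
    for label, conf in (("deployment-server inputs.conf", SAMPLE_INPUTS_CONF),
                        ("TA default inputs.conf", SAMPLE_TA_DEFAULT_CONF)):
        print(label)
        for stanza, idx in effective_indexes(conf).items():
            print(f"  {stanza} -> index={idx}, renderXml={renders_xml(conf, stanza)}")
        leaking = stanzas_landing_in(conf)
        if leaking:
            print("  WARNING: these stanzas would write to main:", leaking)
```

Running the file prints the resolved index for every stanza and warns about the TA-only variant; in a real deployment the same check is worth repeating against the merged output of `splunk btool inputs list --debug` on the forwarder, since settings from other apps can override what a single file shows.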