Solved: Windows universal forwarder with a static config f...

ng87 · ‎01-06-2022

I was hoping if someone can help me. We are looking into deploying Sysmon and the Universal forwarder remotely in very specific circumstances ( suspicious activity on a host or by a user etc etc ) . I am struggling on being able to get the universal forwarder setup remotely. Essentially i just need the universal forwarder to forward the sysmon event logs ( Microsoft-Windows-Sysmon/Operational ) but i need to be able to do this remotely via command line or script.

I came across a Splunk article about setting up the forwarder with a static config which seemed good but looking into the config options it doesnt seem to allow you to specify what logs to collect - it gives you option of the usual Security , System , Application etc but doesnt appear to support anything else unless im mistaken?

Else anyone know if its possible to include a config file/parameters within the installer?

SinghK · ‎01-06-2022

you can download the addon splunk_ta_windows from splunk base and confugure using documetation availble here

https://splunkbase.splunk.com/app/742/

View solution in original post

SinghK · ‎01-06-2022

I have the powershell script to remotely install the forwarder and the copy splunk ta windows to to apps directory I can send it over tomorrow.

ng87 · ‎01-06-2022

so you can include the config options with you way ?

SinghK · ‎01-06-2022

yes

SinghK · ‎01-06-2022

you can download the addon splunk_ta_windows from splunk base and confugure using documetation availble here

https://splunkbase.splunk.com/app/742/

Windows universal forwarder with a static config for Sysmon logs

universal forwarder

Windows

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life