Solved: Heavy forwarder and sysmon

verifi81 · ‎07-25-2021

Hello friends,

Suppose I install Microsoft Sysmon on a Windows server.

I then go install the Universal Forwarder on the Windows server with the default settings. A deployment server is in the mix too if that matters.

My question is this. Will the Universal Forwarder know to pick up the Syslog events if using all default settings? Is that defined on the Deployment server?

venkatasri · ‎07-25-2021

Hi @verifi81

By default add-on having sysmon events disabled you shall deploy it UF either via DeploymentServer (DS) having it enabled. DS doesn't define anything it's the admin who supposed to enable it and put it on DS then whitelist the add-on to get deployed to UF that you wish to.

--

An upvote would be appreciated and Accept the solution if this reply helps!

View solution in original post

venkatasri · ‎07-25-2021

Hi @verifi81

By default add-on having sysmon events disabled you shall deploy it UF either via DeploymentServer (DS) having it enabled. DS doesn't define anything it's the admin who supposed to enable it and put it on DS then whitelist the add-on to get deployed to UF that you wish to.

--

An upvote would be appreciated and Accept the solution if this reply helps!

venkatasri · ‎07-25-2021

@verifi81 sysmon settings have been shared here FYI - Solved: Re: Connectivity issues - Splunk Community

--

An upvote would be appreciated if this reply helps!

Heavy forwarder and sysmon

eval

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL