Splunk Search

Heavy forwarder and sysmon

verifi81
Path Finder

Hello friends,

 

Suppose I install Microsoft Sysmon on a Windows server.  

I then go install the Universal Forwarder on the Windows server with the default settings.  A deployment server is in the mix too if that matters.  

My question is this.  Will the Universal Forwarder know to pick up the Syslog events if using all default settings? Is that defined on the Deployment server?

Labels (1)
0 Karma
1 Solution

venkatasri
SplunkTrust
SplunkTrust

Hi @verifi81 

By default add-on having sysmon events disabled you shall deploy it UF either via DeploymentServer (DS) having it enabled.  DS doesn't define anything it's the admin who supposed to enable it and put it on DS then whitelist the add-on to get deployed to UF that you wish to.

--

An upvote would be appreciated and Accept the solution if this reply helps!

View solution in original post

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @verifi81 

By default add-on having sysmon events disabled you shall deploy it UF either via DeploymentServer (DS) having it enabled.  DS doesn't define anything it's the admin who supposed to enable it and put it on DS then whitelist the add-on to get deployed to UF that you wish to.

--

An upvote would be appreciated and Accept the solution if this reply helps!

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@verifi81 sysmon settings have been shared here FYI - Solved: Re: Connectivity issues - Splunk Community

--

An upvote would be appreciated if this reply helps!

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...