Solved: Re: Heavy forwarder and sysmon

verifi81 · ‎07-25-2021

Hello friends,

Suppose I install Microsoft Sysmon on a Windows server.

I then go install the Universal Forwarder on the Windows server with the default settings. A deployment server is in the mix too if that matters.

My question is this. Will the Universal Forwarder know to pick up the Syslog events if using all default settings? Is that defined on the Deployment server?

venkatasri · ‎07-25-2021

Hi @verifi81

By default add-on having sysmon events disabled you shall deploy it UF either via DeploymentServer (DS) having it enabled. DS doesn't define anything it's the admin who supposed to enable it and put it on DS then whitelist the add-on to get deployed to UF that you wish to.

--

An upvote would be appreciated and Accept the solution if this reply helps!

View solution in original post

venkatasri · ‎07-25-2021

Hi @verifi81

By default add-on having sysmon events disabled you shall deploy it UF either via DeploymentServer (DS) having it enabled. DS doesn't define anything it's the admin who supposed to enable it and put it on DS then whitelist the add-on to get deployed to UF that you wish to.

--

An upvote would be appreciated and Accept the solution if this reply helps!

venkatasri · ‎07-25-2021

@verifi81 sysmon settings have been shared here FYI - Solved: Re: Connectivity issues - Splunk Community

--

An upvote would be appreciated if this reply helps!

Heavy forwarder and sysmon

eval

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM