
How to change the index for sysmon from deployment server?

dkordyban
Engager

I have 1 Splunk server. It is search head, indexer and deployment server. I have Sysmon and the Splunk universal forwarder installed on my clients. I also have Splunk_TA_microsoft_sysmon installed under /opt/splunk/etc/apps. The app is installed on the client.

The Sysmon client logs are getting to the indexer but they are going to the main index. I want to change this to the sysmon index (newly created). I have tried creating a /local/inputs.conf file on the deployment server with the

index = sysmon

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
index = sysmon

I expected it to change the inputs.conf on the client side, but that never happens. It seems as though the client is honoring another .conf file. I am not sure what I am missing. Any advice would be appreciated.


PickleRick
Ultra Champion

In order to deploy apps from the deployment server you have to have the app located under etc/deployment-apps, not etc/apps, and have server classes defined properly so that the app gets pushed to the clients.

See from https://docs.splunk.com/Documentation/Splunk/8.2.4/Updating/Aboutdeploymentserver onwards


SinghK
Builder

The input that you have created on the DS/indexer should be on the client only, where the UF is installed. And that should fix it.

SanjayReddy
Builder

Hi @dkordyban 

On the deployment server you need to create the config under etc/deployment-apps/ with the same app name as the app present on the client side: copy the Splunk_TA_microsoft_sysmon app from the client side to the deployment server under etc/deployment-apps/, make the required changes and push it from the deployment server.

Under serverclass.conf you need to add restart=true for the Sysmon client, so that splunkd restarts to take the new changes into effect.
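The layout PickleRick and SanjayReddy describe (the app under etc/deployment-apps, a server class that pushes it to the clients and restarts the forwarder), as an added shell example for the Linux deployment server; it is not code from this thread or from Splunk. It assumes SPLUNK_HOME defaults to /opt/splunk as in the question, an app name matching the client's Splunk_TA_microsoft_sysmon, and a made-up server class name sysmon_clients with a catch-all whitelist; the restart flag is written under its serverclass.conf setting name, restartSplunkd.

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk. Creates the deployment-app
# layout the answers describe on a Linux deployment server.
# Assumptions: SPLUNK_HOME defaults to /opt/splunk (as in the question); the app
# name matches the one already on the client; "sysmon_clients" and the catch-all
# whitelist are made up for illustration.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
APP_NAME="Splunk_TA_microsoft_sysmon"
SERVERCLASS="sysmon_clients"
TARGET_INDEX="sysmon"
STANZA="[WinEventLog://Microsoft-Windows-Sysmon/Operational]"

# Write etc/deployment-apps/<app>/local/inputs.conf. Once pushed, this local/
# file overrides the app's default/ on the client, so index = sysmon takes effect.
write_deployment_app() {
    app_dir="$SPLUNK_HOME/etc/deployment-apps/$APP_NAME/local"
    mkdir -p "$app_dir"
    cat > "$app_dir/inputs.conf" <<EOF
$STANZA
disabled = false
renderXml = 1
index = $TARGET_INDEX
EOF
    printf '%s\n' "$app_dir/inputs.conf"
}

# Write serverclass.conf so the app is pushed to matching clients and the
# forwarder restarts after receiving it (the restart setting the thread mentions).
write_serverclass() {
    sc_dir="$SPLUNK_HOME/etc/system/local"
    mkdir -p "$sc_dir"
    cat > "$sc_dir/serverclass.conf" <<EOF
[serverClass:$SERVERCLASS]
# hypothetical catch-all; restrict to the Sysmon hosts in practice
whitelist.0 = *

[serverClass:$SERVERCLASS:app:$APP_NAME]
restartSplunkd = true
stateOnClient = enabled
EOF
    printf '%s\n' "$sc_dir/serverclass.conf"
}

# Read back the index assigned to the Sysmon stanza in the file just written,
# so the push can be verified before reloading the deployment server.
deployed_index() {
    awk -v stanza="$STANZA" '
        $0 == stanza { in_stanza = 1; next }
        /^\[/        { in_stanza = 0 }
        in_stanza && $1 == "index" { print $3; exit }
    ' "$SPLUNK_HOME/etc/deployment-apps/$APP_NAME/local/inputs.conf"
}

# Only touch the real SPLUNK_HOME when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    write_deployment_app
    write_serverclass
    printf 'Sysmon stanza will be deployed with index = %s\n' "$(deployed_index)"
fi
```

Run it with the argument apply on the deployment server, then `splunk reload deploy-server` so the clients receive the app on their next phone-home; deployed_index re-reads the written file so you can confirm the stanza carries index = sysmon before pushing. Narrow the whitelist to the Sysmon hosts rather than leaving it at *.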

richgalloway
SplunkTrust

Use btool on the client to learn which config file is setting the index name. 

splunk btool --debug inputs list WinEventLog


---
If this reply helps you, Karma would be appreciated.
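Reading the output of the btool command richgalloway suggests, as an added shell example that is not part of the thread: it reports which file supplies the effective index for a given stanza, which is exactly the precedence question the asker is stuck on. The sample lines are constructed to mirror the --debug layout (source file, then the stanza header or a key = value pair) and use an assumed Windows forwarder path; on a real client you would feed the command's actual output in instead.

```shell
#!/bin/sh
# Added example, not from the thread. Finds which file sets "index" for a stanza
# in `splunk btool --debug inputs list` output. The sample below is constructed to
# mirror btool's --debug layout; the install path is assumed.
SAMPLE_BTOOL_OUTPUT='C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf [WinEventLog://Microsoft-Windows-Sysmon/Operational]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft_sysmon\default\inputs.conf renderXml = 1
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf index = default
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf index = default'

# Print "<source file><TAB><value>" for the effective index of STANZA, reading
# btool --debug output on stdin. Exit 1 when the stanza has no index setting.
# "index = default" coming from etc/system/default means no app set an index, so
# events land in the indexer's default index (main unless changed), which
# matches the asker's symptom.
index_source() {
    stanza="$1"
    current=""
    while IFS= read -r line; do
        # btool prefixes every line with the source file. The path ends at
        # ".conf", which also copes with Windows paths containing spaces.
        file="${line%%.conf*}.conf"
        rest="${line#"$file"}"
        rest="${rest#"${rest%%[![:space:]]*}"}"
        case "$rest" in
            \[*\]) current="$rest" ;;
            "index ="*)
                if [ "$current" = "$stanza" ]; then
                    printf '%s\t%s\n' "$file" "${rest#"index = "}"
                    return 0
                fi ;;
        esac
    done
    return 1
}

# Stand-alone demo on the constructed sample. On a forwarder, pipe the real
# command instead:  splunk btool --debug inputs list WinEventLog | index_source ...
printf '%s\n' "$SAMPLE_BTOOL_OUTPUT" \
    | index_source '[WinEventLog://Microsoft-Windows-Sysmon/Operational]'
```

On a Windows forwarder the command is run from the forwarder's bin directory and its output saved to a file, which this function can then read from stdin; the file it names is the one whose index setting wins, so that is where the change has to arrive.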


dkordyban
Engager

Thanks that was it. I should have been modifying etc/deployment-apps/local/inputs.conf on the server.
