Hello,
I have the Splunk_TA_Windows app, which is deployed to many servers, and the UFs send me specific security logs. But I want to clone this app and set additional events in inputs.conf with an exact account name. How can I clone and deploy two of the same app with different settings to one server?
Colleagues,
Maybe someone can help me find clarification?
hello there,
create a small app and call it something like windows_<my_inputs>_app
place an inputs.conf in the local directory of the new app and push the app to the relevant windows machines
hope it helps
> hello there,
> create a small app and call it something like windows_<my_inputs>_app
> place an inputs.conf in the local directory of the new app and push the app to the relevant windows machines
> hope it helps
I tried, but events aren't sent to the new app.
try to also edit app.conf in the "new" app. This will make it kind of different.
How can this help me to receive additional specific events?
I think I need to clone it, change some settings and add a new index. Am I right?
let's say on your windows TA (the original) you have this inputs.conf:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml=false
on your second app (the one you created) you can have this input (or any other input):
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false
now you can create a new serverclass and set the inputs as you want per group of hosts
It seems that I first need to copy the original app folder, rename the copied folder and then correct the inputs file.
I tried it and it didn't help me either.
Sorry, but I don't understand your message correctly.
not sure why your attempt did not work, here is what you can do:
from the deployment server gui -> manage apps (top left) -> create new app -> name it -> save / create
now the app is under the $SPLUNK_HOME/etc/apps/ folder
move the app to the deployment-apps folder: mv .../etc/apps/new_app .../etc/deployment-apps
create a new local folder (if there isn't one already): mkdir .../etc/deployment-apps/new_app/local
create your new inputs.conf in the new local directory: vi .../etc/deployment-apps/new_app/local/inputs.conf
save it. navigate to forwarder management in the DS gui and see that new_app exists
create a new serverclass, and add new_app to it
that's it
Doesn't help 😞
I created a new one and did as you wrote. But logs are sent by only one of the two. If I remove this one from the deployed apps, the second app starts to send logs. The two apps can't work at the same time. Both apps look into the Security event log. Maybe because of this I receive no logs from both apps at the same time?
I created a new index with the name wineventlog_4624 and tried to send logs from the second app to this index, but it doesn't work.
inputs.conf for the second app:
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
whitelist1 = 4624
index = wineventlog_4624
renderXml=false
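As an added example (not from this thread or from Splunk_TA_windows itself): a small simulation of how Splunk layers inputs.conf across apps, which is what "both apps look into Security" runs into. It relies on two documented rules: same-named stanzas from different apps are merged into a single stanza, and when two apps set the same key, the app whose directory name sorts first in ASCII order wins (the global-context precedence rule). The second app's stanza and both app names below are constructed; the Splunk_TA_windows keys are the ones quoted earlier in the thread.

```python
import configparser

# Stanza from the original Splunk_TA_windows, as quoted in this thread.
TA_WINDOWS = """
[WinEventLog://Security]
disabled = 0
index = wineventlog
blacklist1 = EventCode="4662" Message="Object Type:\\s+(?!groupPolicyContainer)"
"""

# Constructed second app: same channel, its own whitelist and its own index.
SECOND_APP = """
[WinEventLog://Security]
disabled = 0
whitelist1 = 4624
index = wineventlog_4624
"""


def parse(text):
    """Parse one inputs.conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (e.g. renderXml)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def layer_inputs(apps):
    """apps: {app_name: inputs.conf text}. Returns (merged, collisions).

    Same-named stanzas collapse into ONE stanza. For a key set by several
    apps, the app whose name sorts first in ASCII order wins ('A_app' beats
    'b_app'), so we apply apps from lowest to highest precedence."""
    merged, seen = {}, {}
    for app in sorted(apps, reverse=True):  # lowest precedence first
        for stanza, keys in parse(apps[app]).items():
            merged.setdefault(stanza, {}).update(keys)  # higher overrides
            seen.setdefault(stanza, []).append(app)
    collisions = {s: sorted(a) for s, a in seen.items() if len(a) > 1}
    return merged, collisions


if __name__ == "__main__":
    merged, collisions = layer_inputs(
        {"Splunk_TA_windows": TA_WINDOWS, "windows_4624_app": SECOND_APP})
    for stanza, apps in collisions.items():
        print(f"{stanza} is defined by {apps}: only one input runs")
    print(merged["WinEventLog://Security"])
```

With these two apps the forwarder ends up with a single Security input writing to `wineventlog` (the TA's key wins), carrying both the TA's blacklist and the second app's whitelist, and nothing is ever written to `wineventlog_4624`; to collect into a separate index the second app needs a stanza name that does not collide, or a different channel or host group.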