I have a server with Splunk and one PC with Sysmon and a universal forwarder.
This is my C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf:
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
index = windows
[WinEventLog://System]
disabled = false
renderXml = 0
index = windows
[WinEventLog://Application]
disabled = false
renderXml = 0
index = windows
[WinEventLog://Security]
disabled = false
renderXml = 0
index = windows
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false
renderXml = 0
index = windows
[WinEventLog://Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
disabled = false
renderXml = 0
index = windows
Is it okay?
Which inputs file needs to be modified: C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf or the inputs.conf in the Sysmon app?
Hi!
This is my C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
index = windows
[WinEventLog://System]
disabled = false
renderXml = 0
index = windows
[WinEventLog://Application]
disabled = false
renderXml = 0
index = windows
[WinEventLog://Security]
disabled = false
renderXml = 0
index = windows
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false
renderXml = 0
index = windows
[WinEventLog://Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
disabled = false
renderXml = 0
index = windows