olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License
1.12k stars 175 forks

source vs. sourcetype #51

Closed afxmac closed 3 years ago

afxmac commented 4 years ago

Hi, the app references the sourcetypes [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational] [WinEventLog:Microsoft-Windows-Sysmon/Operational] [WinEventLog:Security] in props.conf.

But when the Splunk Windows TA is installed all the Windows source types are renamed to xmlwineventlog and props.conf should use source definitions:

[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational] [source::WinEventLog:Microsoft-Windows-Sysmon/Operational] [source::WinEventLog:Security]

Otherwise a lot of definitions will not work.

Now that I fixed this, I finally see data arriving in the threathunting index.

cheers afx
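The two stanza forms the issue contrasts, shown side by side as an added example (this is not the app's own props.conf, and the extraction setting inside each stanza is a hypothetical placeholder, not a setting from the repository). The only difference between the two is the stanza key: a bare name matches on the event's `sourcetype`, while a `source::` prefix matches on the event's `source`, which is where the Windows TA places the channel name once it has normalised the sourcetype, as the issue describes.

```ini
# Added example, not the ThreatHunting app's props.conf.

# Sourcetype-keyed stanza: applies only when sourcetype is literally
# "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational". Per the issue,
# events arriving via the Splunk Windows TA carry sourcetype
# "xmlwineventlog" instead, so this stanza never matches them.
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
# hypothetical extraction, stands in for the app's real settings
EVAL-process_path = lower(Image)

# Source-keyed stanza: applies when the event's "source" field is the
# channel name, which is what the TA populates. The settings inside are
# identical; only the stanza key changes.
[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
EVAL-process_path = lower(Image)

# Same change for the classic (non-XML) Sysmon channel and Security log.
[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
EVAL-process_path = lower(Image)

[source::WinEventLog:Security]
EVAL-logon_type = LogonType
```

To confirm which field actually carries the channel name in your deployment before deciding between the two forms, run a quick search such as `index=threathunting | stats count by source, sourcetype` (or against the raw index the TA writes to) and check whether the channel name appears under `source` or under `sourcetype`; the stanza key must match the field that holds it, otherwise the extractions silently never apply.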

olafhartong commented 3 years ago

This should be addressed in the props.conf now, thanks for letting me know!