Hi,
the app references the sourcetypes
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
[WinEventLog:Microsoft-Windows-Sysmon/Operational]
[WinEventLog:Security]
in props.conf.
But when the Splunk Windows TA is installed all the Windows source types are renamed to
xmlwineventlog
and props.conf should use source definitions:
[source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
[source::WinEventLog:Security]
Otherwise a lot of definitions will not work.
Now that I fixed this, I finally see data arriving in the threathunting index.
cheers afx
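As an added example (not part of afx's post and not code from the app or the Splunk Add-on for Windows), here is a small check that scans a props.conf for stanza headers named after a Windows event log channel and rewrites them to the `[source::...]` form the post recommends. The sample props.conf text is constructed for illustration; the prefixes `WinEventLog:` and `XmlWinEventLog:` and the idea that such stanzas stop matching once the TA assigns the generic `xmlwineventlog` sourcetype come from the post, while the assumption that the source field keeps the channel name (so a `source::` stanza still matches) is the reason the rewrite works.

```python
import re
from typing import Callable, List, Tuple

# Constructed sample props.conf content for illustration; not the app's real file.
SAMPLE_PROPS_CONF = """\
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
KV_MODE = xml

[WinEventLog:Security]
TRANSFORMS-sec = some_transform

[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
KV_MODE = none

[my_custom_sourcetype]
SHOULD_LINEMERGE = false
"""

# Stanza names that are really Windows event log channels. With the Windows TA
# installed the sourcetype becomes the generic xmlwineventlog, so a sourcetype
# stanza carrying the channel name never matches; a source:: stanza still does
# because the source field keeps the channel name (assumption stated above).
WINDOWS_CHANNEL_PREFIXES = ("WinEventLog:", "XmlWinEventLog:")

# One stanza header per line: [name] with optional trailing spaces or tabs.
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\][ \t]*$", re.MULTILINE)


def is_bare_channel_stanza(name: str) -> bool:
    """True for [WinEventLog:...] / [XmlWinEventLog:...] without a source:: prefix."""
    return name.startswith(WINDOWS_CHANNEL_PREFIXES)


def find_channel_sourcetype_stanzas(conf_text: str) -> List[str]:
    """List stanza names that will silently stop matching once the Windows TA is installed."""
    return [m.group("name") for m in STANZA_RE.finditer(conf_text)
            if is_bare_channel_stanza(m.group("name"))]


def to_source_stanza(name: str) -> str:
    """Turn a channel sourcetype stanza name into the equivalent source:: stanza name."""
    return f"source::{name}"


def rewrite_channel_stanzas(conf_text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (rewritten props.conf text, list of (old, new) stanza names that changed).

    Only the stanza headers are touched; the settings under each header are left as-is,
    and stanzas that already use source:: or unrelated sourcetypes are not modified.
    """
    changes: List[Tuple[str, str]] = []

    def repl(m: "re.Match[str]") -> str:
        name = m.group("name")
        if not is_bare_channel_stanza(name):
            return m.group(0)
        new_name = to_source_stanza(name)
        changes.append((name, new_name))
        return f"[{new_name}]"

    return STANZA_RE.sub(repl, conf_text), changes


if __name__ == "__main__":
    # Report what would break, then show the rewritten file.
    for stanza in find_channel_sourcetype_stanzas(SAMPLE_PROPS_CONF):
        print(f"stanza [{stanza}] will not match after the Windows TA renames sourcetypes")
    fixed, changed = rewrite_channel_stanzas(SAMPLE_PROPS_CONF)
    for old, new in changed:
        print(f"[{old}] -> [{new}]")
    print(fixed)
```

Run it against the app's props.conf (instead of the constructed sample) before deploying the app alongside the Windows TA; an empty result from `find_channel_sourcetype_stanzas` means no stanza depends on the pre-TA sourcetype names. The rewrite only changes stanza headers, so review the diff: Splunk applies `[source::...]` stanzas by matching the source field, and any setting that was meant to apply to the generic `xmlwineventlog` sourcetype as a whole still needs its own stanza.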