olafhartong / sysmon-modular

A repository of sysmon configuration modules
MIT License

Too many Splunk Forwarder Events in base Sysmon Config #153

Open tbalz2319 opened 1 year ago

tbalz2319 commented 1 year ago

Hello,

We are using this config and really like it, but we have noticed there are way too many Splunk forwarder events (event-id 11)

and the image is Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"

Is there any way I can exclude all of these? Do we need to run specific PowerShell commands?

Suirand1 commented 1 year ago

@tbalz2319 you can exclude these by creating new .xml file in 11_file_create folder and running the merge script. The content of the file can be something like this

<Sysmon schemaversion="4.30">
    <EventFiltering>
        <RuleGroup name="" groupRelation="or">
            <FileCreate onmatch="exclude">
                <Image condition="begin with">C:\Program Files\SplunkUniversalForwarder\bin\</Image>
            </FileCreate>
        </RuleGroup>
    </EventFiltering>
</Sysmon>

tbalz2319 commented 1 year ago

Thank you, I will try this out. Which merge command exactly shall I use? I see a few different options.

Suirand1 commented 1 year ago

$> cd sysmon-modular
$> . .\Merge-SysmonXml.ps1
# '[0-9]*\*.xml' picks up every module file under the numbered folders (1_process_creation, 11_file_create, ...)
$> Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]*\*.xml') -AsString | Out-File sysmonconfig.xml
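
To confirm the exclusion actually landed in the merged sysmonconfig.xml and would match the splunk-winevtlog.exe path from the original question, here is an added Python check that is not part of sysmon-modular. The merged config below is constructed for the example, and Sysmon's string conditions are reimplemented only for the handful shown (Sysmon compares case-insensitively).

```python
import xml.etree.ElementTree as ET

# Constructed sample of what the merged sysmonconfig.xml should contain after
# dropping the exclusion module into 11_file_create and re-running the merge.
MERGED_CONFIG = r"""<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="exclude">
        <Image condition="begin with">C:\Program Files\SplunkUniversalForwarder\bin\</Image>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def condition_matches(condition, pattern, value):
    """Evaluate one Sysmon string condition the way the driver does (case-insensitive)."""
    v, p = value.lower(), pattern.lower()
    return {
        "is": v == p,
        "is not": v != p,
        "contains": p in v,
        "begin with": v.startswith(p),
        "end with": v.endswith(p),
        # "image" matches either the full path or just the file name
        "image": v == p or v.rsplit("\\", 1)[-1] == p,
    }[condition]


def filecreate_exclude_rules(config_xml):
    """Return (field, condition, pattern) for every rule under FileCreate onmatch="exclude"."""
    root = ET.fromstring(config_xml)
    rules = []
    for fc in root.iter("FileCreate"):
        if fc.get("onmatch") != "exclude":
            continue  # rules under onmatch="include" add events, they never suppress them
        for rule in fc:
            rules.append((rule.tag, rule.get("condition", "is"), rule.text or ""))
    return rules


def image_excluded(config_xml, image):
    """True if any FileCreate exclude rule on Image matches this process path."""
    return any(condition_matches(cond, pat, image)
               for field, cond, pat in filecreate_exclude_rules(config_xml)
               if field == "Image")
```

If `filecreate_exclude_rules` returns an empty list for your merged file, the module was not picked up by the merge (wrong folder, or a path glob that did not match), which is the first thing to rule out when the event-id 11 noise keeps flowing.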

tbalz2319 commented 1 year ago

Thank you, I will try this out.

tbalz2319 commented 1 year ago

Just tried this and it did not seem to work.

The Splunk forwarder events for event-id 11 are still flowing non-stop

Do we need to specify a RuleGroup name?