trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Removing Splunk forwarder from Windows hosts

Browse Source
This commit is contained in:
Chris Long
2019-12-03 00:42:02 -08:00
parent b5070e593e
commit ee9a1f87fd
9 changed files with 98 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
Vagrant/resources/splunk_forwarder/inputs.conf
View File

@@ -1,29 +0,0 @@
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = sysmon
disabled = false
renderXml = true
[monitor://c:\Program Files\osquery\log\osqueryd.results.log]
index = osquery
disabled = false
sourcetype = osquery:json
[monitor://c:\Program Files\osquery\log\osqueryd.snapshots.log]
index = osquery
disabled = false
sourcetype = osquery:json
[monitor://c:\Program Files\osquery\log\osqueryd.INFO.*]
index = osquery-status
disabled = false
sourcetype = osquery-info:syslog
[monitor://c:\Program Files\osquery\log\osqueryd.WARNING.*]
index = osquery-status
disabled = false
sourcetype = osquery-warn:syslog
[monitor://c:\Program Files\osquery\log\osqueryd.ERROR.*]
index = osquery-status
disabled = false
sourcetype = osquery-error:syslog

4
Vagrant/resources/splunk_forwarder/wef_inputs.conf
View File

@@ -322,9 +322,9 @@ current_only = 0
checkpointInterval = 5
[WinEventLog://WEC6-Sysmon]
sourcetype = WinEventLog:Sysmon
sourcetype = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
source = WinEventLog:Sysmon
index=wineventlog
index=sysmon
disabled = 0
start_from = oldest
current_only = 0