Removing Splunk forwarder from Windows hosts

2019-12-03 00:42:02 -08:00
parent b5070e593e
commit ee9a1f87fd
9 changed files with 98 additions and 51 deletions
--- a/Vagrant/resources/splunk_forwarder/wef_inputs.conf
+++ b/Vagrant/resources/splunk_forwarder/wef_inputs.conf
@@ -322,9 +322,9 @@ current_only = 0
 checkpointInterval = 5

 [WinEventLog://WEC6-Sysmon]
-sourcetype = WinEventLog:Sysmon
+sourcetype = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
 source = WinEventLog:Sysmon
-index=wineventlog
+index=sysmon
 disabled = 0
 start_from = oldest
 current_only = 0