I have successfully installed Sysmon and verified the schemaversion matches the schemaversion in the config file (sysmonconfig-export.xml by SwiftOnSecurity). I have confirmed that Sysmon is running in Event Viewer (Application and Service Logs > Microsoft > Windows > Sysmon > Operational).
I downloaded and installed the TA-microsoft-sysmon on the search head I use.
I also copied the TA-sysmon folder to the deployment server (\Splunk\etc\deployment-apps\TA-microsoft-sysmon) and then deployed it to my UF running on my test host.
I ran my handy query
|tstats values(sourcetype) WHERE index=* by index
and noticed the data was rolling into the default main index...
How do I change the index to winsysmon? Or does anyone have a better idea which index the Sysmon data should go in?
Thank you
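One way to redirect the events to a dedicated index, as an added example that is not part of the original post or of the TA: override the input in the app's local directory on the deployment server, and create the target index on the indexers. The stanza name is assumed to match the TA's WinEventLog input for the Sysmon Operational channel; the index name winsysmon comes from the question.

```ini
# TA-microsoft-sysmon/local/inputs.conf on the deployment server
# (local/ takes precedence over default/, so the TA's own file stays untouched).
# Added example: the stanza name is assumed to match the TA's input for the
# Sysmon Operational channel. Only "index" needs overriding; the other keys are
# repeated so the override reads as a complete input.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
index = winsysmon

# indexes.conf on every indexer (not on the forwarder). If the index does not
# exist when events arrive, the indexer discards them or routes them to
# lastChanceIndex if that is set, so create it before pushing the input change.
[winsysmon]
homePath   = $SPLUNK_DB/winsysmon/db
coldPath   = $SPLUNK_DB/winsysmon/colddb
thawedPath = $SPLUNK_DB/winsysmon/thaweddb
```

After reloading the deployment server (splunk reload deploy-server) and letting the forwarder restart, the tstats query above should list the Sysmon sourcetype under winsysmon rather than main.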