The Splunk Add-on for Windows must be configured with configuration files. You can configure the add-on manually or push a configuration with a deployment server. See deploy the Splunk Add-on for Windows with Forwarder Management.

The default configuration files for the Splunk Add-on for Windows reside in %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\default. Do not edit the files in this directory, because Splunk overwrites them whenever you upgrade the add-on. Create configuration files in the %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local directory and make your edits there; a setting in local overrides the same setting in default. Modify only the input stanzas whose defaults you want to change. For more information about configuration files, see About configuration files in the Splunk Enterprise Admin Manual.

If you do not edit any files, the add-on does not collect any Windows data. Before the add-on can collect data, you must configure nf and change the disabled attribute for the stanzas you want to enable to 0:

1. Using a text editor, open the nf in local for editing. If %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local\nf does not exist, create it.
2. Enable the inputs that you want the add-on to collect data for by setting the disabled attribute for those input stanzas to 0.

The input that queries the Active Directory domain controllers directly must be enabled on only one domain controller in a single domain. Enabling it on multiple Splunk instances can disrupt your Active Directory servers and eventually make them unresponsive, preventing users from accessing needed services.

The nf file was removed in the Splunk Add-on for Windows version 5.0.0. See upgrade the Splunk Add-on for Windows.

Configure event cleanup best practices in nf

To reduce index volume, use the following best practice. Version 5.0.1 of the Splunk Add-on for Windows provides an option to remove extra text and normalize inappropriate values in both Classic and XML WinEventLog events by using SEDCMD. The SEDCMD configurations ship commented out in default/nf, and the explanation for each SEDCMD extraction is under the # Explanation line in its stanza. To use the extractions, copy the lines beginning with SEDCMD- from those stanzas in default/nf into the same stanzas in local/nf:

1. On your Splunk platform deployment, create or navigate to %SPLUNK_HOME%/etc/apps/Splunk_TA_windows/local/nf.
2. Copy the SEDCMD- lines you want from the stanzas in default/nf into the matching stanzas in local/nf.
3. For each one you want to use, uncomment the line.

The SEDCMD extractions are:

    SEDCMD-clean_rendering_info_block = s/(?s)(<RenderingInfo.*<\/RenderingInfo>)//
    SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g
    SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
    SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
    SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
    SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g

The first extraction drops the localized RenderingInfo block from XML events, which repeats what EventData already carries. The clean_info_text extractions cut the Microsoft boilerplate paragraph ("This event is generated...", and so on) and everything after it to the end of the event. The cleansrcport extraction blanks out a placeholder source port of 0 so that it is not treated as a real port.

SEDCMD settings are applied when events are parsed, so the local file must be deployed to the instance that parses the data (the indexer or heavy forwarder, not a universal forwarder), and they do not change events that have already been indexed. Restart the Splunk platform after editing the file so that the new settings take effect. Because each extraction in a stanza runs in file order on the same event, check what a rule removes on sample events before enabling it in production.
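The following harness, added here as an example and not part of the original page or of the add-on, parses SEDCMD- lines from a props-style stanza, applies them in file order with sed's first-match-unless-/g semantics, and reports which rules fired, so you can check the cleanup on sample events before deploying it. The stanza names [WinEventLog:Security] and [XmlWinEventLog:Security] and both sample events are constructed for illustration; the page does not list the stanza names.

```python
import re

# Constructed stanza text: the page's SEDCMD- lines as they would look after
# being copied from default/ into local/ and uncommented. Stanza names are
# assumed for illustration.
LOCAL_PROPS = r"""
[WinEventLog:Security]
# Explanation: strip boilerplate paragraphs; blank out a placeholder port of 0
SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/

[XmlWinEventLog:Security]
# Explanation: drop the localized RenderingInfo block, which repeats EventData
SEDCMD-clean_rendering_info_block = s/(?s)(<RenderingInfo.*<\/RenderingInfo>)//
"""


def split_sed(expr):
    """Split 's/pattern/replacement/flags' on unescaped '/' characters."""
    if not expr.startswith("s/"):
        raise ValueError(f"not an s/// expression: {expr!r}")
    parts, buf, i = [], "", 2
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):   # keep '\/' and '\s' intact
            buf += ch + expr[i + 1]
            i += 2
            continue
        if ch == "/":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    if len(parts) < 2:
        raise ValueError(f"malformed s/// expression: {expr!r}")
    return parts[0], parts[1], (parts[2] if len(parts) > 2 else "")


def load_sedcmds(props_text):
    """Return {stanza: [(name, regex, replacement, count)]} in file order,
    skipping '#' comments and blank lines."""
    rules, stanza = {}, None
    for raw in props_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            rules.setdefault(stanza, [])
        elif line.startswith("SEDCMD-") and stanza is not None:
            key, _, expr = line.partition("=")
            pattern, replacement, flags = split_sed(expr.strip())
            count = 0 if "g" in flags else 1   # sed: first match only unless /g
            rules[stanza].append((key.strip()[7:], re.compile(pattern), replacement, count))
    return rules


def apply_sedcmds(event, rules):
    """Apply a stanza's rules in order; return the event and the rules that changed it."""
    fired = []
    for name, regex, replacement, count in rules:
        updated = regex.sub(replacement, event, count=count)
        if updated != event:
            fired.append(name)
        event = updated
    return event, fired


# Constructed sample events (not real captures).
CLASSIC_4624 = (
    "10/08/2023 09:12:44 AM\nLogName=Security\nEventCode=4624\n"
    "Message=An account was successfully logged on.\n\n"
    "Logon Type:\t\t\t3\n\nNetwork Information:\n"
    "\tSource Network Address:\t10.0.0.5\n\tSource Port:\t\t0\n\n"
    "This event is generated when a logon session is created. It is generated "
    "on the computer that was accessed.\n\nThe subject fields indicate the "
    "account on the local system which requested the logon.\n"
)
XML_4688 = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>4688</EventID><Computer>ws01.example.test</Computer></System>"
    '<EventData><Data Name="NewProcessName">C:\\Windows\\System32\\cmd.exe</Data>'
    '<Data Name="TokenElevationType">%%1938</Data></EventData>'
    '<RenderingInfo Culture="en-US"><Message>A new process has been created.\n'
    "Token Elevation Type indicates the type of token that was assigned to "
    "the new process.</Message></RenderingInfo></Event>"
)


def clean_samples():
    """Run each sample through the rules of its own stanza."""
    rules = load_sedcmds(LOCAL_PROPS)
    classic, classic_fired = apply_sedcmds(CLASSIC_4624, rules["WinEventLog:Security"])
    xml, xml_fired = apply_sedcmds(XML_4688, rules["XmlWinEventLog:Security"])
    return {"classic": classic, "classic_fired": classic_fired,
            "xml": xml, "xml_fired": xml_fired}


if __name__ == "__main__":
    result = clean_samples()
    print(result["classic_fired"], "\n" + result["classic"])
    print(result["xml_fired"], "\n" + result["xml"])
```

Running it shows the classic event losing its trailing boilerplate and its "Source Port: 0" value, while the XML event keeps EventData and loses only the RenderingInfo block. Note that the rules are kept per stanza on purpose: the "Token Elevation Type indicates" rule, if placed in the XML stanza ahead of the RenderingInfo rule, would cut the closing tags off the XML event and leave the RenderingInfo rule with nothing to match.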