
Too many Splunk Forwarder Events in base Sysmon Config

Open tbalz2319 opened this issue 2 years ago • 5 comments

Hello,

We are using this config and really like it, but we have noticed there are way too many Splunk forwarder events, event ID 11,

and the image is Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"

Is there any way I can exclude all of these? Do we need to run specific PowerShell commands?

tbalz2319 avatar Nov 23 '22 21:11 tbalz2319

@tbalz2319 you can exclude these by creating a new .xml file in the 11_file_create folder and running the merge script. The content of the file can be something like this:

<Sysmon schemaversion="4.30">
	<EventFiltering>
		<RuleGroup name="" groupRelation="or">
			<!-- Drop FileCreate (event ID 11) events whose creating process lives under the Splunk forwarder bin directory -->
			<FileCreate onmatch="exclude">
				<Image condition="begin with">C:\Program Files\SplunkUniversalForwarder\bin\</Image>
			</FileCreate>
		</RuleGroup>
	</EventFiltering>
</Sysmon>

Suirand1 avatar Nov 25 '22 12:11 Suirand1

Thank you, I will try this out. What exact merge command shall I use? I see a few different options.

tbalz2319 avatar Nov 25 '22 15:11 tbalz2319

$> cd sysmon-modular
$> . .\Merge-SysmonXml.ps1
$> Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]*\*.xml') -AsString | Out-File sysmonconfig.xml

Suirand1 avatar Nov 28 '22 11:11 Suirand1
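The whole procedure from the two replies above, as an added example that is not part of this thread and not the sysmon-modular project's own code: it writes the Splunk forwarder exclusion into 11_file_create, rebuilds sysmonconfig.xml with the merge script, checks that the exclusion actually survived the merge, loads the new config into Sysmon (merging alone changes nothing on the host), and then counts any event ID 11 records the forwarder still produces. It assumes you run it from the root of a sysmon-modular checkout in an elevated PowerShell, that Sysmon64.exe is on PATH, and that the file name exclude_splunk_forwarder.xml is your own choice (the project ships no such file).

```powershell
# Added example, not from the sysmon-modular project or this issue thread.
# Assumptions: run from the root of a sysmon-modular checkout in an elevated
# PowerShell; Sysmon64.exe is on PATH; the rule file name below is hypothetical.
$ErrorActionPreference = 'Stop'
$repoRoot   = Get-Location
$ruleFile   = Join-Path $repoRoot '11_file_create\exclude_splunk_forwarder.xml'
$mergedFile = Join-Path $repoRoot 'sysmonconfig.xml'
$splunkBin  = 'C:\Program Files\SplunkUniversalForwarder\bin\'

# 1. Exclusion rule: FileCreate (event ID 11) events whose creating process is
#    under the forwarder's bin directory are dropped by the driver.
@"
<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="exclude">
        <Image condition="begin with">$splunkBin</Image>
      </FileCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"@ | Set-Content -Path $ruleFile -Encoding UTF8

# 2. Rebuild the merged config with the command from the project README.
. .\Merge-SysmonXml.ps1
Merge-AllSysmonXml -Path (Get-ChildItem '[0-9]*\*.xml') -AsString | Out-File $mergedFile

# 3. Verify the merged file carries the exclusion. A rule that sits only in the
#    per-folder file and not in sysmonconfig.xml never reaches Sysmon.
[xml]$merged = Get-Content $mergedFile -Raw
$hit = $merged.Sysmon.EventFiltering.RuleGroup.FileCreate |
    Where-Object { $_.onmatch -eq 'exclude' } |
    ForEach-Object { $_.Image } |
    Where-Object { $_.condition -eq 'begin with' -and $_.'#text' -eq $splunkBin }
if (-not $hit) { throw "Exclusion for $splunkBin not found in $mergedFile" }

# 4. Sysmon only reads a config when told to; without this step the old rules
#    keep running and event ID 11 keeps flowing.
Sysmon64.exe -accepteula -c $mergedFile

# 5. Dump the active config and confirm the forwarder path is in it.
Sysmon64.exe -c | Select-String -Pattern 'SplunkUniversalForwarder'

# 6. Count FileCreate events from the forwarder over the next minute. Read the
#    Image field by name from the event XML rather than by property index, so
#    the check does not depend on the field order of a particular Sysmon version.
Start-Sleep -Seconds 60
$residual = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 11
    StartTime = (Get-Date).AddMinutes(-1)
} -ErrorAction SilentlyContinue | Where-Object {
    $img = ([xml]$_.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq 'Image' } |
        Select-Object -ExpandProperty '#text'
    $img -like "$splunkBin*"
}
"FileCreate events from the forwarder in the last minute: $(@($residual).Count)"
```

If step 3 throws, the rule file is not being picked up by the merge (wrong folder, wrong file extension, or malformed XML); if step 3 passes but step 6 still reports a steady stream, the config was not reloaded on that host, which is the usual reason a merged exclusion "does not work".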

Thank you, I will try this out.

tbalz2319 avatar Nov 30 '22 08:11 tbalz2319

Just tried this and it did not seem to work.

The Splunk forwarder events for event ID 11 are still flowing non-stop.

Do we need to specify a RuleGroup name?

tbalz2319 avatar Jan 03 '23 23:01 tbalz2319