
How to clone Splunk_TA_Windows and use both apps with different settings on one server

atyshke1
Path Finder

Hello,
I have the Splunk_TA_Windows app, which is deployed to many servers, and the UFs send me specific security logs. But I want to clone this app and set additional events in inputs.conf for an exact account name. How can I clone and deploy two copies of the same app with different settings to one server?


atyshke1
Path Finder

Colleagues,
Maybe someone can help me find clarification?


adonio
Ultra Champion

hello there,

create a small app and call it something like windows_<my_inputs>_app
place an inputs.conf in the local directory of the new app and push the app to the relevant windows machines

hope it helps


atyshke1
Path Finder

> hello there,
>
> create a small app and call it something like windows_<my_inputs>_app
> place an inputs.conf in the local directory of the new app and push the app to the relevant windows machines
>
> hope it helps

I tried, but events aren't sent to the new app.


a_naoum
Path Finder

try to edit app.conf in the "new" app as well. This will make it kind of different.


atyshke1
Path Finder

How can this help me receive additional specific events?
I think I need to clone it, change some settings and add a new index. Am I right?


adonio
Ultra Champion

let's say on your windows TA (original) you have this inputs.conf:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml=false

on your second app (the one you created) you can have this input (or any other input):

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false

now you can create a new serverclass and set inputs as you want per group of hosts


atyshke1
Path Finder

It seems that I first need to copy the original app folder, rename the copied folder and then correct the inputs file.
I tried it and it didn't help me either.
Sorry, but I don't correctly understand your message.


adonio
Ultra Champion

not sure why your attempt did not work, here is what you can do:
from the deployment server GUI -> manage apps (top left) -> create new app -> name it -> save / create
now the app is under the $SPLUNK_HOME/etc/apps/ folder
move the app to the deployment-apps folder: mv .../etc/apps/new_app .../etc/deployment-apps
create a new local folder (if there isn't one already): mkdir .../etc/deployment-apps/new_app/local
create your new inputs.conf in the new local directory: vi .../etc/deployment-apps/new_app/local/inputs.conf
save it. navigate to forwarder management in the DS GUI and see that new_app exists
create a new serverclass, and add new_app to it
that's it


atyshke1
Path Finder

Doesn't help 😞
I created a new one and did as you wrote. But only one of the two sends logs. If I remove that one from the deployed apps, the second app starts to send logs. The two apps can't work at the same time. Both apps look at the Security event log. Maybe because of this I don't receive logs from both apps at the same time?


atyshke1
Path Finder

I created a new index named wineventlog_4624 and tried to send logs from the second app to this index, but it doesn't work.
inputs.conf for the second app:

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
whitelist1 = 4624
index = wineventlog_4624
renderXml=false

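An added illustration, not code from this thread or from Splunk, of why two apps that both carry a `[WinEventLog://Security]` stanza do not run side by side as the thread expects: Splunk layers every app's inputs.conf by stanza name, so the two stanzas collapse into one and a key set in both apps keeps only the higher-precedence app's value. The app names, the clone's stanza and the ASCII-order precedence rule (app "A" beats app "B") are assumptions made for the demo.

```python
Conf = dict[str, dict[str, str]]

def parse_conf(text: str) -> Conf:
    """Minimal Splunk .conf parser: [stanza] headers, key = value lines, # comments."""
    conf: Conf = {}
    stanza = "default"
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def merge_apps(apps: dict[str, str]) -> Conf:
    """Layer app-local inputs.conf files the way Splunk does in the global
    context: same-named stanzas collapse into one, and a key set in several
    apps keeps the value from the app sorting first in ASCII order
    (assumed precedence rule: app 'A' beats app 'B')."""
    merged: Conf = {}
    for app in sorted(apps, reverse=True):  # lowest precedence applied first
        for stanza, keys in parse_conf(apps[app]).items():
            merged.setdefault(stanza, {}).update(keys)
    return merged

# Constructed sample: the TA's Security stanza from the thread plus a cloned
# app that tries to send logon events (4624) to its own index.
APPS = {
    "Splunk_TA_windows": """
[WinEventLog://Security]
disabled = 0
blacklist1 = EventCode="4662" Message="Object Type:\\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml=false
""",
    "windows_4624_app": """
[WinEventLog://Security]
disabled = 0
whitelist1 = 4624
index = wineventlog_4624
""",
}

def effective_security_input() -> dict[str, str]:
    """The single Security stanza the forwarder actually ends up running."""
    return merge_apps(APPS)["WinEventLog://Security"]
```

Run `effective_security_input()` to see that the clone's `index = wineventlog_4624` is overridden by the TA while its `whitelist1` is merged into the same stanza next to the TA's blacklists; there is never a second collector for the Security log.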