https://youtu.be/39iVugb9Y0c?si=Ob3HDfruGSvRYO5x&t=396
create a share in DC that everyone can access
put all files in DC directory
Only for Splunk
splunkUF.msi
inputs.conf
Only for Security Onion
winlogbeat.yml - https://github.com/elastic/beats/blob/main/winlogbeat/winlogbeat.yml
winlogbeat.msi
Only for sysmon
sysmon.exe
sysmonconfig.xml
splunk UF
group policy management
(Your Organizational Unit) > new gpo
name: Install Splunk Universal Forwarder
source starter gpo: none
(right click) edit
Computer policies > software setting > software installation
(right click) new
specify splunk msi from netlogon share
preferences > windows settings > files
(right click) new > file
action: replace
source file(s): \\dc\NETLOGON\splunkUF\inputs.conf
destination file: \ProgramData\splunkUF\inputs.conf
preferences > control panel settings > services
new > service
startup: automatic
service name: splunkUF.msi
service action: start service
Recovery
first failure: restart the service
second failure: restart the service
subsequent failures: restart the service
restart service every 5 minutes
Splunk UF config
GPO setup
new gpo
startup scripts
DeploySplunk.bat
sysmon
group policy management
all workstations > new gpo
name: Install Sysmon
edit
policies > software setting > software installation
specify msi from netlogon share
preferences > windows settings > files
new > file
action: replace
source file(s): \\dc\NETLOGON\sysmon\sysmonconfig.xml
destination file: \ProgramData\sysmon\sysmonconfig.xml
preferences > control panel settings > services
new > service
startup: automatic
service name: sysmon.exe
service action: start service
Recovery
first failure: restart the service
second failure: restart the service
subsequent failures: restart the service
restart service every 5 minutes
Sysmon config
GPO setup
new gpo
startup scripts
DeploySysmon.bat
Winlogbeat
group policy management
(Your Organizational Unit) > new gpo
name: Install Winlogbeat
source starter gpo: none
(right click) edit
Computer policies > software setting > software installation
(right click) new
specify winlogbeat msi from netlogon share
preferences > windows settings > files
(right click) new > file
action: replace
source file(s): \\dc\NETLOGON\winlogbeat\winlogbeat.yml
destination file: \ProgramData\Elastic\winlogbeat\winlogbeat.yml
preferences > control panel settings > services
new > service
startup: automatic
service name: Elastic winlogbeat-Oss 7.#.#
service action: start service
Recovery
first failure: restart the service
second failure: restart the service
subsequent failures: restart the service
restart service every 5 minutes
the scripts both install splunk and sysmon, dropping a "flag.txt" file to confirm they've been run. since they're startup scripts they check for the flag first: if flag.txt is there, the installer is skipped (it would be redundant); if it isn't, the installer runs and then drops the flag file
good for troubleshooting too IMO because you can delete the flag file and run the script again if you have changes
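Added example of the flag-file startup script pattern described above; this is not the page's own DeploySplunk.bat or DeploySysmon.bat, it just shows the idempotency logic in one script covering both installs. The \\dc\NETLOGON paths and file names come from the notes above; the flag directory, log file and per-component flag names are assumptions. It also covers the failure mode the notes don't mention: the flag is only written after the installer actually succeeds, so a failed install is retried at the next boot instead of being silently skipped forever.

```batch
@echo off
REM Added example, not the page's own script. Flag-file pattern for a GPO
REM startup script: skip the installer when the flag exists, otherwise install
REM and drop the flag. %FLAGDIR% and %LOG% are assumed locations.
setlocal

set "SHARE=\\dc\NETLOGON"
set "FLAGDIR=%ProgramData%\DeployFlags"
set "LOG=%FLAGDIR%\deploy.log"

if not exist "%FLAGDIR%" mkdir "%FLAGDIR%"

REM One flag per component so deleting e.g. the sysmon flag re-runs only sysmon
call :deploy splunk "%FLAGDIR%\splunk-flag.txt"
call :deploy sysmon "%FLAGDIR%\sysmon-flag.txt"
endlocal
exit /b 0

:deploy
REM %1 = component name (matches an :install_<name> label), %2 = flag file path
if exist "%~2" (
    echo %date% %time% %~1: flag present, skipping install>>"%LOG%"
    exit /b 0
)
call :install_%~1
if errorlevel 1 (
    REM No flag on failure, so the next boot retries instead of skipping
    echo %date% %time% %~1: install FAILED, exit code %errorlevel%, no flag written>>"%LOG%"
    exit /b 1
)
REM Success: drop the flag so later boots do not reinstall
echo installed %date% %time%>"%~2"
echo %date% %time% %~1: installed, flag written>>"%LOG%"
exit /b 0

:install_splunk
REM Silent MSI install from the NETLOGON share; AGREETOLICENSE=Yes is the
REM Splunk MSI property that accepts the license without a UI prompt.
msiexec /i "%SHARE%\splunkUF\splunkUF.msi" AGREETOLICENSE=Yes /qn /norestart
REM 3010 is Windows Installer's "success, reboot required": treat as success
if %errorlevel% equ 3010 exit /b 0
exit /b %errorlevel%

:install_sysmon
REM -accepteula and -i <config> are Sysmon's own install switches
"%SHARE%\sysmon\sysmon.exe" -accepteula -i "%SHARE%\sysmon\sysmonconfig.xml"
exit /b %errorlevel%
```

Run it as a computer startup script from the GPO; the deploy.log in the flag directory gives you the per-boot record of whether each component was skipped, installed, or failed, which is the first thing to check when an endpoint stops reporting.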