This PowerShell script automates the setup of:
- Logging configuration
- Sysmon installation
- Splunk Universal Forwarder deployment

It is designed to run remotely on target machines where you have administrative access.
- PowerShell remoting is enabled on the remote system.
- You have administrative access on the target machine.
- This script assumes all required files are present and correctly placed. Missing files will cause deployment to fail.
Before running this script, place all required files in a single folder (SourceFolder).
| File | Source / Instructions |
|---|---|
| Sysmon.exe | Microsoft Sysinternals: Download here |
| sysmonconfig-export.xml | Example configuration from SwiftOnSecurity: GitHub link |
| YamatoSecurityConfigureWinEventLogs.bat | Get it directly from YamatoSecurity: GitHub link |
| outputs.conf | Splunk UF config file (see notes below) |
| inputs.conf | Splunk UF config file (see notes below) |
| SplunkForwarder.msi | Official Splunk: Download here |
Tip: Instead of downloading files manually, you can run the helper script to fetch dependencies automatically:

```powershell
.\FetchDependencies.ps1 -Destination "C:\Path\To\SourceFolder"
```

You'll still need to manually download the Splunk Universal Forwarder MSI from the official link above.
- Enable PowerShell remoting on the target machine (if not already enabled).
- Ensure you have administrative rights on the remote machine.
- Copy all required files into one folder (your SourceFolder).
- Run the deployment script:

```powershell
.\DeployMonitoring.ps1 -ComputerName TARGET -SourceFolder "C:\Path\To\SourceFolder"
```

inputs.conf: Replace `<YOUR_INDEX>` with your desired Splunk index for logs. Example:

```
index = <YOUR_INDEX>
```

outputs.conf: Replace `<SPLUNK_INDEXER_IP>` with your Splunk server IP. Example:

```
server = <SPLUNK_INDEXER_IP>:9997
```

These files act as templates; adjust them as needed for your environment. Note that the placeholders are literal text: if you leave them in place, the forwarder will start but will not deliver events anywhere useful.
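As an added example (not DeployMonitoring.ps1 itself), the following script performs the same pre-flight checks a practitioner would want before the steps above, and then the high-level deployment over PowerShell remoting: it verifies that every required file exists in SourceFolder, that inputs.conf and outputs.conf no longer contain the `<YOUR_INDEX>` / `<SPLUNK_INDEXER_IP>` placeholders, that the Sysmon configuration is well-formed XML, and that WinRM is reachable and the caller is an administrator on the target. The remote staging folder `C:\Deploy`, the msiexec properties used for the silent Splunk install, the Splunk install path under Program Files and the Sysmon service names are my assumptions, not something the page specifies.

```powershell
# Added example; not the project's own DeployMonitoring.ps1.
# Assumptions (mine, not the page's): remote staging folder C:\Deploy,
# the Splunk MSI properties AGREETOLICENSE/SERVICESTARTTYPE for unattended
# installs, the default UF install path, and the service names Sysmon/Sysmon64.

$RequiredFiles = @(
    'Sysmon.exe', 'sysmonconfig-export.xml',
    'YamatoSecurityConfigureWinEventLogs.bat',
    'outputs.conf', 'inputs.conf', 'SplunkForwarder.msi'
)
# Placeholders the README says to replace; they must not reach the target.
$Placeholders = @{ 'inputs.conf' = '<YOUR_INDEX>'; 'outputs.conf' = '<SPLUNK_INDEXER_IP>' }

function Test-SourceFolder {
    param([Parameter(Mandatory)][string] $SourceFolder)
    $problems = @()
    foreach ($name in $RequiredFiles) {
        $path = Join-Path $SourceFolder $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { $problems += "Missing file: $name"; continue }
        if ($Placeholders.ContainsKey($name) -and
            (Select-String -LiteralPath $path -SimpleMatch -Pattern $Placeholders[$name] -Quiet)) {
            $problems += "$name still contains placeholder $($Placeholders[$name])"
        }
    }
    # Sysmon rejects a malformed config, so parse it locally before copying.
    $xmlPath = Join-Path $SourceFolder 'sysmonconfig-export.xml'
    if (Test-Path -LiteralPath $xmlPath) {
        try { [xml](Get-Content -LiteralPath $xmlPath -Raw) | Out-Null }
        catch { $problems += "sysmonconfig-export.xml is not valid XML: $($_.Exception.Message)" }
    }
    return $problems
}

function Test-TargetReady {
    param([Parameter(Mandatory)][string] $ComputerName)
    if (-not (Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue)) {
        return "PowerShell remoting is not reachable on $ComputerName"
    }
    # Sysmon and the MSI both need an elevated administrator on the target.
    $isAdmin = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $id = [Security.Principal.WindowsIdentity]::GetCurrent()
        (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
    if (-not $isAdmin) { return "Current user is not an administrator on $ComputerName" }
    return $null
}

function Invoke-MonitoringDeployment {
    param(
        [Parameter(Mandatory)][string] $ComputerName,
        [Parameter(Mandatory)][string] $SourceFolder,
        [string] $RemoteFolder = 'C:\Deploy'   # assumed staging path
    )
    $problems = @(Test-SourceFolder -SourceFolder $SourceFolder)
    $targetProblem = Test-TargetReady -ComputerName $ComputerName
    if ($targetProblem) { $problems += $targetProblem }
    if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Error $_ }; return }

    $session = New-PSSession -ComputerName $ComputerName
    try {
        Invoke-Command -Session $session -ArgumentList $RemoteFolder -ScriptBlock {
            param($f) New-Item -ItemType Directory -Force -Path $f | Out-Null }
        Copy-Item -Path (Join-Path $SourceFolder '*') -Destination $RemoteFolder -ToSession $session -Force

        Invoke-Command -Session $session -ArgumentList $RemoteFolder -ScriptBlock {
            param($f)
            Set-Location $f
            # 1. Logging configuration (audit policy, log sizes) via the Yamato Security batch file.
            & cmd.exe /c (Join-Path $f 'YamatoSecurityConfigureWinEventLogs.bat')
            # 2. Sysmon: fresh install, or just push the new config if it is already running.
            if (Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue) {
                & .\Sysmon.exe -c .\sysmonconfig-export.xml
            } else {
                & .\Sysmon.exe -accepteula -i .\sysmonconfig-export.xml
            }
            # 3. Splunk UF: silent MSI install. Recent UF versions may also require
            #    SPLUNKUSERNAME/SPLUNKPASSWORD; check the release notes for your version.
            $msiArgs = '/i "{0}" AGREETOLICENSE=Yes SERVICESTARTTYPE=auto /quiet /norestart' -f (Join-Path $f 'SplunkForwarder.msi')
            $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
            if ($p.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($p.ExitCode)" }
            # 4. Drop the (placeholder-free) templates into the UF's local config and restart.
            $local = Join-Path $env:ProgramFiles 'SplunkUniversalForwarder\etc\system\local'
            Copy-Item -Path .\inputs.conf, .\outputs.conf -Destination $local -Force
            Restart-Service -Name SplunkForwarder
        }
    }
    finally { Remove-PSSession -Session $session }
}

# Usage:
# Invoke-MonitoringDeployment -ComputerName TARGET -SourceFolder 'C:\Path\To\SourceFolder'
```

The validation runs entirely on the operator's machine before any session is opened, so a missing file or a forgotten placeholder fails fast instead of leaving a half-configured target with a forwarder that sends nothing.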
If the deployment succeeds, your console should show something like:

```
=== Starting deployment on <REMOTE-COMPUTER> ===
Step: CreateRemoteFolder, Status: Success
Step: SanityCheck, Status: Success
Step: LoggingScript, Status: Success
Step: SysmonInstallation, Status: Success
Step: SplunkForwarderInstallation, Status: Success
Step: Deploy_outputs.conf, Status: Success
Step: Deploy_inputs.conf, Status: Success
Cleaning up session...
```
- The script automatically adjusts Sysmon event log permissions so SplunkForwarder can read them without manual intervention.
- Ensure all required files are present in SourceFolder before running.
- Missing or misnamed files will stop the deployment.
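As an added example of the permission adjustment mentioned in the notes (not the project's own code, and not necessarily how DeployMonitoring.ps1 does it), the script below grants the account running the SplunkForwarder service read access to the Sysmon channel. The Sysmon channel name `Microsoft-Windows-Sysmon/Operational`, the use of `wevtutil get-log` / `set-log /ca:` to read and write the channel's SDDL, and the ACE right `0x1` for channel read are assumptions on my part; the check that nothing needs doing when the service runs as LocalSystem is included because LocalSystem already has full access.

```powershell
# Added example; not code from DeployMonitoring.ps1.
# Assumptions (mine): channel name, wevtutil's "channelAccess: <SDDL>" output
# line, and (A;;0x1;;;<SID>) as the read ACE for an event log channel.

$SysmonChannel = 'Microsoft-Windows-Sysmon/Operational'

function Get-ChannelSddl {
    param([Parameter(Mandatory)][string] $Channel)
    # "wevtutil gl <channel>" prints the channel's access SDDL on one line.
    foreach ($line in (& wevtutil.exe get-log $Channel)) {
        if ($line -match '^\s*channelAccess:\s*(\S+)') { return $Matches[1] }
    }
    throw "Could not read channelAccess for $Channel"
}

function Get-SplunkServiceSid {
    # Logon account of the UF service. LocalSystem already reads every channel.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SplunkForwarder'"
    if (-not $svc) { throw 'SplunkForwarder service not found on this host' }
    if ($svc.StartName -eq 'LocalSystem') { return $null }
    $acct = New-Object System.Security.Principal.NTAccount($svc.StartName)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Add-ChannelReadAce {
    param([Parameter(Mandatory)][string] $Sddl, [Parameter(Mandatory)][string] $Sid)
    $ace = "(A;;0x1;;;$Sid)"                     # 0x1 = read on an event log channel
    if ($Sddl.Contains($ace)) { return $Sddl }     # already granted, nothing to change
    # Keep the new ACE inside the DACL: insert before the SACL ("S:") if one exists.
    $saclIndex = $Sddl.IndexOf('S:')
    if ($saclIndex -ge 0) { return $Sddl.Insert($saclIndex, $ace) }
    return $Sddl + $ace
}

function Grant-SplunkSysmonRead {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $Channel = $SysmonChannel)
    $sid = Get-SplunkServiceSid
    if (-not $sid) { Write-Verbose 'SplunkForwarder runs as LocalSystem; no change needed'; return $false }
    $current = Get-ChannelSddl -Channel $Channel
    $updated = Add-ChannelReadAce -Sddl $current -Sid $sid
    if ($updated -eq $current) { Write-Verbose 'Read ACE already present'; return $false }
    if ($PSCmdlet.ShouldProcess($Channel, "set channelAccess to $updated")) {
        & wevtutil.exe set-log $Channel "/ca:$updated"
        if ($LASTEXITCODE -ne 0) { throw "wevtutil set-log failed with exit code $LASTEXITCODE" }
    }
    return $true
}

# Usage (run elevated on the target, e.g. inside Invoke-Command):
# Grant-SplunkSysmonRead -WhatIf   # show the SDDL that would be written
# Grant-SplunkSysmonRead -Verbose  # apply it
```

Adding the service account to the built-in Event Log Readers group is the coarser alternative; the per-channel ACE above is the least-privilege option, since it grants read on the Sysmon channel only and leaves the Security log and other channels untouched.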