Install the Splunk Add-on for Sysmon¶
-
To get the Splunk Add-On for Sysmon, perform one of the actions:
- Download it from Splunkbase.
- Browse for it using the app browser within Splunk Web.
-
Determine where and how to install this add-on in your deployment, using the tables on this page.
- Perform any prerequisite steps before installing if required, as specified in the tables below.
- Complete your installation.
If you need step-by-step instructions on how to install an add-on in your specific deployment environment, see the installation walkthroughs section at the bottom of this page for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud.
Distributed deployments¶
Use the tables below to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.
Where to install this add-on¶
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. For more information, see Where to install Splunk add-ons in Splunk Add-ons.
Install the Splunk Add-on for Sysmon on Windows endpoints where the data should be collected from regardless of the Splunk role the machine possesses.
This table provides a reference for installing this specific add-on to a distributed deployment of the Splunk platform.
| Splunk platform instance type | Supported | Required | Actions required / Comments |
|---|---|---|---|
| Search Heads | Yes | Yes | Install this add-on to all search heads where Sysmon knowledge management is required. |
| Indexers | Yes | Yes | |
| Heavy Forwarders | Yes | See Comments | This add-on supports forwarders of any type for data collection. The forwarder needs to be installed directly on the monitored Microsoft Windows endpoint or Windows Event Collector for WEF/WEC architecture. |
| Universal Forwarders | Yes | See Comments | This add-on supports forwarders of any type for data collection. The forwarder needs to be installed directly on the monitored Microsoft Windows endpoint or Windows Event Collector for WEF/WEC architecture. |
| Splunk Cloud | Yes | See Comments | This product is compatible with Self Service App Install (SSAI). See your Splunk Cloud administrator for more information. |
Distributed deployment feature compatibility¶
This table describes the compatibility of this add-on with Splunk distributed deployment features.
| Distributed deployment feature | Supported | Actions required / Comments |
|---|---|---|
| Search Head Clusters | Yes | |
| Indexer Clusters | Yes | |
| Deployment Server | Yes | Supported for deploying the configured add-on to multiple forwarders for local data collection using Windows Event Monitoring. |
Installation walkthroughs¶
The Splunk Add-Ons manual includes an Installing add-ons guide that helps you successfully install any Splunk-supported add-on to your Splunk platform.
For a walkthrough of the installation procedure, follow the link that matches your deployment scenario: