Edit outputs.conf to configure forwarding

The outputs.conf file defines how forwarders send data to receivers. You can specify some output configurations at installation time (Windows universal forwarders only) or the CLI, but most advanced configuration settings require that you edit outputs.conf.

Although outputs.conf is a required file for configuring forwarders, it addresses only the outputs from the forwarder, where you want the forwarder to send the data it collects. To specify the data that you want to collect from the forwarder, you must separately configure the inputs, as you would for any Splunk instance. See Add data and configure inputs in Getting Data In. The topics that describe various forwarding topologies, such as load balancing and intermediate forwarding, provide detailed examples on configuring outputs.conf to support those topologies.

= yyyy-MM-dd HH:mm:ss

Query = SELECT \r\n N'SystemCenterEndpointProtection' AS ,\r\n N'SecurityIncident' AS ,\r\n N'MalwareInfection' AS ,\r\n m.ResourceID as, \r\n sys.Netbios_Name0 as ,\r\n sys.Resource_Domain_OR_Workgr0 as ,\r\n m.DetectionTime AS ,\r\n m.DetectionTime as, \r\n m.ActionTime, \r\n m.ProductVersion, \r\n m.DetectionID, \r\n CASE \r\n WHEN m.DetectionSource = 0 THEN N'Unknown' \r\n WHEN m.DetectionSource = 1 THEN N'User' \r\n WHEN m.DetectionSource = 2 THEN N'System' \r\n WHEN m.DetectionSource = 3 THEN N'Realtime' \r\n WHEN m.DetectionSource = 4 THEN N'IOAV' \r\n WHEN m.DetectionSource = 5 THEN N'NIS' \r\n WHEN m.DetectionSource = 6 THEN N'BHO' \r\n END AS ,\r\n m.UserName as ,\r\n m.Process AS, \r\n m.Path AS file_path, \r\n ISNULL(metaData.Name,N'UnknownThreat') AS, \r\n IsNULL(sev.Severity,N'Unknown') AS, \r\n IsNULL(cat.Category,N'Invalid') AS category,\r\n CASE \r\n WHEN CleaningAction = 0 THEN N'Unknown' \r\n WHEN CleaningAction = 1 THEN N'Clean' \r\n WHEN CleaningAction = 2 THEN N'Quarantine' \r\n WHEN CleaningAction = 3 THEN N'Remove' \r\n WHEN CleaningAction = 6 THEN N'Allow' \r\n WHEN CleaningAction = 8 THEN N'UserDefined' \r\n WHEN CleaningAction = 9 THEN N'NoAction' \r\n WHEN m.CleaningAction = 10 THEN N'Block' \r\n END AS, \r\n CASE \r\n WHEN CleaningAction = 0 THEN N'unknown' \r\n WHEN CleaningAction = 1 THEN N'blocked' \r\n WHEN CleaningAction = 2 THEN N'blocked' \r\n WHEN CleaningAction = 3 THEN N'blocked' \r\n WHEN CleaningAction = 6 THEN N'allowed' \r\n WHEN CleaningAction = 8 THEN N'deferred' \r\n WHEN CleaningAction = 9 THEN N'allowed' \r\n WHEN m.CleaningAction = 10 THEN N'blocked' \r\n END AS ,\r\n CASE \r\n WHEN m.ActionSuccess =1 THEN N'True' \r\n ELSE N'False' \r\n END AS, \r\n m.ErrorCode AS, \r\n CASE \r\n WHEN m.PendingActions