Too many Splunk Forwarder Events in base Sysmon Config

[tbalz2319]

Hello,

We are using this config and really like it but we have noticed their are way too many Splunk forwarder events
event-id 11

and the image is Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"

is their anyway I can exclude all of these? Do we need to run specific powershell commands ?

[Suirand1]

@tbalz2319 you can exclude these by creating new .xml file in 11_file_create folder and running the merge script. The content of the file can be something like this

<Sysmon schemaversion="4.30">
	<EventFiltering>
		<RuleGroup name="" groupRelation="or">
			<FileCreate onmatch="exclude">
				<Image condition="begin with">C:\Program Files\SplunkUniversalForwarder\bin\</Image>
			</FileCreate>
		</RuleGroup>
	</EventFiltering>
</Sysmon>

[tbalz2319]

Thank you I will try this out, what exactly merge command shall I use? I see a few different options

[Suirand1]

Thank you I will try this out, what exactly merge command shall I use? I see a few different options

$> cd sysmon modular
$> . .\Merge-SysmonXml.ps1
$> Merge-AllSysmonXml -Path ( Get-ChildItem '[0-9]**.xml') -AsString | Out-File sysmonconfig.xml

[tbalz2319]

Thank you , I will try this out

[tbalz2319]

Just tried this and it did not seem to work,

The Splunk forwarder events for event-id 11 are still flowing non-stop

Do we need to specify a RulgeGroup name?