PowerShell script to automate Windows monitoring setup with Sysmon, Splunk Universal Forwarder, and custom inputs/outputs configuration.

0xlam/RemoteMonitoringSetup


🌐 Remote Monitoring Automation Script

📋 Overview

This PowerShell script automates the setup of:

  • 🖥️ Logging configuration
  • 🔍 Sysmon installation
  • 📡 Splunk Universal Forwarder deployment

It is designed to run remotely on target machines where you have administrative access.


⚠️ Script Assumptions / Prerequisites

  • PowerShell remoting is enabled on the remote system.
  • You have administrative access on the target machine.
  • This script assumes all required files are present and correctly placed. Missing files will cause deployment to fail.

📂 Required Files

Before running this script, place all required files in a single folder (SourceFolder).

| File | Source / Instructions |
| --- | --- |
| Sysmon.exe | Microsoft Sysinternals: Download here |
| sysmonconfig-export.xml | Example configuration from SwiftOnSecurity: GitHub link |
| YamatoSecurityConfigureWinEventLogs.bat | Get it directly from YamatoSecurity: GitHub link |
| outputs.conf | Splunk UF config file – see notes below |
| inputs.conf | Splunk UF config file – see notes below |
| SplunkForwarder.msi | Official Splunk: Download here |

💡 Tip: Instead of downloading files manually, you can run the helper script to fetch dependencies automatically:

.\FetchDependencies.ps1 -Destination "C:\Path\To\SourceFolder"

👉 You’ll still need to manually download Splunk Forwarder from the official link above.


🚀 Setup

  1. 🛠️ Enable PowerShell remoting on the target machine (if not already enabled).
  2. 🔐 Ensure you have administrative rights on the remote machine.
  3. 📂 Copy all required files into one folder (your SourceFolder).
  4. ▶️ Run the deployment script:
.\DeployMonitoring.ps1 -ComputerName TARGET -SourceFolder "C:\Path\To\SourceFolder"

📝 Configuration Notes

inputs.conf: Replace <YOUR_INDEX> with your desired Splunk index for logs. Example:

index = <YOUR_INDEX>

outputs.conf: Replace <SPLUNK_INDEXER_IP> with your Splunk server IP. Example:

server = <SPLUNK_INDEXER_IP>:9997

These files act as templates; adjust them as needed for your environment.


✅ Expected Output

If the deployment succeeds, your console should show something like:

=== Starting deployment on <REMOTE-COMPUTER> ===
Step: CreateRemoteFolder, Status: Success
Step: SanityCheck, Status: Success
Step: LoggingScript, Status: Success
Step: SysmonInstallation, Status: Success
Step: SplunkForwarderInstallation, Status: Success
Step: Deploy_outputs.conf, Status: Success
Step: Deploy_inputs.conf, Status: Success
Cleaning up session...

🛠️ Notes

  • The script automatically adjusts Sysmon event log permissions so SplunkForwarder can read them without manual intervention.
  • Ensure all required files are present in SourceFolder before running.
  • Missing or misnamed files will stop the deployment.
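A pre-flight check that runs on the admin workstation before DeployMonitoring.ps1, added here as an example and not part of the repository: it confirms the six files listed above are present under SourceFolder, that inputs.conf and outputs.conf no longer contain their placeholders, and (optionally) that WinRM answers on the target. The function and parameter names are my own.

```powershell
# Added example, not one of the repository's scripts.
# Returns $true when SourceFolder is ready for deployment, $false otherwise.
function Test-MonitoringSourceFolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourceFolder,
        [string] $ComputerName   # optional: also probe PowerShell remoting
    )

    # The files the README requires, with the exact names the deploy script expects.
    $requiredFiles = @(
        'Sysmon.exe',
        'sysmonconfig-export.xml',
        'YamatoSecurityConfigureWinEventLogs.bat',
        'outputs.conf',
        'inputs.conf',
        'SplunkForwarder.msi'
    )
    # Placeholders the Configuration Notes tell you to replace, keyed by file.
    $placeholders = @{
        'inputs.conf'  = '<YOUR_INDEX>'
        'outputs.conf' = '<SPLUNK_INDEXER_IP>'
    }

    $problems = @()
    foreach ($name in $requiredFiles) {
        $path = Join-Path $SourceFolder $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $problems += "Missing file: $name"
            continue
        }
        if ($placeholders.ContainsKey($name)) {
            $content = Get-Content -LiteralPath $path -Raw
            if ($content -and $content.Contains($placeholders[$name])) {
                $problems += "$name still contains placeholder $($placeholders[$name])"
            }
        }
    }

    # Remoting must be enabled on the target; Test-WSMan fails if WinRM is not listening.
    if ($ComputerName) {
        try   { $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop }
        catch { $problems += "WinRM not reachable on ${ComputerName}: $($_.Exception.Message)" }
    }

    foreach ($p in $problems) { Write-Warning $p }
    return ($problems.Count -eq 0)
}

# Usage (placeholder values): stop if this returns $false.
# Test-MonitoringSourceFolder -SourceFolder 'C:\Path\To\SourceFolder' -ComputerName TARGET
```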
