Getting data from Horizon provisioned desktops

We use Horizon View 7 from VMware and we deploy desktop pools with Windows 10 to our customers. I’m looking at doing this ([https://www.reddit.com/r/Splunk/comments/dbtl0r/integrate_universal_forwardeer_onto_system_image/](https://www.reddit.com/r/Splunk/comments/dbtl0r/integrate_universal_forwardeer_onto_system_image/)) to get more data on VDI activity into Splunk:

1. On image, install Splunk from CLI (use installer with LAUNCHSPLUNK=0),
2. Then use PowerShell to run ./splunk clone-prep-clear-config,
3. Then set splunkd service to automatic,
4. Then on clone, run CLI: splunk restart (then confirm $SPLUNK_HOME\cloneprep file has been deleted).

Planning to script this (simple .bat file maybe?) and push them via 2 GPOs to deploy at startup — 1 going to parent VM’s OU, the other to the clones’ OU.

Splunk’s config (inputs.conf) would set the index and have the Windows security, system & application log monitoring, and maybe also some Horizon View log monitoring… or some kind of directory access monitoring… not sure of the specifics there yet… so we can report on users’ activity in the desktop pool.

Anyone else doing this and/or have experience/ideas they’d like to share?

View Reddit by kkmcunc
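The four steps above as a single PowerShell startup script with one phase for the parent VM and one for the clones. This is an added example, not code from the original post; the MSI path, the install directory, the `SplunkForwarder` service name and the `-Phase` parameter are assumptions to adjust for your environment.

```powershell
# Added example: image prep and clone check for a Splunk Universal Forwarder.
# Assumed values (not from the post): MSI path, install dir, service name.
param(
    [Parameter(Mandatory)][ValidateSet('Image', 'Clone')][string]$Phase,
    [string]$Msi        = 'C:\Install\splunkforwarder.msi',   # placeholder path
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    [string]$Service    = 'SplunkForwarder'
)
$ErrorActionPreference = 'Stop'
$splunk = Join-Path $SplunkHome 'bin\splunk.exe'
$marker = Join-Path $SplunkHome 'cloneprep'

if ($Phase -eq 'Image') {
    # Step 1: silent install that does not start the forwarder.
    if (-not (Test-Path $splunk)) {
        $p = Start-Process msiexec.exe -Wait -PassThru -ArgumentList @(
            '/i', "`"$Msi`"", 'AGREETOLICENSE=Yes', 'LAUNCHSPLUNK=0', '/quiet')
        if ($p.ExitCode -notin 0, 3010) { throw "msiexec exited with $($p.ExitCode)" }
    }
    # Step 2: clear instance-specific settings; stop the service first if a
    # previous run or a manual test left it running.
    if ((Get-Service -Name $Service).Status -eq 'Running') { Stop-Service -Name $Service }
    & $splunk clone-prep-clear-config
    if ($LASTEXITCODE -ne 0) { throw "clone-prep-clear-config failed ($LASTEXITCODE)" }

    # Step 3: the service starts on its own when each clone boots.
    Set-Service -Name $Service -StartupType Automatic

    # The clone check below relies on this marker being present in the image.
    if (-not (Test-Path $marker)) { Write-Warning "No cloneprep marker at $marker" }
    Write-Output 'Image prepared. Shut down and snapshot without starting Splunk.'
}
else {
    # Step 4: restart on the clone, then confirm the marker has been deleted.
    & $splunk restart
    if ($LASTEXITCODE -ne 0) { throw "splunk restart failed ($LASTEXITCODE)" }
    if (Test-Path $marker) {
        throw "cloneprep still present at $marker; this clone may report the image's identity"
    }
    # Record the per-instance GUID so duplicate identities across clones are easy to spot.
    $guid = Select-String -Path (Join-Path $SplunkHome 'etc\instance.cfg') -Pattern '^\s*guid\s*='
    Write-Output "$env:COMPUTERNAME forwarder $($guid.Line.Trim())"
}
```

The GPO linked to the parent VM's OU would call it with `-Phase Image` and the GPO linked to the clones' OU with `-Phase Clone`.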


One Comment

  1. I do something similar in my VDI environment with Log Insight. Probably less complicated than what you’re planning, but it looks like you can get more data your way.

    Sorry I don’t have much to offer, but you’ve got a good idea if you can narrow down what you want to get from Splunk. It’s a pretty low effort, high value setup. I’d be interested to see how you end up using the data you gather from this.
