We use Horizon View 7 from VMware and we deploy desktop pools with Windows 10 to our customers. I’m looking at doing this ([https://www.reddit.com/r/Splunk/comments/dbtl0r/integrate_universal_forwardeer_onto_system_image/](https://www.reddit.com/r/Splunk/comments/dbtl0r/integrate_universal_forwardeer_onto_system_image/)) to get more data on VDI activity into Splunk:
1. On image, install splunk from CLI (use installer with LAUNCHSPLUNK=0)
2. Then use PowerShell to run ./splunk clone-prep-clear-config,
3. Then set splunkd service to automatic,
4. Then on clone, run CLI: splunk restart (then confirm $SPLUNK_HOME\cloneprep file has been deleted).
Planning to script this (simple .bat file maybe?) and push them via 2 GPOs to deploy at startup — 1 going to parent VM’s OU, the other to the clones’ OU.
Splunk’s config (inputs.conf) would set the index and have the Windows security, system & application log monitoring, and maybe also some Horizon View log monitoring… or some kind of directory access monitoring… not sure of the specifics there yet… so we can report on users’ activity in the desktop pool.
Anyone else doing this and/or have experience/ideas they’d like to share?
View Reddit by kkmcunc – View Source
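
The four steps above as one PowerShell startup script with an image phase and a clone phase. This is an added example, not part of the original post and not Splunk's own code. The MSI path, install directory, service name `SplunkForwarder`, app folder `vdi_inputs` and index name are assumptions or placeholders to replace with your own values.

```powershell
# Added example (hypothetical script). Run with -Phase Image on the parent VM
# and -Phase Clone from the startup GPO linked to the clones' OU.
param(
    [ValidateSet('Image','Clone')][string]$Phase = 'Image',
    [string]$Msi         = 'C:\Install\splunkforwarder.msi',            # assumed path
    [string]$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder', # assumed path
    [string]$ServiceName = 'SplunkForwarder',                           # assumed name
    [string]$Index       = 'INDEX_PLACEHOLDER'                          # placeholder
)
$ErrorActionPreference = 'Stop'
$splunk = Join-Path $SplunkHome 'bin\splunk.exe'
$marker = Join-Path $SplunkHome 'cloneprep'   # file named in step 4

if ($Phase -eq 'Image') {
    # Step 1: silent install; LAUNCHSPLUNK=0 keeps the service from starting.
    $msiArgs = "/i `"$Msi`" AGREETOLICENSE=Yes LAUNCHSPLUNK=0 /quiet"
    $p = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "msiexec failed with exit code $($p.ExitCode)" }

    # Step 2: clear instance-specific config so clones do not share an identity.
    & $splunk clone-prep-clear-config
    if ($LASTEXITCODE -ne 0) { throw 'clone-prep-clear-config failed' }

    # Event log inputs in a hypothetical app folder, no host value baked in.
    $appDir = Join-Path $SplunkHome 'etc\apps\vdi_inputs\local'
    New-Item -ItemType Directory -Path $appDir -Force | Out-Null
    $stanzas = foreach ($log in 'Security','System','Application') {
        "[WinEventLog://$log]`r`nindex = $Index`r`ndisabled = 0`r`n"
    }
    Set-Content -Path (Join-Path $appDir 'inputs.conf') -Value $stanzas -Encoding ASCII

    # Step 3: start automatically on every clone boot.
    Set-Service -Name $ServiceName -StartupType Automatic

    # Guard: if the service runs on the image, the prep above is undone.
    if ((Get-Service -Name $ServiceName).Status -ne 'Stopped') {
        throw "$ServiceName is running on the image; stop it and rerun before snapshot"
    }
    if (-not (Test-Path $marker)) { Write-Warning "No cloneprep file found at $marker" }
}
else {
    # Step 4: restart on the clone, then confirm the cloneprep file is gone.
    & $splunk restart
    if ($LASTEXITCODE -ne 0) { throw 'splunk restart failed' }
    if (Test-Path $marker) { throw "cloneprep still present at $marker" }
    Write-Output "Forwarder initialized on $env:COMPUTERNAME"
}
```

The script throws on any failed step, so a non-zero exit from the startup GPO points to an image that was snapshotted with the forwarder already started or a clone that did not initialize.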