topic Re: Why isn't the Sysmon Technology Add-on Parsing my Sysmon Logs? in Getting Data In

Why isn't the Sysmon Technology Add-on Parsing my Sysmon Logs?

cbenn7 — Thu, 08 Feb 2018 21:30:18 GMT

What needs to happen in order for SysmonTA to parse the Windows Sysmon Event Logs? Here is the output I get when I try to upload the file manually:

I select - "Sourcetype XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" from the Sourcetype List
Splunk displays error "Not Found"
All I see in the Parsing Preview in the Right Pane is "ElfFile\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00..."
If I try to leave the Sourcetype Picker at the default of win-event-preprocessor, it will only parse a fraction of the fields, for example:
List item

02/07/2018 08:25:27 PM
LogName=E:\Splunk\var\run\splunk\upload\A6BBADBE-19F4-4252-BDB1-5D5B748B5244
SourceName=Microsoft-Windows-Sysmon
EventCode=5
EventType=4
Type=Information
ComputerName=win-srv
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=5
CategoryString=none
RecordNumber=18
Message=
If I try to monitor the whole directory and select "Automatic" sourcetype determination, it will parse with "Elf\x00\x00." as if it was plaintext log data.

I am using the default props/transforms files that are included with TASysmon version 6.07, and also tried version 6.05.

Here is what I have tried to fix:

Adding a "local" directory with the same files as "default" in the app folder.
Changing the inputs in the local folder to monitor a particular directory with my Sysmon Log.
Adding the props/transforms from the Add-On to ../system/local folders

Any help would be appreciated. I truly thought this would be a simpler task!

Re: Why isn't the Sysmon Technology Add-on Parsing my Sysmon Logs?

dstaulcu — Fri, 09 Feb 2018 00:11:11 GMT

The add-on for Microsoft Systmon (https://splunkbase.splunk.com/app/1914) assumes that your sysmon events are forwarded by the splunk-wineventlog handler and rendered as xml. I can see from the value of the LogName field in your example that you are aggregating the input from an unexpected input source and thus the format is likely unhanded.

Re: Why isn't the Sysmon Technology Add-on Parsing my Sysmon Logs?

cbenn7 — Fri, 09 Feb 2018 02:26:55 GMT

It appears that using the default "winevtx-preprocessor" source type in combination with installing Sysmon on the Splunk Server did the trick. If Sysmon is not installed, the events seem to either truncate after the "Message=" or Splunk will write an error into each event explaining it doesn't understand the event message format.

I can't say for certain if some of the other steps I mentioned before helped these parse, but fortunately it is working now.