Sysmon App and Add-on installation failure

state_larson_ti — Fri, 26 Jun 2020 16:05:36 GMT

I wanted to install Sysmon App for Splunk (App) and Microsoft Sysmon Add-on (Add-on) on my development server (Splunk 8.0.4.1). I am running my development server on Ubuntu 18.04.4 LTS.

I thought it would be as easy as installing them both and looking at the Sysmon App for Splunk I would get no events when I submitted to see the last 24 hours. I noticed that I was getting events in Search, but none were making it to the App. I was getting an error for field extractions that said

Splunk could not perform action for resource data/props/extractions (404, 'Splunk cannot find "data/props/extractions/source::XmlWinEventLog:Microsoft-Windows-Sysmon//Operational : REPORT-sysmon". [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/TA-microsoft-sysmon/data/props/extractions/source%253A%253AXmlWinEventLog%253AMicrosoft-Windows-Sysmon%252F%252FOperational%20%3A%20REPORT-sysmon?safe_encoding=1; [{\'type\': \'ERROR\', \'code\': None, \'text\': \'Could not find object id=source%3A%3AXmlWinEventLog%3AMicrosoft-Windows-Sysmon//Operational : REPORT-sysmon\'}]')

I removed both the App and the Add-on, and started again. It looked like the App did not require the Add-on, so I only installed the app. I could then see several thousand sysmon messages in the App (Overview), but it did not look like any of the other tabs or panels were populating. I also noticed that I "though" an XMLWinEventLog Source had appeared (before it was just the WinEventLogs that references sysmon.

I installed the Add-on, and then the app stopped displaying the sysmon messages in the overview total panel. I then removed the Add-on, and I can now see the Event Count and Event Count Over Time (in the Sysmon Overview), but none of the other tabs (Network Activity, Process Activity, etc) are populating.

I have 34,000 events in the source="WinEventLog:Microsoft-Windows-Sysmon/Operational" query.

I have 670 events in the source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" query over the same time period (last 24 hours).

In a somewhat desperate attempt I read through the Security Essentials docs on configuring Sysmon, and they recommended deploying the Add-on to the UF (on the windows box running sysmon).

I did configure and check that I was getting a LOT of events with sysmon. I had used the information from SwiftonSecurity (https://github.com/SwiftOnSecurity/sysmon-config) to configure Sysmon on my test workstation.

My ultimate goal was to send sysmon information to Security Essentials so I could use that to detect suspicious activity. With the add-on removed there are very few fields in either the XmlEventLogs or the WinEventLogs data sources. I would love to have a direction to move forw

topic Sysmon App and Add-on installation failure in Getting Data In

Sysmon App and Add-on installation failure