topic Connectivity issues in Getting Data In

Connectivity issues

VijaySrrie — Wed, 21 Jul 2021 09:51:49 GMT

Hi,

In Sandpit --> I have a multicluster environment created for testing

I have Windows Universal Forwarder --> From where I need to send sysmon logs to splunk

sysmon is successfully installed --> logging is enabled

In windows UF --> I have created inputs.conf and outputs.conf under Program Files --> SplunkUniversal forwarder--> etc--> system --> local

inputs.conf

[monitor://%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx]

index = main
sourcetype = web

outputs.conf

[tcpout]
defaultGroup=sysmon_server

[tcpout:sysmon_server]
server=FQDN:5986

Restarted the splunk

Added port 5986 into Heavy Forwarder of the clustered environment (9997 and 9998 ports were not getting connected to used 5986)

Index and sourcetype mentioned above are already there in HF.

--> Telnet is working

--> Phonehome logs are there

But sysmon logs are not getting ingested into splunk

Re: Connectivity issues

venkatasri — Wed, 21 Jul 2021 10:19:31 GMT

Hi @VijaySrrie

sysmon add-on having it's own inputs to be configured as below that pulls logs automatically. Your explicit monitor does not work as .evtx files are binary.

Try following settings in inputs conf, same you can find in default/ dir of add-on.

[WinEventLog://Microsoft-Windows-Sysmon/Operational] disabled = true renderXml = 1 source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational # Prevent forwarding of multiple DNSQuery logs based on complex rule groups # blacklist1 = EventCode="^22$" Message="(?i)QueryName:\s+(.*\.arpa\.)\s+QueryStatus:\s+(\d+)\s+QueryResults:\s+(.*)\s+Image:\s+(c:\\windows\\sysmon\.exe)$" # blacklist2 = EventCode="^22$" Message="(?i)QueryName:\s+(HelloWorld.local)\s+QueryStatus:\s+(\d+)\s+QueryResults:\s+(.*)\s+Image:\s+(c:\\windows\\system32\\ping\.exe)$”

---

An upvote would be appreciated and Accept solution if this reply helps!

Re: Connectivity issues

venkatasri — Wed, 21 Jul 2021 10:22:26 GMT

@VijaySrrie Copy the same contents to /local dir inputs conf and enable it add index that's all you need to do assuming your outputs conf are working you will be able to search logs with specified default source.

An upvote would be appreciated if this reply helps!

Re: Connectivity issues

VijaySrrie — Thu, 22 Jul 2021 04:04:35 GMT

@venkatasri its working ThanK you, do you have the doc from where you got the above config?

Re: Connectivity issues

venkatasri — Thu, 22 Jul 2021 10:06:00 GMT

@VijaySrrie can't find splunk docs i referred add-on default/ dir for conf specs.