
Sysmon App and Add-on installation failure


I wanted to install Sysmon App for Splunk (App) and Microsoft Sysmon Add-on (Add-on) on my development server (Splunk 8.0.4.1).  I am running my development server on Ubuntu 18.04.4 LTS.

I thought it would be as easy as installing them both, but when I looked at the Sysmon App for Splunk I got no events when I searched the last 24 hours. I noticed that I was getting events in Search, but none were making it to the App.  I was getting an error for field extractions that said

Splunk could not perform action for resource data/props/extractions (404, 'Splunk cannot find "data/props/extractions/source::XmlWinEventLog:Microsoft-Windows-Sysmon//Operational : REPORT-sysmon". [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/TA-microsoft-sysmon/data/props/extractions/source%253A%253A...; [{\'type\': \'ERROR\', \'code\': None, \'text\': \'Could not find object id=source%3A%3AXmlWinEventLog%3AMicrosoft-Windows-Sysmon//Operational : REPORT-sysmon\'}]')

I removed both the App and the Add-on, and started again.  It looked like the App did not require the Add-on, so I only installed the App.  I could then see several thousand Sysmon messages in the App (Overview), but it did not look like any of the other tabs or panels were populating.  I also noticed that I "thought" an XmlWinEventLog source had appeared (before, it was just the WinEventLog source that referenced Sysmon).

I installed the Add-on, and then the app stopped displaying the sysmon messages in the overview total panel. I then removed the Add-on, and I can now see the Event Count and Event Count Over Time (in the Sysmon Overview), but none of the other tabs (Network Activity, Process Activity, etc) are populating.

I have 34,000 events in the source="WinEventLog:Microsoft-Windows-Sysmon/Operational" query.

I have 670 events in the source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" query over the same time period (last 24 hours).

In a somewhat desperate attempt I read through the Security Essentials docs on configuring Sysmon, and they recommended deploying the Add-on to the UF (on the windows box running sysmon).

I did configure and check that I was getting a LOT of events with Sysmon.  I had used the information from SwiftOnSecurity (https://github.com/SwiftOnSecurity/sysmon-config) to configure Sysmon on my test workstation.

My ultimate goal was to send sysmon information to Security Essentials so I could use that to detect suspicious activity.  With the add-on removed there are very few fields in either the XmlEventLogs or the WinEventLogs data sources.  I would love to have a direction to move forward on getting both the app to work and security essentials to work.

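An added example, not part of the original post and not quoted from the Add-on or from Splunk documentation, of the forwarder-side input setting that the two source names in the post hinge on. The 404 in the error text is for an extraction keyed on source::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational, whereas most of the events (34,000 against 670) arrive under source WinEventLog:Microsoft-Windows-Sysmon/Operational, the classic text rendering of the channel. On a Windows universal forwarder the XML rendering is selected per channel with renderXml = true in inputs.conf; the stanza below uses the same channel name the post searches on, and the index value is an assumption to be changed to whatever the App searches.

```ini
# inputs.conf on the Windows universal forwarder running Sysmon
# (illustrative stanza; compare with the Add-on's own inputs.conf before deploying)
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
# renderXml = true makes the forwarder emit each event as XML. The source and
# sourcetype of those events then read XmlWinEventLog:Microsoft-Windows-Sysmon/Operational,
# which is the form the REPORT-sysmon extraction in the error above is attached to.
renderXml = true
# assumption: the index the App's dashboards search; adjust as needed
index = main
```

After deploying this and restarting the forwarder, the check is the pair of searches already in the post: source="WinEventLog:Microsoft-Windows-Sysmon/Operational" should stop receiving new events and source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" should carry all of them for the new time window. Keeping a classic (renderXml = false) stanza for the same channel alongside this one would ingest every event twice, once in each rendering, so only one stanza per channel should be enabled.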