All Apps and Add-ons

Sysmon App and Add-on installation failure

state_larson_ti
Path Finder

I wanted to install Sysmon App for Splunk (App) and Microsoft Sysmon Add-on (Add-on) on my development server (Splunk 8.0.4.1).  I am running my development server on Ubuntu 18.04.4 LTS.

I thought it would be as easy as installing them both and looking at the Sysmon App for Splunk I would get no events when I submitted to see the last 24 hours. I noticed that I was getting events in Search, but none were making it to the App.  I was getting an error for field extractions that said

Splunk could not perform action for resource data/props/extractions (404, 'Splunk cannot find "data/props/extractions/source::XmlWinEventLog:Microsoft-Windows-Sysmon//Operational : REPORT-sysmon". [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/TA-microsoft-sysmon/data/props/extractions/source%253A%253A...; [{\'type\': \'ERROR\', \'code\': None, \'text\': \'Could not find object id=source%3A%3AXmlWinEventLog%3AMicrosoft-Windows-Sysmon//Operational : REPORT-sysmon\'}]')

I removed both the App and the Add-on, and started again.  It looked like the App did not require the Add-on, so I only installed the app.  I could then see several thousand sysmon messages in the App (Overview), but it did not look like any of the other tabs or panels were populating.  I also noticed that I "though" an XMLWinEventLog Source had appeared (before it was just the WinEventLogs that references sysmon.

I installed the Add-on, and then the app stopped displaying the sysmon messages in the overview total panel. I then removed the Add-on, and I can now see the Event Count and Event Count Over Time (in the Sysmon Overview), but none of the other tabs (Network Activity, Process Activity, etc) are populating.

I have 34,000 events in the source="WinEventLog:Microsoft-Windows-Sysmon/Operational" query.

I have 670 events in the source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" query over the same time period (last 24 hours).

In a somewhat desperate attempt I read through the Security Essentials docs on configuring Sysmon, and they recommended deploying the Add-on to the UF (on the windows box running sysmon).

I did configure and check that I was getting a LOT of events with sysmon.  I had used the information from SwiftonSecurity (https://github.com/SwiftOnSecurity/sysmon-config) to configure Sysmon on my test workstation.

My ultimate goal was to send sysmon information to Security Essentials so I could use that to detect suspicious activity.  With the add-on removed there are very few fields in either the XmlEventLogs or the WinEventLogs data sources.  I would love to have a direction to move forward on getting both the app to work and security essentials to work.

Labels (2)
0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...