All Apps and Add-ons

Sysmon App and Add-on installation failure

Path Finder

I wanted to install Sysmon App for Splunk (App) and Microsoft Sysmon Add-on (Add-on) on my development server (Splunk  I am running my development server on Ubuntu 18.04.4 LTS.

I thought it would be as easy as installing them both and looking at the Sysmon App for Splunk I would get no events when I submitted to see the last 24 hours. I noticed that I was getting events in Search, but none were making it to the App.  I was getting an error for field extractions that said

Splunk could not perform action for resource data/props/extractions (404, 'Splunk cannot find "data/props/extractions/source::XmlWinEventLog:Microsoft-Windows-Sysmon//Operational : REPORT-sysmon". [HTTP 404]; [{\'type\': \'ERROR\', \'code\': None, \'text\': \'Could not find object id=source%3A%3AXmlWinEventLog%3AMicrosoft-Windows-Sysmon//Operational : REPORT-sysmon\'}]')

I removed both the App and the Add-on, and started again.  It looked like the App did not require the Add-on, so I only installed the app.  I could then see several thousand sysmon messages in the App (Overview), but it did not look like any of the other tabs or panels were populating.  I also noticed that I "though" an XMLWinEventLog Source had appeared (before it was just the WinEventLogs that references sysmon.

I installed the Add-on, and then the app stopped displaying the sysmon messages in the overview total panel. I then removed the Add-on, and I can now see the Event Count and Event Count Over Time (in the Sysmon Overview), but none of the other tabs (Network Activity, Process Activity, etc) are populating.

I have 34,000 events in the source="WinEventLog:Microsoft-Windows-Sysmon/Operational" query.

I have 670 events in the source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" query over the same time period (last 24 hours).

In a somewhat desperate attempt I read through the Security Essentials docs on configuring Sysmon, and they recommended deploying the Add-on to the UF (on the windows box running sysmon).

I did configure and check that I was getting a LOT of events with sysmon.  I had used the information from SwiftonSecurity ( to configure Sysmon on my test workstation.

My ultimate goal was to send sysmon information to Security Essentials so I could use that to detect suspicious activity.  With the add-on removed there are very few fields in either the XmlEventLogs or the WinEventLogs data sources.  I would love to have a direction to move forward on getting both the app to work and security essentials to work.

Labels (2)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 1 release of new security content via the ...

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...