Unable to forward Sysmon from windows through Splunk UF

yossia
Explorer

Hi everyone,

I'm trying to forward Sysmon event logs from a Windows Server to Splunk with a Universal Forwarder installed on the Windows machines. I've successfully forwarded security event logs with the same forwarder, so I'm confident there are no network connectivity issues. Sysmon events are created as expected and exist in the Event Viewer.

In my setup, I'm sending Sysmon events from my Windows clients to a WEF server, which collects all the logs. This part works fine. My Splunk deployment is a single server deployed on Rocky Linux. I installed the Splunk UF with a network user account, so it should have access to any event log.

When I try to add a new "Windows Event Logs" input, I only have options to choose from the following event channels:

  • Application
  • ForwardedEvents
  • Security
  • Setup
  • System

I've tried adding the input manually to the app in the file located at:

/opt/splunk/etc/deployment-apps/_server_app_WindowsServers/local/inputs.conf

Security logs are sent, but Sysmon logs are not. Here's the content of the file:

[WinEventLog://Security]
index = win_servers

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = win_servers
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
renderXml = true

I've tried various options following some tutorials, but nothing worked.

I also tried copying the content of this file to $SPLUNK_HOME\etc\apps\_server_app_WindowsServers on the Windows server with the UF, but the results are the same.

Any insights into this issue would be greatly appreciated. I'm sure I'm missing something here.

Thank you in advance, Yossi

1 Solution

deepakc
Builder

You say you have a network user account. I would first start by using a local system account if you can. To me it sounds like a user permissions / access type of issue; sometimes the GPO, if one is used, can prevent access or leave the account with fewer privileges.

Have a look at these links; they have some information on permissions for local accounts.

https://docs.splunk.com/Documentation/Forwarder/9.2.1/Forwarder/InstallaWindowsuniversalforwarderfro...

https://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindow...

https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/MonitorWMIdata

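As an added check (not from the thread or from Splunk's own tooling), the PowerShell below, run in an elevated session on the Windows host where the UF is installed, verifies the things the answer above points at: that the Sysmon channel exists and holds records, which account the SplunkForwarder service runs as, the channel's access SDDL, what the UF actually resolved for the Sysmon stanza, and whether splunkd.log complains about it. The install path, service name and log path are the product defaults and are assumptions.

```powershell
# Added diagnostic, not part of the original thread. Run elevated on the UF host.
$channel    = 'Microsoft-Windows-Sysmon/Operational'
$splunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # assumed default install path
$svcName    = 'SplunkForwarder'                             # assumed default service name

# 1. Does the channel exist locally and does it contain events?
#    (If Sysmon events are only shipped to a WEF collector, they land in the
#    collector's ForwardedEvents channel, not in this channel, so check both.)
foreach ($name in @($channel, 'ForwardedEvents')) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if ($null -eq $log) { "{0}: channel not present" -f $name; continue }
    "{0}: enabled={1} records={2}" -f $log.LogName, $log.IsEnabled, $log.RecordCount
}

# 2. Identity the forwarder runs as. This is the account that must be able to
#    read the channel; the current (admin) shell reading it proves nothing.
$svc = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
if ($svc) { "$svcName runs as: $($svc.StartName) (state: $($svc.State))" }
else      { "$svcName service not found" }

# 3. Channel ACL as SDDL. The service account, or a group it belongs to, needs
#    read access (0x1) here; SYSTEM (SY) and Administrators (BA) normally have it.
$sddl = (wevtutil gl $channel 2>$null | Select-String 'channelAccess').Line
"channelAccess: $sddl"

# 4. What the UF actually resolved for the Sysmon stanza after merging all apps.
$btool = Join-Path $splunkHome 'bin\splunk.exe'
if (Test-Path $btool) {
    & $btool btool inputs list "WinEventLog://$channel" --debug
}

# 5. Recent splunkd.log lines that mention the channel (open/permission errors show here).
$splunkdLog = Join-Path $splunkHome 'var\log\splunk\splunkd.log'
if (Test-Path $splunkdLog) {
    Select-String -Path $splunkdLog -Pattern 'Sysmon' |
        Select-Object -Last 10 -ExpandProperty Line
}
```

If step 4 prints nothing, the stanza never reached this host (deployment client or app path problem); if it prints the stanza but step 2 shows an account that is not in the SDDL from step 3, it is the permissions case described in the answer.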

yossia
Explorer

Any ideas? I am still not able to make it work.



yossia
Explorer

Thank you so much! This actually solved the issue. I thought it could be a permissions issue with the virtual account and even tried a domain admin, but nothing changed. With a local admin user running the service, it started working.

Edit: it actually works, but not through the Sysmon app, so I am getting a pretty ugly format for Sysmon. I will keep investigating.

Thank you again.


deepakc
Builder

You didn't mention that you are using the Sysmon add-on. If not, download it and check its inputs.conf; start with those settings, there must be something in there. (Your inputs look OK, but I think the other setting is source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational.)

https://splunkbase.splunk.com/app/5709

yossia
Explorer

I actually installed this app, but nothing changed. I also tried this other syntax.
