Hi everyone,

I'm trying to forward Sysmon event logs from a Windows Server to Splunk with a Universal Forwarder installed on the Windows machines. I've successfully forwarded security event logs with the same forwarder, so I'm confident there are no network connectivity issues. Sysmon events are created as expected and exist in the Event Viewer.

In my setup, I'm sending Sysmon events from my Windows clients to a WEF server, which collects all the logs. This part works fine. My Splunk deployment is a single server deployed on Rocky Linux. I installed the Splunk UF with a network user account, so it should have access to any event log.

When I try to add a new "Windows Event Logs" input, I only have options to choose from the following event channels:

• Application
• ForwardedEvents
• Security
• Setup
• System

I've tried adding the input manually to the app in the file located at:

/opt/splunk/etc/deployment-apps/_server_app_WindowsServers/local/inputs.conf

Security logs are sent, but Sysmon logs are not. Here's the content of the file:

[WinEventLog://Security]
index = win_servers

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = win_servers
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
renderXml = true

I've tried various options following some tutorials, but nothing worked.

I also tried copying the content of this file to $SPLUNK_HOME\etc\apps_server_app_WindowsServers on the Windows server with the UF, but the results are the same.

Any insights into this issue would be greatly appreciated. I'm sure I'm missing something here.

Thank you in advance, Yossi