Hi everyone,
I'm trying to forward Sysmon event logs from a Windows Server to Splunk with a Universal Forwarder installed on the Windows machines. I've successfully forwarded security event logs with the same forwarder, so I'm confident there are no network connectivity issues. Sysmon events are created as expected and exist in the Event Viewer.
In my setup, I'm sending Sysmon events from my Windows clients to a WEF server, which collects all the logs. This part works fine. My Splunk deployment is a single server deployed on Rocky Linux. I installed the Splunk UF with a network user account, so it should have access to any event log.
When I try to add a new "Windows Event Logs" input, I only have options to choose from the following event channels:
I've tried adding the input manually to the app in the file located at:
/opt/splunk/etc/deployment-apps/_server_app_WindowsServers/local/inputs.conf
Security logs are sent, but Sysmon logs are not. Here's the content of the file:
[WinEventLog://Security]
index = win_servers

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index = win_servers
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
renderXml = true
I've tried various options following some tutorials, but nothing worked.
I also tried copying the content of this file to $SPLUNK_HOME\etc\apps\_server_app_WindowsServers on the Windows server with the UF, but the results are the same.
Any insights into this issue would be greatly appreciated. I'm sure I'm missing something here.
Thank you in advance, Yossi
You say you have a network user account - I would first start by using a local system account if you can. To me it sounds like a user permissions / access type of issue - sometimes the GPO, if used, can prevent access or leave fewer privileges.
Have a look at these links; they have some information on permissions for local accounts.
https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/MonitorWMIdata
Any ideas? I am still not able to make it work.
Thank you so much! This actually solved the issue. I thought it could be a permissions issue with the virtual account and even tried a domain admin, but nothing changed. With a local admin user running the service, it started working.
Edit: it actually works, but not through the Sysmon app, so I am getting a pretty ugly format for Sysmon. Will keep investigating it.
Thank you again.
You didn't mention whether you are using the Sysmon add-on; if not, download it and check its inputs.conf - start with those settings, there must be something in there. (Your inputs look OK, but I think the other setting is source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational.)
https://splunkbase.splunk.com/app/5709
I actually installed this app, but nothing changed. I also tried this other syntax.
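The two things the thread turns on are whether the forwarder's service account can read the Sysmon channel and whether the stanza the deployment server pushes is actually the one in effect on the host. The following PowerShell is an added example, not code from the thread, from Splunk or from the Sysmon add-on; it assumes the Universal Forwarder's default install path (C:\Program Files\SplunkUniversalForwarder) and default service name (SplunkForwarder), and it is meant to be run in an elevated PowerShell on the Windows host that runs the UF.

```powershell
# Added example: checks for a Universal Forwarder that is not shipping the
# Sysmon channel. Assumed: default UF install path and service name.
$Channel    = 'Microsoft-Windows-Sysmon/Operational'
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'   # assumption: default path
$SvcName    = 'SplunkForwarder'                            # assumption: default service name

# 1. Does the channel exist on this host, and can the account running this
#    shell read it? If this fails, the forwarder cannot succeed either.
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
"{0}: enabled={1} records={2}" -f $log.LogName, $log.IsEnabled, $log.RecordCount
Get-WinEvent -LogName $Channel -MaxEvents 1 |
    Select-Object TimeCreated, Id, ProviderName

# 2. Which account runs the forwarder service? The thread's fix was to move
#    away from the network user account; anything other than LocalSystem needs
#    read access on the channel (e.g. membership in Event Log Readers, S-1-5-32-573).
$svc = Get-CimInstance Win32_Service -Filter "Name='$SvcName'"
"Forwarder service runs as: $($svc.StartName)"
if ($svc.StartName -ne 'LocalSystem') {
    Write-Warning "Service is not LocalSystem; confirm $($svc.StartName) can read $Channel"
}

# 3. The channel's own ACL (SDDL). A GPO that rewrites channelAccess can deny
#    a custom account even when it is a local administrator.
wevtutil gl $Channel | Select-String 'channelAccess'

# 4. Effective, merged inputs.conf as the UF sees it. The Sysmon stanza must
#    appear here with disabled = 0; if it is missing, the deployment app never
#    reached this host. The reply above expects renderXml = true together with
#    source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational so the add-on's
#    field extractions apply.
& "$SplunkHome\bin\splunk.exe" btool inputs list "WinEventLog://$Channel" --debug

# 5. Live state of every input, including the WinEventLog ones (asks for the
#    UF admin credentials).
& "$SplunkHome\bin\splunk.exe" list inputstatus
```

Step 1 and step 3 separate the two failure modes in the thread: if step 1 works as an administrator but the channel never arrives in Splunk, look at the service account in step 2 against the SDDL in step 3; if step 4 does not print the Sysmon stanza at all, the problem is on the deployment side rather than permissions. The `--debug` flag on btool shows which file each setting came from, which is what tells you whether the copy placed under `etc\apps` or the one pushed from `deployment-apps` is winning.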