Dashboards & Visualizations

Sysmon logs appear as binary/hex in Splunk: how to fix?

bakeery
Loves-to-Learn

Hi all,

I’m using the Splunk Universal Forwarder on Windows to collect event logs. My inputs.conf includes the following configurations:

[WinEventLog://Security]
disabled = 0
index = win_log

[WinEventLog://System]
disabled = 0
index = win_log

[WinEventLog://Application]
disabled = 0
index = win_log

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = win_log


The first three (Security, System, and Application) work perfectly and show readable, structured logs.

However, when I run:

index=win_log sourcetype=*sysmon*

I get logs in unreadable binary or hex format like:

\x00\x00**\x00\x00 \x00\x00@\x00\x00\x00\x00\x00\x00\xCE....

How can I fix this and get properly parsed Sysmon logs (with fields like CommandLine, ParentProcess, etc.)?

0 Karma

PrewinThomas
Motivator

@bakeery 

Are you using sysmon add-on?

https://splunkbase.splunk.com/app/5709

Also refer to https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-the-Sysmon-Technology-Add-on-Parsing-my-Sy...


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!


0 Karma

bakeery
Loves-to-Learn

No, I am not using a Splunk add-on. I am using the Splunk forwarder to send the logs.

0 Karma

livehybrid
SplunkTrust
SplunkTrust

Hi @bakeery 

Please can you confirm which UF version you are running? There is a known issue (SPL-217199) in < 9.0.1 relating to the WinEventLog sourcetype having encoded broken fields appended, and I'm wondering if this could be related?

See https://splunk.my.site.com/customer/s/article/Special-characters-in-sourcetype-for-windows-data-in-U... for more info.

If you are on <9.0.1 I would recommend upgrading to see if this resolves the issue.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

bakeery
Loves-to-Learn

Thank you for your reply. I am using Splunk 9.4.2 which is the latest version as of now.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

It is highly improbable that the eventlog input mangles the events. I'd rather suspect that it's being ingested some different way. Since there is UTF-16-encoded text there, I'd suspect that apart from ingesting data from the event log you're somehow trying to read the raw evtx file.

Or you've hit some bug in the UF.

0 Karma
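An added triage script, not from this thread and not Splunk's or Sysmon's own code, that turns the two ideas above into something you can run locally: it checks an inputs.conf for a [monitor://] stanza that would read the .evtx file directly (PickleRick's hypothesis for where UTF-16/binary payloads come from), classifies a raw event payload as an EVTX file header, UTF-16 text, UTF-8 XML or opaque binary, and pulls the EventData fields (CommandLine, ParentImage, ...) out of a correctly rendered Sysmon XML event so you can see what a healthy renderXml = true event yields. The inputs.conf text, the monitor stanza path, and the XML event are constructed samples (assumptions), not data from the poster's system; the "ElfFile" / "ElfChnk" signatures are the standard EVTX file and chunk magics.

```python
import configparser
import xml.etree.ElementTree as ET

# --- Constructed samples (assumptions, not data from the thread) -----------
# The poster's WinEventLog stanzas plus a hypothetical [monitor://] stanza
# pointing at the Sysmon .evtx file; such a stanza would ship the raw file
# bytes (UTF-16 strings, binary XML) into the index instead of rendered events.
SAMPLE_INPUTS_CONF = r"""
[WinEventLog://Security]
disabled = 0
index = win_log

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = win_log

[monitor://C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx]
disabled = 0
index = win_log
"""

EVTX_FILE_MAGIC = b"ElfFile\x00"    # first 8 bytes of every .evtx file
EVTX_CHUNK_MAGIC = b"ElfChnk\x00"   # first 8 bytes of each 64 KiB chunk

# A constructed Sysmon event ID 1 (process creation) in the XML shape that
# renderXml = true produces; values are invented.
SAMPLE_XML_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID></System>"
    "<EventData>"
    "<Data Name='Image'>C:\\Windows\\System32\\notepad.exe</Data>"
    "<Data Name='CommandLine'>notepad.exe C:\\Users\\alice\\notes.txt</Data>"
    "<Data Name='ParentImage'>C:\\Windows\\explorer.exe</Data>"
    "</EventData></Event>"
)


def find_raw_evtx_monitors(conf_text):
    """Return enabled [monitor://...] stanzas whose path ends in .evtx."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    hits = []
    for section in cp.sections():
        s = section.lower()
        if s.startswith("monitor://") and s.endswith(".evtx"):
            disabled = cp.get(section, "disabled", fallback="0").strip().lower()
            if disabled in ("0", "false"):
                hits.append(section)
    return hits


def looks_like_utf16le(raw):
    """Heuristic: UTF-16-LE ASCII text has a NUL in nearly every odd byte."""
    high = raw[1::2]
    return len(high) >= 4 and high.count(0) >= 0.9 * len(high)


def classify_event_bytes(raw):
    """Label a raw payload the way you would triage a garbled _raw field."""
    if raw.startswith(EVTX_FILE_MAGIC):
        return "evtx-file-header"
    if raw.startswith(EVTX_CHUNK_MAGIC):
        return "evtx-chunk"
    if looks_like_utf16le(raw):
        text = raw[: len(raw) - len(raw) % 2].decode("utf-16-le", errors="replace")
        return "utf16-xml-event" if "<Event" in text else "utf16-text"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "xml-event" if text.lstrip().startswith("<Event") else "text"


def sysmon_event_data(xml_text):
    """Map EventData/Data@Name -> value from a rendered Windows event XML."""
    root = ET.fromstring(xml_text)
    fields = {}
    for el in root.iter():
        # Tags carry the default namespace, e.g. '{http://...}Data'.
        if el.tag == "Data" or el.tag.endswith("}Data"):
            name = el.get("Name")
            if name:
                fields[name] = el.text or ""
    return fields


if __name__ == "__main__":
    print("raw .evtx monitors:", find_raw_evtx_monitors(SAMPLE_INPUTS_CONF))
    for label, sample in (
        ("evtx header", EVTX_FILE_MAGIC + b"\x00" * 24),
        ("utf-16 xml", SAMPLE_XML_EVENT.encode("utf-16-le")),
        ("utf-8 xml", SAMPLE_XML_EVENT.encode("utf-8")),
        ("junk", bytes(range(0x80, 0xC0))),
    ):
        print(f"{label:12s} -> {classify_event_bytes(sample)}")
    print(sysmon_event_data(SAMPLE_XML_EVENT))
```

To use this against real data, paste the first few hundred bytes of one garbled event's _raw (from a search such as the one in the question) into classify_event_bytes, and run find_raw_evtx_monitors over every inputs.conf on the forwarder, not just the one you wrote, since a stale app can contribute its own monitor stanza. A result of "evtx-file-header" or "utf16-text" points at a file-monitor path; "xml-event" with populated EventData fields is what the WinEventLog input with renderXml = true should look like.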