Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can the Splunk Add-on for Sysmon work with a file input on a Heavy Forwarder ?

whardy
New Member
‎01-18-2023 01:41 AM

I would like to be able to configure the Splunk Add-on for Sysmon to ingest logs from a file instead of the Windows Event Log directly. The default input.conf in the Splunk Add-on for Sysmon App contains the following: 

[WinEventLog://WEC-Sysmon]
disabled = true
renderXml = 1
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype = XmlWinEventLog:WEC-Sysmon
host = WinEventLogForwardHost

I tried to override the input like so:

[monitor:///path/to/my_file/filename.log]
disabled = false
renderXml = 1
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype = XmlWinEventLog:WEC-Sysmon
host = WinEventLogForwardHost

Unfortunately, it doesn't work and no logs appear to be sent by the Heavy Forwarder to my Indexer. the file I am using contains Windows Logs in a standard Windows Event Log XML format (1 per line). I want to be CIM compliant with my Sysmon logs but I cannot use a WinEventLog:// input, I have to use a file input.

Labels (3)
0 Karma
Reply

wmazur-splunk
Splunk Employee
Splunk Employee
‎01-18-2023 03:24 AM

Probably it won't work. 

Try "regular" approach: Settings -> Data Input -> Upload files from computer, select `XmlWinEventLog:WEC-Sysmon` as a source type in second step (Set Source Type).

You can select source type from any installed add-on. Splunk will try to digest the input according to the expected source type.

 

0 Karma
Reply

whardy
New Member
‎01-18-2023 06:55 AM

This is not an option since the file is constantly being updated with new logs and manually uploading the file is not an option.

0 Karma
Reply

wmazur-splunk
Splunk Employee
Splunk Employee
‎01-18-2023 08:06 AM

Splunk covers that as well. Select "Monitor" instead of "Upload".

https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/MonitorfilesanddirectorieswithSplunkWeb.

https://youtu.be/b2Kztj03hBc

 

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top