Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can the Splunk Add-on for Sysmon work with a file input on a Heavy Forwarder ?

whardy
New Member
‎01-18-2023 01:41 AM

I would like to be able to configure the Splunk Add-on for Sysmon to ingest logs from a file instead of the Windows Event Log directly. The default input.conf in the Splunk Add-on for Sysmon App contains the following: 

[WinEventLog://WEC-Sysmon]
disabled = true
renderXml = 1
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype = XmlWinEventLog:WEC-Sysmon
host = WinEventLogForwardHost

I tried to override the input like so:

[monitor:///path/to/my_file/filename.log]
disabled = false
renderXml = 1
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype = XmlWinEventLog:WEC-Sysmon
host = WinEventLogForwardHost

Unfortunately, it doesn't work and no logs appear to be sent by the Heavy Forwarder to my Indexer. the file I am using contains Windows Logs in a standard Windows Event Log XML format (1 per line). I want to be CIM compliant with my Sysmon logs but I cannot use a WinEventLog:// input, I have to use a file input.

Labels (3)
0 Karma
Reply

wmazur-splunk
Splunk Employee
Splunk Employee
‎01-18-2023 03:24 AM

Probably it won't work. 

Try "regular" approach: Settings -> Data Input -> Upload files from computer, select `XmlWinEventLog:WEC-Sysmon` as a source type in second step (Set Source Type).

You can select source type from any installed add-on. Splunk will try to digest the input according to the expected source type.

 

0 Karma
Reply

whardy
New Member
‎01-18-2023 06:55 AM

This is not an option since the file is constantly being updated with new logs and manually uploading the file is not an option.

0 Karma
Reply

wmazur-splunk
Splunk Employee
Splunk Employee
‎01-18-2023 08:06 AM

Splunk covers that as well. Select "Monitor" instead of "Upload".

https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/MonitorfilesanddirectorieswithSplunkWeb.

https://youtu.be/b2Kztj03hBc

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...