Solved: How to import sysmon logs to Splunk?

onurasln55 · ‎09-02-2023

I choose source from forwarded input selection to input in splunk. I can't see sysmon in logs from source. I made the inputs.conf setting via forwarder, unfortunately I couldn't see it again. I have logs. There are forwarders. My other logs are coming. The sysmon log is not coming.

I would appreciate your help.

not sysmon log

onurasln55 · ‎09-14-2023

I found a solution by editing the inputs.conf file as follows.

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
index= sysmon
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

View solution in original post

onurasln55 · ‎09-14-2023

I found a solution by editing the inputs.conf file as follows.

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
index= sysmon
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

smurf · ‎09-04-2023

Hi,

Did you check your default index? It would be main if you didn't change it.

smurf

How to import sysmon logs to Splunk?

inputs.conf

universal forwarder

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud