Solved: How to import sysmon logs to Splunk?

onurasln55 · ‎09-02-2023

I choose source from forwarded input selection to input in splunk. I can't see sysmon in logs from source. I made the inputs.conf setting via forwarder, unfortunately I couldn't see it again. I have logs. There are forwarders. My other logs are coming. The sysmon log is not coming.

I would appreciate your help.

forwarded event.png

not sysmon log

not systmon.png

sysmon log.png log name.png

onurasln55 · ‎09-14-2023

I found a solution by editing the inputs.conf file as follows.

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
index= sysmon
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

View solution in original post

onurasln55 · ‎09-14-2023

I found a solution by editing the inputs.conf file as follows.

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
index= sysmon
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

smurf · ‎09-04-2023

Hi,

Did you check your default index? It would be main if you didn't change it.

smurf

How to import sysmon logs to Splunk?

inputs.conf

universal forwarder

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk