Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

JSON formatted Sysmon in Splunk

sthode3
Engager
‎03-14-2019 04:42 AM

I'm trying to get sysmon logs into my Splunk Enterprise formatted as json, but can't figure out how to get it setup.

I'm running a Windows 10 VM with Splunk Enterprise 7.2, Universal Forwarder 7.2, TA-microsoft-sysmon on the forwarder, and Sysmon version 9.

Enterprise etc\system\local\inputs.conf:

[default]
host = splunk-solo

Forwarder etc\apps\SplunkUF\local\inputs.conf

[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true

Forwarder etc\system\local\outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 127.0.0.1:9997

[tcpout-server://127.0.0.1:9997]

TA-sysmon is on the forwarder, installed to etc\apps\TA-microsoft\sysmon.

Is there something I'm missing? I thought there was a json converter for sysmon, but haven't been able to find anything for it.

Reply

nickhills
Ultra Champion
‎03-15-2019 09:05 AM

You may have a problem in your UF outputs.conf

You have the loopback address of 127.0.0.1 in there - it should be the IP of your indexer:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = your_splunk_server_address:9997

[tcpout-server://your_splunk_server_address:9997]

Also (because you don't mention it), have you configured your indexer as a receiver?
Settings ->Forwarding and Receiving -> Receive Data

To get the json formatted logs you need to set a monitor stanza to collect the local json file from the UF.
You won't be able to pick this up with a WinEventLog stanza so you will need something like the below.
Also, this TA does not support this format of log, so it won't use the json data, but you can of course configure this to be collected in addition if there is value in it to you.

[monitor://C:\your_sysmon_json_path\json.log]
disabled = 0
sourcetype = your_sourcetype
index = your_index
If my comment helps, please give it a thumbs up!
Reply

gurulee
Explorer
‎10-07-2020 09:07 AM

Has anyone been able to get Wazuh alerts, which are in JSON format, to map/index with Splunk ES WinEventLog stanza or the  Windows TA app/add-on?

0 Karma
Reply

dstaulcu
Builder
‎03-14-2019 06:51 PM

Any particular reason you want to do it that way? I imagine you want to keep the format as native as possible (xml) in order to benefit from splunk apps or enterprise security content updates to detect events of concern.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...

Index This | How many sevens are there between 1 and 100?

August 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...