I wanted to install Sysmon App for Splunk (App) and Microsoft Sysmon Add-on (Add-on) on my development server (Splunk 18.104.22.168). I am running my development server on Ubuntu 18.04.4 LTS.
I thought it would be as easy as installing them both and looking at the Sysmon App for Splunk I would get no events when I submitted to see the last 24 hours. I noticed that I was getting events in Search, but none were making it to the App. I was getting an error for field extractions that said
I removed both the App and the Add-on, and started again. It looked like the App did not require the Add-on, so I only installed the app. I could then see several thousand sysmon messages in the App (Overview), but it did not look like any of the other tabs or panels were populating. I also noticed that I "though" an XMLWinEventLog Source had appeared (before it was just the WinEventLogs that references sysmon.
I installed the Add-on, and then the app stopped displaying the sysmon messages in the overview total panel. I then removed the Add-on, and I can now see the Event Count and Event Count Over Time (in the Sysmon Overview), but none of the other tabs (Network Activity, Process Activity, etc) are populating.
I have 34,000 events in the source="WinEventLog:Microsoft-Windows-Sysmon/Operational" query.
I have 670 events in the source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" query over the same time period (last 24 hours).
In a somewhat desperate attempt I read through the Security Essentials docs on configuring Sysmon, and they recommended deploying the Add-on to the UF (on the windows box running sysmon).
My ultimate goal was to send sysmon information to Security Essentials so I could use that to detect suspicious activity. With the add-on removed there are very few fields in either the XmlEventLogs or the WinEventLogs data sources. I would love to have a direction to move forw