
Sysmon App and Add-on installation failure

state_larson_ti

I wanted to install Sysmon App for Splunk (App) and Microsoft Sysmon Add-on (Add-on) on my development server (Splunk 8.0.4.1).  I am running my development server on Ubuntu 18.04.4 LTS.

I thought it would be as easy as installing them both, but when I looked at the Sysmon App for Splunk I got no events when I submitted a search for the last 24 hours. I noticed that I was getting events in Search, but none were making it to the App.  I was getting an error for field extractions that said:

Splunk could not perform action for resource data/props/extractions (404, 'Splunk cannot find "data/props/extractions/source::XmlWinEventLog:Microsoft-Windows-Sysmon//Operational : REPORT-sysmon". [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/TA-microsoft-sysmon/data/props/extractions/source%253A%253A...; [{\'type\': \'ERROR\', \'code\': None, \'text\': \'Could not find object id=source%3A%3AXmlWinEventLog%3AMicrosoft-Windows-Sysmon//Operational : REPORT-sysmon\'}]')

I removed both the App and the Add-on, and started again.  It looked like the App did not require the Add-on, so I only installed the App.  I could then see several thousand sysmon messages in the App (Overview), but it did not look like any of the other tabs or panels were populating.  I also noticed that I "thought" an XmlWinEventLog source had appeared (before, it was just the WinEventLog source that references sysmon).

I installed the Add-on, and then the App stopped displaying the sysmon messages in the Overview total panel. I then removed the Add-on, and I can now see the Event Count and Event Count Over Time (in the Sysmon Overview), but none of the other tabs (Network Activity, Process Activity, etc.) are populating.

I have 34,000 events in the source="WinEventLog:Microsoft-Windows-Sysmon/Operational" query.

I have 670 events in the source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" query over the same time period (last 24 hours).

In a somewhat desperate attempt, I read through the Security Essentials docs on configuring Sysmon, and they recommended deploying the Add-on to the UF (on the Windows box running sysmon).

I did configure and check that I was getting a LOT of events with sysmon.  I had used the information from SwiftOnSecurity (https://github.com/SwiftOnSecurity/sysmon-config) to configure Sysmon on my test workstation.

My ultimate goal was to send sysmon information to Security Essentials so I could use that to detect suspicious activity.  With the Add-on removed there are very few fields in either the XmlWinEventLog or the WinEventLog data sources.  I would love to have a direction to move forw
