Why the ErrorCode 5 when trying to forward Sysmon ...

pck1983 · ‎09-16-2023

I got the following errors in my Splunk Error Logs:

Init failed, unable to subscribe to Windows Event Log channel Microsoft-Windows-Sysmon/Operational: errorCode=5

The UniversalForwarder is installed on a Windows 10 Desktop (not part of a Doamin).

I can see Sysmon logging in the eventlog viewer and I can forward the System and Security logs but not the Sysmon logs. What do I overlook here?

inputs.conf:

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0

mawni · ‎11-27-2023

Hi

It was due to the user being configured to run the Splunk forwarder Windows service. It was a local user account without the necessary rights. I changed it to a local system account and the events started to flow in.

Thanks,

Awni

gazoscreek · ‎10-11-2024

May I ask how you changed the UF to run as System? Is it simply a case of setting SPLUNK_OS_USER in splunk-launch.conf like it would be on a linux host?

ie:
SPLUNK_OS_USER=SYSTEM

Thank you, and apologies if this is a really lame question.

soberocean · ‎10-24-2024

Hey,

I had the same issue and I fixed it by changing the user through Services:

Why the ErrorCode 5 when trying to forward Sysmon logs (unable to subscribe)?

universal forwarder

Windows

Get Operational Insights Quickly with Natural Language on the Splunk Platform

What’s New in Splunk Observability Cloud – June 2025

Almost Too Eventful Assurance: Part 2

Are you a member of the Splunk Community?