I got the following errors in my Splunk Error Logs:
Init failed, unable to subscribe to Windows Event Log channel Microsoft-Windows-Sysmon/Operational: errorCode=5
The UniversalForwarder is installed on a Windows 10 Desktop (not part of a Domain).
I can see Sysmon logging in the Event Viewer and I can forward the System and Security logs but not the Sysmon logs. What am I overlooking here?
inputs.conf:
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
Hi
It was due to the user being configured to run the Splunk forwarder Windows service. It was a local user account without the necessary rights. I changed it to a local system account and the events started to flow in.
Thanks,
Awni
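Checking the two things Awni's answer points at, which account the forwarder service logs on as and which principals the channel's ACL lets read it, as an added PowerShell example that is not from this thread (the service name SplunkForwarder is the Universal Forwarder default and is assumed here):

```powershell
# Added example, not from the thread: diagnose the errorCode=5 (access denied)
# the forwarder logs when subscribing to a channel, then apply a fix.
# Assumptions: the service is named "SplunkForwarder" (the Universal Forwarder
# default) and the channel is the one from the thread's inputs.conf.
# Run from an elevated PowerShell prompt on the forwarder host.
$ServiceName = 'SplunkForwarder'
$Channel     = 'Microsoft-Windows-Sysmon/Operational'

# 1. Which account does the forwarder service log on as?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
"Service '$($svc.Name)' logs on as: $($svc.StartName)"

# 2. Who may read the channel? wevtutil prints the channel's DACL as an SDDL
#    string on its channelAccess line; decode it into individual ACEs.
$line = wevtutil gl $Channel | Where-Object { $_ -match '^channelAccess:' }
$sddl = ($line -replace '^channelAccess:\s*', '').Trim()
$sd   = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $sddl)
"Channel '$Channel' grants:"
foreach ($ace in $sd.DiscretionaryAcl) {
    try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $ace.SecurityIdentifier.Value }
    # Mask bit 0x1 is read access, 0x2 write (generate events), 0x4 clear the log.
    "  {0,-13} mask=0x{1:x} -> {2}" -f $ace.AceType, $ace.AccessMask, $who
}
# A local user that is neither listed nor a member of a listed group (for
# example Event Log Readers, S-1-5-32-573) cannot subscribe: errorCode=5.

# 3a. Fix as in Awni's answer: run the service as LocalSystem.
#     Uncomment to apply; LocalSystem is broad, so prefer 3b where the ACL allows.
# sc.exe config $ServiceName obj= LocalSystem
# Restart-Service $ServiceName

# 3b. Least-privilege alternative: keep the local service account and make it
#     a member of Event Log Readers, if that group has read (0x1) on the channel.
# Add-LocalGroupMember -Group 'Event Log Readers' -Member ($svc.StartName -replace '^\.\\', '')
# Restart-Service $ServiceName
```

Step 2 is also worth re-running after a Sysmon upgrade, since reinstalling the manifest can reset the channel's ACL.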
May I ask how you changed the UF to run as System? Is it simply a case of setting SPLUNK_OS_USER in splunk-launch.conf like it would be on a Linux host?
i.e.:
SPLUNK_OS_USER=SYSTEM
Thank you, and apologies if this is a really lame question.
Hey,
I had the same issue and I fixed it by changing the user through Services: