Why the ErrorCode 5 when trying to forward Sysmon logs (unable to subscribe)?

pck1983
Explorer

I got the following errors in my Splunk Error Logs:

Init failedunable to subscribe to Windows Event Log channel Microsoft-Windows-Sysmon/Operational: errorCode=5

The UniversalForwarder is installed on a Windows 10 Desktop (not part of a Domain).

I can see Sysmon logging in the Event Viewer and I can forward the System and Security logs but not the Sysmon logs. What am I overlooking here?

inputs.conf:

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0


mawni
Engager

Hi  

It was due to the user being configured to run the Splunk forwarder Windows service. It was a local user account without the necessary rights. I changed it to a local system account and the events started to flow in.


Thanks,

Awni
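
The diagnosis and fix described in the answer above, as an added example that is not part of the original thread. errorCode=5 is the Win32 ERROR_ACCESS_DENIED code: the account the forwarder service runs as lacks read access to the Sysmon channel. The script assumes the Universal Forwarder service is registered under its default name SplunkForwarder and installed under the default path; the local account name splunkfwd in the least-privilege alternative is a placeholder. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread or from Splunk. Assumptions: the UF service
# is named "SplunkForwarder" (default install name) and lives under the default
# install path; "splunkfwd" is a hypothetical dedicated local account.
$ServiceName = 'SplunkForwarder'
$Channel     = 'Microsoft-Windows-Sysmon/Operational'
$SplunkdLog  = "$env:ProgramFiles\SplunkUniversalForwarder\var\log\splunk\splunkd.log"

# 1. Which account does the forwarder service run as? A plain local user that is
#    not an administrator and not in "Event Log Readers" cannot read most
#    Applications and Services channels; the subscribe call then fails with
#    errorCode=5 (ERROR_ACCESS_DENIED) in splunkd.log.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
'{0} runs as: {1} (state: {2})' -f $svc.Name, $svc.StartName, $svc.State

# 2. Confirm the channel exists and inspect its security descriptor. The
#    channelAccess SDDL must grant read (0x1) to the service account's SID or to
#    a group it belongs to, e.g. S-1-5-32-573 (Event Log Readers).
wevtutil gl $Channel | Select-String -Pattern 'channelAccess'

# 3a. The fix used in the accepted answer: run the service as Local System.
#     The space after "obj=" is required by sc.exe.
sc.exe config $ServiceName obj= LocalSystem

# 3b. Least-privilege alternative (not what the thread did): keep a dedicated
#     local account, add it to the built-in "Event Log Readers" group and point
#     the service at it. Group membership takes effect on the next service
#     logon. Unlike the Services MMC, sc.exe does not grant the account the
#     "Log on as a service" right, so grant that separately if it is missing.
#     Uncomment to use instead of 3a.
# Add-LocalGroupMember -Group 'Event Log Readers' -Member 'splunkfwd'
# $cred = Get-Credential -UserName '.\splunkfwd' -Message 'Service account password'
# sc.exe config $ServiceName obj= '.\splunkfwd' password= $cred.GetNetworkCredential().Password

# 4. Restart the service and confirm the subscription error no longer appears.
Restart-Service -Name $ServiceName
Start-Sleep -Seconds 10
Get-Content -Path $SplunkdLog -Tail 200 | Select-String -Pattern 'Sysmon/Operational'
```

Step 3a is the quickest fix and is what the answer above did; step 3b is the option to prefer on a host where the forwarder should not hold SYSTEM privileges. Either way, verify with step 2 that the channel's SDDL actually grants read access to the identity you chose before blaming inputs.conf.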

gazoscreek
Path Finder

May I ask how you changed the UF to run as System? Is it simply a case of setting SPLUNK_OS_USER in splunk-launch.conf like it would be on a linux host?

ie:
SPLUNK_OS_USER=SYSTEM

Thank you, and apologies if this is a really lame question.


soberocean
Engager

Hey,

I had the same issue and I fixed it by changing the user through Services:

[screenshot]
