As mentioned in the title above, the collect command is not able to add an event to a source of an index. The collect command is able to add an event to sources like XmlWinEventLog:Security or XmlWinEventLog:Application, but it is unable to add that same event to XmlWinEventLog:Microsoft-Windows-Sysmon/Operational. No error will be shown, but the index won't have that event. Sample code is shown below.
| makeresults | eval _raw="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2021-03-12T04:12:31.706558800Z'/><EventRecordID>1352199</EventRecordID><Correlation/><Execution ProcessID='2296' ThreadID='4076'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-dc-293.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2021-03-12 04:12:31.704</Data><Data Name='ProcessGuid'>{110B94A8-EA2F-604A-4C05-00000000B001}</Data><Data Name='ProcessId'>2288</Data><Data Name='Image'>C:\Windows\System32\cmd.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>Windows Command Processor</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>Cmd.Exe</Data><Data Name='CommandLine'>C:\Windows\system32\cmd.exe /C quser</Data><Data Name='CurrentDirectory'>c:\windows\system32\inetsrv\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{110B94A8-E38E-604A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A</Data><Data Name='ParentProcessGuid'>{110B94A8-E45C-604A-3701-00000000B001}</Data><Data Name='ParentProcessId'>10332</Data><Data Name='ParentImage'>C:\Windows\System32\inetsrv\w3wp.exe</Data><Data Name='ParentCommandLine'>c:\windows\system32\inetsrv\w3wp.exe -ap 'MSExchangeOWAAppPool' -v 'v4.0' -c 'C:\Program Files\Microsoft\Exchange Server\V15\bin\GenericAppPoolConfigWithGCServerEnabledFalse.config' -a \\.\pipe\iisipm47dec653-b876-4ff7-964d-67331a8bd96f -h 'C:\inetpub\temp\apppools\MSExchangeOWAAppPool\MSExchangeOWAAppPool.config' -w '' -m 0</Data></EventData></Event>"
| collect index="some_index" host="some_host" sourcetype="xmlwineventlog" source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
Could it be due to a minor breaker? Please do let me know the possible causes for this issue. Thanks!
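A quick way to sanity-check an event like the one above before handing it to collect is to parse the XmlWinEventLog XML and confirm that the source you pass matches the Channel recorded inside the event (the Windows input's own convention is source = "XmlWinEventLog:" + Channel). The script below is an added example and not code from the poster or from Splunk; the function names are my own, and the sample is a trimmed copy of the event from the question with most EventData fields dropped.

```python
import xml.etree.ElementTree as ET

# Namespace used by every Windows XML event, including the one in the question.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Trimmed copy of the Sysmon EventID 1 event from the question above
# (most EventData fields dropped to keep the sample short).
SAMPLE_EVENT = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/>
<EventID>1</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>win-dc-293.attackrange.local</Computer></System>
<EventData><Data Name='Image'>C:\Windows\System32\cmd.exe</Data>
<Data Name='CommandLine'>C:\Windows\system32\cmd.exe /C quser</Data>
<Data Name='User'>NT AUTHORITY\SYSTEM</Data>
<Data Name='Hashes'>MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A</Data>
<Data Name='ParentImage'>C:\Windows\System32\inetsrv\w3wp.exe</Data>
</EventData></Event>"""


def parse_xmlwineventlog(raw: str) -> dict:
    """Flatten one XmlWinEventLog event into a dict of System and EventData fields."""
    root = ET.fromstring(raw)
    system = root.find("e:System", NS)
    fields = {
        "Provider": system.find("e:Provider", NS).get("Name"),
        "EventID": system.findtext("e:EventID", namespaces=NS),
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    # Each <Data Name='X'>value</Data> becomes fields["X"] = value.
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    # Sysmon packs several digests into one field: "MD5=...,SHA256=...,IMPHASH=..."
    if "Hashes" in fields:
        fields["Hashes"] = dict(h.split("=", 1) for h in fields["Hashes"].split(","))
    return fields


def expected_source(fields: dict) -> str:
    """Source the Windows event log input would assign: 'XmlWinEventLog:' + Channel."""
    return "XmlWinEventLog:" + fields["Channel"]


def source_matches_channel(raw: str, source: str) -> bool:
    """True when the source given to collect agrees with the Channel inside the event."""
    return expected_source(parse_xmlwineventlog(raw)) == source


if __name__ == "__main__":
    parsed = parse_xmlwineventlog(SAMPLE_EVENT)
    print(parsed["EventID"], parsed["Image"], "<-", parsed["ParentImage"])
    print(source_matches_channel(SAMPLE_EVENT, "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"))
```

Running the script against the full event from the question gives the same result; the channel check passes for the Sysmon source used in the collect command, which is why a mismatch between source and Channel can be ruled out as the cause here.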
Your test query worked for me. The collected event was written to the index and could be found with a search. Do you use quotation marks in the real query? How do you try to find the event?
Yes, I did use quotation marks in the real query. I tried to find the event by using the search command on that specific index and that specific host.