Collect command does not work for a certain source...

spl_asker · ‎11-01-2022

As mentioned in the title above, collect command is not able to add an event to a source of an index. The collect command is able to add an event to sources like XmlWinEventLog:Security or XmlWinEventLog:Application but it is unable to add that same event to XmlWinEventLog:Microsoft-Windows-Sysmon/Operational. No error will be shown but the index won't have that event. Sample code is shown below.

| makeresults | eval _raw="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2021-03-12T04:12:31.706558800Z'/><EventRecordID>1352199</EventRecordID><Correlation/><Execution ProcessID='2296' ThreadID='4076'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>win-dc-293.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2021-03-12 04:12:31.704</Data><Data Name='ProcessGuid'>{110B94A8-EA2F-604A-4C05-00000000B001}</Data><Data Name='ProcessId'>2288</Data><Data Name='Image'>C:\Windows\System32\cmd.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>Windows Command Processor</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>Cmd.Exe</Data><Data Name='CommandLine'>C:\Windows\system32\cmd.exe /C quser</Data><Data Name='CurrentDirectory'>c:\windows\system32\inetsrv\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{110B94A8-E38E-604A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A</Data><Data Name='ParentProcessGuid'>{110B94A8-E45C-604A-3701-00000000B001}</Data><Data Name='ParentProcessId'>10332</Data><Data Name='ParentImage'>C:\Windows\System32\inetsrv\w3wp.exe</Data><Data Name='ParentCommandLine'>c:\windows\system32\inetsrv\w3wp.exe -ap 'MSExchangeOWAAppPool' -v 'v4.0' -c 'C:\Program Files\Microsoft\Exchange Server\V15\bin\GenericAppPoolConfigWithGCServerEnabledFalse.config' -a \\.\pipe\iisipm47dec653-b876-4ff7-964d-67331a8bd96f -h 'C:\inetpub\temp\apppools\MSExchangeOWAAppPool\MSExchangeOWAAppPool.config' -w '' -m 0</Data></EventData></Event>" 
| collect index="some_index" host="some_host" sourcetype="xmlwineventlog" source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

Could it be due to minor breaker? Please do let me know the possible causes for this issue. Thanks!

richgalloway · ‎11-01-2022

Your test query worked for me. The collected event was written to the index and could be found with a search. Do you use quotation marks in the Real query? How do you try to find the event?

---
If this reply helps you, Karma would be appreciated.

spl_asker · ‎11-02-2022

Yes I did use quotation mark in the real query. I tried to find the event by using the search command on that specific index and that specific host.

Collect command does not work for a certain source in an index?

troubleshooting

using Enterprise Security

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?