Splunk Enterprise

How to ingest exported sysmon logs to Splunk?

mawni
Engager

Hello Guys

I'm trying to ingest an exported sysmon log file into Splunk. I got the file from the Splunk attack_data repository. I have already installed the Microsoft Sysmon add-ons.

Splunk attack_data's link: 


Every time I choose xmlWinEventLog:Microsoft-Windows-Sysmon/Operational as the source type, it gives me the error "Not found". I appreciate your support: how can I ingest exported sysmon logs into Splunk?


Thanks, Awni


Albert_Cyber
Explorer

Did you ever find a solution for this? Looking at the documentation below, it seems that this is not supported: https://docs.splunk.com/Documentation/Splunk/9.1.2/Data/Uploaddata


richgalloway
SplunkTrust

On which Splunk instance(s) did you install the sysmon add-ons?

There is no link in the question.

What exactly are you trying to do when you choose xmlWinEventLog:Microsoft-Windows-Sysmon/Operational as a source type? What are you choosing it from? Which Splunk instance are you using at the time?

---
If this reply helps you, Karma would be appreciated.