Importing sysmon logs into Splunk

pck1983 · ‎09-14-2023

Hello,

I have installed sysmon and I try to send it with a UniversalForwarder on that machine to my Splunk-Indexer and Search-Head...

I have tryed to add

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0

[WinEventLog://"Applications and Services Logs/Microsoft/Windows/Sysmon/Operational"]
disabled = 0

[WinEventLog://Applications and Services Logs/Microsoft/Windows/Sysmon/Operational]
disabled = 0

to the inputs.conf, but non of that versions worked...

I have also restarted the UniversalForwarder and the Indexer / Search-Head has the Sysmom app installed.

What am I doing wong?!

PS.: Sysmon is running and I see the logged data in the Eventviewer of that machine...

pck1983 · ‎09-14-2023

I got the following errors in my Splunk Error Logs:

Failed to find Event Log with channel name=Applications and Services Logs/Microsoft/Windows/Sysmon/Operational

Init failed, unable to subscribe to Windows Event Log channel Microsoft-Windows-Sysmon/Operational: errorCode=5

Importing sysmon logs into Splunk

administration

configuration

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

Importing sysmon logs into Splunk

administration

configuration

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions