- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Universal Forwarder not sending Sysmon logs to docker image of splunk enterprise
Hi,
I'm using a splunk enterprise based in a docker image, the dashboard is getting all the default windows events but isn't getting sysmon events,
I've created the inputs.conf file in the local directory, in that file i'm forwarding both "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" and "Microsoft-Windows-Windows-Sysmon/Operational" events, I see the Firewall events in the dashboard and see that as a source but I don't get any of the sysmon events and it doesn't show up as a source, I've confirmed that the events are in the event viewer on the client,
I have installed the application "Splunk Add-on for Sysmon", and in another seperate splunk enterprise docker image I tried installing the "Microsoft Sysmon Add-on" application,
In the inputs.conf file I have tried (on different instances):
or:
or:
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
none have worked, I have installed the universal forwarder both manually and using the command line to rule out the quite install, I have even tried giving the forwarder service full admin rights to rule out issues accessing the logs , but I am still not getting any sysmon events in the dashboard,
what am I missing?
