Hi,
I'm using a splunk enterprise based in a docker image, the dashboard is getting all the default windows events but isn't getting sysmon events,
I've created the inputs.conf file in the local directory, in that file i'm forwarding both "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" and "Microsoft-Windows-Windows-Sysmon/Operational" events, I see the Firewall events in the dashboard and see that as a source but I don't get any of the sysmon events and it doesn't show up as a source, I've confirmed that the events are in the event viewer on the client,
I have installed the application "Splunk Add-on for Sysmon", and in another seperate splunk enterprise docker image I tried installing the "Microsoft Sysmon Add-on" application,
In the inputs.conf file I have tried (on different instances):
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = false
or:
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = main
renderXml = true
or:
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
none have worked, I have installed the universal forwarder both manually and using the command line to rule out the quite install, I have even tried giving the forwarder service full admin rights to rule out issues accessing the logs , but I am still not getting any sysmon events in the dashboard,
what am I missing?
