Splunk Enterprise

WinNetMon stanza not working when trying to get network monitoring data into my environment.

wbolten
Path Finder

Hi, 

For some reason, I am failing to get any network monitoring data into my environment. I can successfully retrieve perfmon, script data, REST, and HEC. But as soon as I create a stanza with [WinNetMon://bla] nothing happens. 

This is the stanza I am now using. I am actually looking for a different process but this process is always present.

[WinNetMon://lsass]
disabled=0
addressFamily=ipv4
direction=inbound;outbound
interval=60
protocol=udp;tcp
index=uf_process
process=lsass
packetType=accept;connect;LostPacket

I even tried the minimum.

[WinNetMon://lsass]
disabled=0
index=uf_process

The app is deployed with the Windows Deployment server and it lands on the client just nicely. 

On the client, I pulled the following from the splunkd.log. 

09-22-2020 13:57:29.780 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"" splunk-netmon - NetmonStartDriver - StartService failure for splknetdrv! Error = -2144206839
09-22-2020 13:57:29.780 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"" splunk-netmon - NetmonAppDoMonitoring: Failed to open monitor device: 0x80320009
09-22-2020 13:57:29.780 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"" splunk-netmon - NetmonAppDoMonitoring: Error 0x80320009 occurred during execution

This shows up after the restart of the UF on the client. I can't seem to find the solution to this one.

I tried to change the service the UF is running under from LOCAL SYSTEM ACCOUNT to a named account with local admin rights but it did not make any difference. It almost looks like the Windows client is missing something. This morning I removed the universal forwarder and installed the latest version. Still nothing. 
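The three ERROR lines quoted above look like three separate failures, but they carry one error code in two spellings: the signed decimal -2144206839 that StartService returned and the hex 0x80320009 that the two NetmonAppDoMonitoring lines report are the same 32-bit HRESULT. The script below is an added example (not from the poster, and not Splunk's own tooling) that parses splunk-netmon lines from splunkd.log into fields, normalises both spellings to one HRESULT, and splits it into severity, facility and code. The line layout in the regex is inferred from the three posted lines, and the facility name FACILITY_FWP (facility 50, the Windows Filtering Platform) is assumed from winerror.h.

```python
import re

# Sample input: the three ERROR lines quoted from splunkd.log in the post above
# (copied verbatim, including the doubled quotes around the executable path).
LOG_LINES = [
    r'09-22-2020 13:57:29.780 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"" splunk-netmon - NetmonStartDriver - StartService failure for splknetdrv! Error = -2144206839',
    r'09-22-2020 13:57:29.780 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"" splunk-netmon - NetmonAppDoMonitoring: Failed to open monitor device: 0x80320009',
    r'09-22-2020 13:57:29.780 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"" splunk-netmon - NetmonAppDoMonitoring: Error 0x80320009 occurred during execution',
]

# Layout of an ExecProcessor line as it appears in the post (inferred, not a Splunk spec):
# <timestamp> <level> ExecProcessor - message from ""<exe>"" <source> - <message>
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'(?P<level>[A-Z]+) (?P<component>\S+) - message from ""(?P<exe>[^"]+)"" '
    r'(?P<source>\S+) - (?P<msg>.*)$'
)

# Error codes appear either as a signed 32-bit decimal ("Error = -2144206839")
# or as a 0x-prefixed 8-digit hex HRESULT ("0x80320009").
CODE_RE = re.compile(r'0x[0-9A-Fa-f]{8}|-?\d{9,10}')

# HRESULT facility numbers are defined in winerror.h; this entry is assumed from that
# header (facility 50 = FACILITY_FWP, the Windows Filtering Platform) and is the only
# one needed for the codes in the post.
FACILITY_NAMES = {50: "FACILITY_FWP"}


def to_hresult(token: str) -> int:
    """Normalise a decimal or hex error token to an unsigned 32-bit HRESULT."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    return int(token) & 0xFFFFFFFF  # two's-complement view of the signed decimal


def decode_hresult(value: int) -> tuple:
    """Split an HRESULT into (severity, facility, code) per the Windows layout."""
    severity = (value >> 31) & 0x1    # 1 = failure
    facility = (value >> 16) & 0x7FF  # 11-bit facility field
    code = value & 0xFFFF             # 16-bit facility-specific code
    return severity, facility, code


def parse_line(line: str):
    """Return a dict of fields for one ExecProcessor line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The function name is the leading token of the message, before " - " or ": ".
    rec["function"] = re.split(r" - |: ", rec["msg"], maxsplit=1)[0]
    codes = CODE_RE.findall(rec["msg"])
    if codes:
        hr = to_hresult(codes[0])
        sev, fac, code = decode_hresult(hr)
        rec["hresult"] = f"0x{hr:08X}"
        rec["severity"] = sev
        rec["facility"] = FACILITY_NAMES.get(fac, f"facility {fac}")
        rec["code"] = code
    return rec


def triage(lines):
    """Parse every splunk-netmon line and keep the ones that carry an error code."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["source"] == "splunk-netmon" and "hresult" in rec:
            out.append(rec)
    return out


def distinct_hresults(lines) -> set:
    """The set of HRESULTs seen; a single value means the lines share one root cause."""
    return {rec["hresult"] for rec in triage(lines)}


if __name__ == "__main__":
    for rec in triage(LOG_LINES):
        print(rec["ts"], rec["function"], rec["hresult"], rec["facility"], rec["code"])
    print("distinct HRESULTs:", distinct_hresults(LOG_LINES))
```

Run against the posted lines it reports a single HRESULT, 0x80320009, with severity 1 (failure), facility 50 and code 9, so the "Failed to open monitor device" and "Error ... occurred during execution" lines are consequences of the one StartService failure for splknetdrv rather than independent problems; that is the error to chase first.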
