I'm trying to get Sysmon logs into my Splunk Enterprise formatted as JSON, but can't figure out how to get it set up.
I'm running a Windows 10 VM with Splunk Enterprise 7.2, Universal Forwarder 7.2, TA-microsoft-sysmon on the forwarder, and Sysmon version 9.
Enterprise etc\system\local\inputs.conf:
[default]
host = splunk-solo
Forwarder etc\apps\SplunkUF\local\inputs.conf:
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
Forwarder etc\system\local\outputs.conf:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 127.0.0.1:9997
[tcpout-server://127.0.0.1:9997]
TA-sysmon is on the forwarder, installed to etc\apps\TA-microsoft\sysmon.
Is there something I'm missing? I thought there was a JSON converter for Sysmon, but haven't been able to find anything for it.
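As an added illustration (not part of the original post, and not Splunk's or the TA's own code), the following shows what the renderXml = true input above actually delivers, a Windows Event XML document, and how its System fields and EventData Name/Value pairs flatten into a single JSON object; the sample event is constructed, and the provider GUID is a placeholder.

```python
import json
import xml.etree.ElementTree as ET

# Namespace used by Windows Event Log XML (what renderXml = true emits).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a trimmed Sysmon Event ID 1 (process create) record.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{PLACEHOLDER-GUID}"/>
    <EventID>1</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>splunk-solo</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami</Data>
    <Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
  </EventData>
</Event>"""


def sysmon_xml_to_dict(xml_text):
    """Flatten one rendered Sysmon event into a single-level dict."""
    root = ET.fromstring(xml_text)
    out = {}
    # <System> children: element text becomes a field; attributes become
    # Tag_Attribute fields (e.g. Provider_Name) so nothing is lost.
    for child in root.find("e:System", NS):
        tag = child.tag.split("}", 1)[1]  # strip the namespace prefix
        for attr, value in child.attrib.items():
            out[f"{tag}_{attr}"] = value
        if child.text and child.text.strip():
            out[tag] = child.text.strip()
    # <EventData>/<Data Name="..."> pairs map directly to fields.
    event_data = root.find("e:EventData", NS)
    if event_data is not None:
        for data in event_data.findall("e:Data", NS):
            name = data.get("Name")
            if name:
                out[name] = data.text or ""
    return out


def sysmon_xml_to_json(xml_text):
    """Serialise the flattened event as one JSON object per line."""
    return json.dumps(sysmon_xml_to_dict(xml_text), sort_keys=True)
```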