×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
whardy
New Member
Member since: ‎01-18-2023
‎12-02-2025
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-18-2023
View All

Re: Can the Splunk Add-on for Sysmon work with a f...

by in Getting Data In
‎01-18-2023 06:55 AM
‎01-18-2023 06:55 AM
This is not an option since the file is constantly being updated with new logs and manually uploading the file is not an option. ... View more

Can the Splunk Add-on for Sysmon work with a file ...

by in Getting Data In
‎01-18-2023 01:41 AM
‎01-18-2023 01:41 AM
I would like to be able to configure the Splunk Add-on for Sysmon to ingest logs from a file instead of the Windows Event Log directly. The default input.conf in the Splunk Add-on for Sysmon App contains the following:  [WinEventLog://WEC-Sysmon] disabled = true renderXml = 1 source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype = XmlWinEventLog:WEC-Sysmon host = WinEventLogForwardHost I tried to override the input like so: [monitor:///path/to/my_file/filename.log] disabled = false renderXml = 1 source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype = XmlWinEventLog:WEC-Sysmon host = WinEventLogForwardHost Unfortunately, it doesn't work and no logs appear to be sent by the Heavy Forwarder to my Indexer. the file I am using contains Windows Logs in a standard Windows Event Log XML format (1 per line). I want to be CIM compliant with my Sysmon logs but I cannot use a WinEventLog:// input, I have to use a file input. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-02-2025 05:36 AM