What needs to happen in order for SysmonTA to parse the Windows Sysmon Event Logs? Here is the output I get when I try to upload the file manually:
I select - "Sourcetype XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" from the Sourcetype List
Splunk displays error "Not Found"
All I see in the Parsing Preview in the Right Pane is "ElfFile\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00..."
If I try to leave the Sourcetype Picker at the default of win-event-preprocessor, it will only parse a fraction of the fields, for example:
02/07/2018 08:25:27 PM
LogName=E:\Splunk\var\run\splunk\upload\A6BBADBE-19F4-4252-BDB1-5D5B748B5244
SourceName=Microsoft-Windows-Sysmon
EventCode=5
EventType=4
Type=Information
ComputerName=win-srv
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=5
CategoryString=none
RecordNumber=18
Message=
If I try to monitor the whole directory and select "Automatic" sourcetype determination, it will parse with "Elf\x00\x00." as if it was plaintext log data.
I am using the default props/transforms files that are included with TASysmon version 6.07, and also tried version 6.05.
Here is what I have tried in order to fix it:
Adding a "local" directory with the same files as "default" in the app folder.
Changing the inputs in the local folder to monitor a particular directory with my Sysmon Log.
Adding the props/transforms from the Add-On to ../system/local folders
Any help would be appreciated. I truly thought this would be a simpler task!
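The "ElfFile\x00\x00..." string in the parsing preview is the 8-byte signature that every Windows .evtx file starts with, so Splunk's file upload and directory monitor are reading the binary event-log container as if it were text. The Sysmon add-on's XmlWinEventLog props and transforms match on XML-rendered events, not on this binary format, which is why no field extraction happens. The following added example (not code from the original post or from the Sysmon add-on) sniffs a sample to tell a raw .evtx container apart from a rendered XML event, decodes the EVTX file header, and reproduces the text preview shown in the question. The sample header and XML event are constructed inline for the demonstration; the header layout follows the documented EVTX file header (signature, chunk numbers, next record id, version 3.1, 4096-byte header block, CRC32 over the first 120 bytes).

```python
"""Sniff whether a captured Sysmon sample is a raw .evtx binary or rendered XML."""
import struct
import zlib

EVTX_FILE_MAGIC = b"ElfFile\x00"       # 8-byte signature at offset 0 of every .evtx file
EVTX_CHUNK_MAGIC = b"ElfChnk\x00"      # signature at the start of every 64 KiB chunk
EVTX_HEADER_FMT = "<8sQQQIHHHH76sII"   # little-endian file header layout, 128 bytes
EVTX_HEADER_BLOCK_SIZE = 4096          # chunk 0 begins at this offset

# Constructed sample of a Sysmon event rendered as XML (the shape a WinEventLog
# input with XML rendering produces); not a capture from a real host.
SAMPLE_XML_EVENT = (
    b"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    b"<System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>5</EventID>"
    b"<Computer>win-srv</Computer></System></Event>"
)


def build_sample_evtx(chunk_count=4, next_record_id=19):
    """Constructed sample (not a real log): a valid EVTX file header block followed
    by the first eight bytes of chunk 0. Enough for signature and header checks."""
    body = struct.pack(
        EVTX_HEADER_FMT,
        EVTX_FILE_MAGIC,
        0,                        # first chunk number
        chunk_count - 1,          # last chunk number
        next_record_id,           # next record identifier
        128,                      # header size
        1, 3,                     # minor, major format version (3.1)
        EVTX_HEADER_BLOCK_SIZE,   # header block size
        chunk_count,              # number of chunks
        b"\x00" * 76,             # reserved
        0,                        # file flags
        0,                        # checksum placeholder, patched below
    )
    checksum = zlib.crc32(body[:120]) & 0xFFFFFFFF
    header = body[:124] + struct.pack("<I", checksum)
    padding = b"\x00" * (EVTX_HEADER_BLOCK_SIZE - len(header))
    return header + padding + EVTX_CHUNK_MAGIC


def classify_sample(data: bytes) -> str:
    """Return 'evtx' for a binary event-log container, 'xml' for a rendered event,
    otherwise 'text'. Only the first two are worth feeding to an XML sourcetype."""
    if data.startswith(EVTX_FILE_MAGIC):
        return "evtx"
    stripped = data.lstrip(b"\xef\xbb\xbf \t\r\n")   # tolerate a UTF-8 BOM / whitespace
    if stripped.startswith(b"<Event"):
        return "xml"
    return "text"


def parse_evtx_header(data: bytes) -> dict:
    """Decode the 128-byte EVTX file header and validate its CRC32 and first chunk."""
    if len(data) < 128 or not data.startswith(EVTX_FILE_MAGIC):
        raise ValueError("not an EVTX file: signature missing")
    (_, first_chunk, last_chunk, next_record_id, header_size, minor, major,
     block_size, chunk_count, _, flags, checksum) = struct.unpack(EVTX_HEADER_FMT, data[:128])
    return {
        "format_version": f"{major}.{minor}",
        "header_size": header_size,
        "first_chunk": first_chunk,
        "last_chunk": last_chunk,
        "chunk_count": chunk_count,
        "next_record_id": next_record_id,
        "flags": flags,
        # CRC32 covers the first 120 bytes of the header
        "checksum_ok": (zlib.crc32(data[:120]) & 0xFFFFFFFF) == checksum,
        # chunk 0 must start right after the header block
        "first_chunk_ok": data[block_size:block_size + 8] == EVTX_CHUNK_MAGIC,
    }


def text_preview(data: bytes, n: int = 16) -> str:
    """Render the first n bytes the way a text-only preview does (escaped NULs)."""
    return data[:n].decode("latin-1").encode("unicode_escape").decode("ascii")


if __name__ == "__main__":
    sample = build_sample_evtx()
    print(classify_sample(sample), text_preview(sample, 16))
    print(parse_evtx_header(sample))
    print(classify_sample(SAMPLE_XML_EVENT))
```

If `classify_sample` reports `evtx` for what is being indexed, the data never reaches the add-on's XML extractions. Splunk's Windows event log input on a forwarder (a `WinEventLog://` stanza in inputs.conf with `renderXml = true`) is what produces the XML-rendered events that the `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational` sourcetype expects; a copied .evtx file has to be exported or re-collected through such an input rather than uploaded as-is.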