- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- JSON formatted Sysmon in Splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JSON formatted Sysmon in Splunk
I'm trying to get sysmon logs into my Splunk Enterprise formatted as json, but can't figure out how to get it setup.
I'm running a Windows 10 VM with Splunk Enterprise 7.2, Universal Forwarder 7.2, TA-microsoft-sysmon on the forwarder, and Sysmon version 9.
Enterprise etc\system\local\inputs.conf:
[default]
host = splunk-solo
Forwarder etc\apps\SplunkUF\local\inputs.conf
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
Forwarder etc\system\local\outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 127.0.0.1:9997
[tcpout-server://127.0.0.1:9997]
TA-sysmon is on the forwarder, installed to etc\apps\TA-microsoft\sysmon.
Is there something I'm missing? I thought there was a json converter for sysmon, but haven't been able to find anything for it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may have a problem in your UF outputs.conf
You have the loopback address of 127.0.0.1 in there - it should be the IP of your indexer:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = your_splunk_server_address:9997
[tcpout-server://your_splunk_server_address:9997]
Also (because you don't mention it), have you configured your indexer as a receiver?
Settings ->Forwarding and Receiving -> Receive Data
To get the json formatted logs you need to set a monitor stanza to collect the local json file from the UF.
You won't be able to pick this up with a WinEventLog stanza so you will need something like the below.
Also, this TA does not support this format of log, so it won't use the json data, but you can of course configure this to be collected in addition if there is value in it to you.
[monitor://C:\your_sysmon_json_path\json.log]
disabled = 0
sourcetype = your_sourcetype
index = your_index
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Has anyone been able to get Wazuh alerts, which are in JSON format, to map/index with Splunk ES WinEventLog stanza or the Windows TA app/add-on?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any particular reason you want to do it that way? I imagine you want to keep the format as native as possible (xml) in order to benefit from splunk apps or enterprise security content updates to detect events of concern.
Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration
Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users
Everything Community at .conf24!
