I'm trying to get sysmon logs into my Splunk Enterprise formatted as json, but can't figure out how to get it setup.
I'm running a Windows 10 VM with Splunk Enterprise 7.2, Universal Forwarder 7.2, TA-microsoft-sysmon on the forwarder, and Sysmon version 9.
Enterprise etc\system\local\inputs.conf:
[default]
host = splunk-solo
Forwarder etc\apps\SplunkUF\local\inputs.conf
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
Forwarder etc\system\local\outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 127.0.0.1:9997
[tcpout-server://127.0.0.1:9997]
TA-sysmon is on the forwarder, installed to etc\apps\TA-microsoft\sysmon.
Is there something I'm missing? I thought there was a json converter for sysmon, but haven't been able to find anything for it.
You may have a problem in your UF outputs.conf
You have the loopback address of 127.0.0.1
in there - it should be the IP of your indexer:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = your_splunk_server_address:9997
[tcpout-server://your_splunk_server_address:9997]
Also (because you don't mention it), have you configured your indexer as a receiver?
Settings ->Forwarding and Receiving -> Receive Data
To get the json formatted logs you need to set a monitor stanza to collect the local json file from the UF.
You won't be able to pick this up with a WinEventLog stanza so you will need something like the below.
Also, this TA does not support this format of log, so it won't use the json data, but you can of course configure this to be collected in addition if there is value in it to you.
[monitor://C:\your_sysmon_json_path\json.log]
disabled = 0
sourcetype = your_sourcetype
index = your_index
Has anyone been able to get Wazuh alerts, which are in JSON format, to map/index with Splunk ES WinEventLog stanza or the Windows TA app/add-on?
Any particular reason you want to do it that way? I imagine you want to keep the format as native as possible (xml) in order to benefit from splunk apps or enterprise security content updates to detect events of concern.