What needs to happen in order for SysmonTA to parse the Windows Sysmon Event Logs? Here is the output I get when I try to upload the file manually:
"Sourcetype XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" from the Sourcetype List:
"ElfFile\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00..."
02/07/2018 08:25:27 PM
LogName=E:\Splunk\var\run\splunk\upload\A6BBADBE-19F4-4252-BDB1-5D5B748B5244
SourceName=Microsoft-Windows-Sysmon
EventCode=5
EventType=4
Type=Information
ComputerName=win-srv
User=SYSTEM
Sid=S-1-5-18
SidType=1
Category=5
CategoryString=none
RecordNumber=18
Message=
If I try to monitor the whole directory and select "Automatic" sourcetype determination, it will parse with "Elf\x00\x00." as if it was plaintext log data.
I am using the default props/transforms files that are included with TASysmon version 6.07, and also tried version 6.05.
Here is what I have tried to fix:
Any help would be appreciated. I truly thought this would be a simpler task!
The add-on for Microsoft Sysmon (https://splunkbase.splunk.com/app/1914) assumes that your sysmon events are forwarded by the splunk-wineventlog handler and rendered as xml. I can see from the value of the LogName field in your example that you are aggregating the input from an unexpected input source and thus the format is likely unhandled.
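The input the answer describes, as an added example that is not from the original post or the add-on: an inputs.conf stanza for the Universal Forwarder on the Windows host, reading the Sysmon channel through the native Windows Event Log input with XML rendering instead of uploading or monitoring the raw .evtx file. The index name is a placeholder.

```ini
# inputs.conf on the Windows host running the Universal Forwarder
# (added example; the index name is an assumption, adjust to your environment)
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
# Emit the event as the raw XML the add-on's props/transforms expect,
# which yields sourcetype XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
renderXml = true
index = sysmon_placeholder
# Start with only new events; set to oldest to backfill the existing channel
start_from = oldest
current_only = 0

# Sanity check after restarting the forwarder (run on the search head):
#   index=sysmon_placeholder sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
#   | stats count by EventCode
# Events should carry EventCode values such as 1 (process create) and 3
# (network connection) with the add-on's extracted fields, and no
# "ElfFile" or truncated "Message=" entries.
```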
It appears that using the default "winevtx-preprocessor" source type in combination with installing Sysmon on the Splunk Server did the trick. If Sysmon is not installed, the events seem to either truncate after the "Message=" or Splunk will write an error into each event explaining it doesn't understand the event message format.
I can't say for certain if some of the other steps I mentioned before helped these parse, but fortunately it is working now.