Why isn't the Sysmon Technology Add-on Parsing my Sysmon Logs?

cbenn7
New Member

What needs to happen in order for SysmonTA to parse the Windows Sysmon Event Logs? Here is the output I get when I try to upload the file manually:

  1. I select - "Sourcetype XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" from the Sourcetype List
  2. Splunk displays error "Not Found"
  3. All I see in the Parsing Preview in the Right Pane is "ElfFile\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00..."
  4. If I try to leave the Sourcetype Picker at the default of win-event-preprocessor, it will only parse a fraction of the fields, for example:

    02/07/2018 08:25:27 PM
    LogName=E:\Splunk\var\run\splunk\upload\A6BBADBE-19F4-4252-BDB1-5D5B748B5244
    SourceName=Microsoft-Windows-Sysmon
    EventCode=5
    EventType=4
    Type=Information
    ComputerName=win-srv
    User=SYSTEM
    Sid=S-1-5-18
    SidType=1
    Category=5
    CategoryString=none
    RecordNumber=18
    Message=

  5. If I try to monitor the whole directory and select "Automatic" sourcetype determination, it will parse with "Elf\x00\x00." as if it was plaintext log data.

I am using the default props/transforms files that are included with TASysmon version 6.07, and also tried version 6.05.

Here is what I have tried to fix:

  • Adding a "local" directory with the same files as "default" in the app folder.
  • Changing the inputs in the local folder to monitor a particular directory with my Sysmon Log.
  • Adding the props/transforms from the Add-On to ../system/local folders

Any help would be appreciated. I truly thought this would be a simpler task!


dstaulcu
Builder

The add-on for Microsoft Sysmon (https://splunkbase.splunk.com/app/1914) assumes that your Sysmon events are forwarded by the splunk-wineventlog handler and rendered as XML. I can see from the value of the LogName field in your example that you are aggregating the input from an unexpected input source, and thus the format is likely unhandled.

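The input the accepted answer describes, as an added example that is not part of the original thread or of the add-on's own files. It assumes the Sysmon channel is read on the Windows host itself by a Splunk universal forwarder (or a Splunk Enterprise instance running on Windows) through a WinEventLog input, not by uploading a copied .evtx file. The app folder name in the path and the index name "sysmon" are assumptions; substitute your own.

```ini
; Added example, not from the original post: inputs.conf stanza for a Windows
; event log input. Suggested location (the app folder name is an assumption):
;   %SPLUNK_HOME%\etc\apps\TA-microsoft-sysmon\local\inputs.conf
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
; renderXml = true makes the splunk-wineventlog handler emit the event as XML
; and assigns the sourcetype XmlWinEventLog:Microsoft-Windows-Sysmon/Operational,
; which is the sourcetype the add-on's props/transforms are written for.
; Do not override sourcetype here.
renderXml = true
; Read the whole channel on first start, then keep tailing it.
start_from = oldest
current_only = 0
; Index name is an assumption; use the index your Sysmon data should land in.
index = sysmon
```

To check that the stanza is the one in effect, run `splunk btool inputs list "WinEventLog://Microsoft-Windows-Sysmon/Operational" --debug` on the forwarder; it prints the winning setting for each key and the file it came from. After restarting the forwarder, search `sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"` and confirm the raw event begins with `<Event xmlns=` rather than a `LogName=` line. The `ElfFile` bytes shown in the question are the signature at the start of a binary .evtx file: the Add Data wizard and a plain file monitor treat that file as text, which is why neither path yields parseable events; the channel has to be read through the WinEventLog input on a Windows host.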

cbenn7
New Member

It appears that using the default "winevtx-preprocessor" source type in combination with installing Sysmon on the Splunk Server did the trick. If Sysmon is not installed, the events seem to either truncate after the "Message=" or Splunk will write an error into each event explaining it doesn't understand the event message format.

I can't say for certain if some of the other steps I mentioned before helped these parse, but fortunately it is working now.
