Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sysmon events not getting indexed

corti77
Communicator
‎08-25-2023 02:26 AM

Hi,

I am deploying sysmon all acrros our company but for some reason the sysmon events are not getting indexed

Our deployment is the following:

  • Splunk 9.0.5 running on Windows server
    • sysmon index created manually in Splunk.
    • inbound firewall rules created allowing traffic TCP in port 9997
  • Sysmon TA installed in the server in C:\Program Files\Splunk\etc\deployment-apps\Splunk_TA_microsoft_sysmon
    • default/input.cont enabled (by default)

 

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 1
source = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
​

 

  • local/input.conf containing 

 

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
index=sysmon​

 

  • Splunk Universal forwarder 9.1.0 deployed in all hosts
    • All UF are reporting correctly to Splunk
    • confirmed that sysmon TA is present in all hosts , deployed via forwarder management using a server class
    • /etc/system/default/ouputs.conf is pointing to the right splunk server

 

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = xxxxxx:9997

[tcpout-server://xxxxxx:9997]​

 

  • Sysmon 15 deployed in all hosts
    • confirmed that the events are being created locally in the hosts in Microsoft-->Windows-->Sysmon tree

But no single event appears in the sysmon index 😞

Does anyone have any idea or suggestion of what might be missing?

many thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

corti77
Communicator
‎08-25-2023 08:26 AM

I finally found the reason. it was due to the user configured to run the Splunk forwarder windows service. It was a local user account without necessary rights. I changed it to local system account and the events started to flow in.

View solution in original post

Reply
Solved! Jump to solution

MaverickT
Communicator
3 weeks ago

If you want to run SplunkForwarder with virtual account (which is recommended if you want to follow princpile of the least privileges) there is also a way to enable reading of sysmon logs. NT SERVICE/SplunkFowarder needs to be added to Event Log Readers group.

One of the ways is to add it to the Group policy and deploy it accross your environment where your Forwarders are installed.

image.png

0 Karma
Reply
Solved! Jump to solution

arsidiq
New Member
‎09-21-2023 09:30 PM

I have the same issue, how do you all solve it guys?

0 Karma
Reply
Solved! Jump to solution

corti77
Communicator
‎09-22-2023 01:04 AM

in my case the issue was the user running the splunk universal forwarder service.

open  the services manager and check that, it should be SYSTEM or any user with local admin rights

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

corti77
Communicator
‎08-25-2023 08:26 AM

I finally found the reason. it was due to the user configured to run the Splunk forwarder windows service. It was a local user account without necessary rights. I changed it to local system account and the events started to flow in.

Reply
Solved! Jump to solution

Zer0sss
Loves-to-Learn Lots
‎09-21-2023 09:17 PM

hi @corti77 

I'm getting the same error, but my Splunk UF is running as Administrator

But I still get the same error. I wonder if there is any other way to fix this error ?

Thanks

0 Karma
Reply
Solved! Jump to solution

corti77
Communicator
‎09-22-2023 01:05 AM

try to configure it with the user SYSTEM. if the issue persists, check the local logs of the universal forwarder located in c:\program files\splunk\var\log\splunkd.log

0 Karma
Reply
Solved! Jump to solution

corti77
Communicator
‎08-25-2023 07:42 AM

I found the reason but not the solution. at the host level , the splunk forwarder does not have access to the sysmon event logs for some unknown reason.

 

any idea?

 

08-25-2023 16:34:02.254 +0200 ERROR ExecProcessor [1340 ExecProcessor] - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::subscribeToEvtChannel: Could not subscribe to Windows Event Log channel 'Microsoft-Windows-Sysmon/Operational'
08-25-2023 16:34:02.254 +0200 ERROR ExecProcessor [1340 ExecProcessor] - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::init: Init failed, unable to subscribe to Windows Event Log channel 'Microsoft-Windows-Sysmon/Operational': errorCode=5
0 Karma
Reply
Solved! Jump to solution

m_zandinia
Path Finder
‎03-11-2024 01:49 AM

Do you find any solution for this?

I have some UFs that run with local system and they can send sysmon logs but I have some UFs that run with virtual account and therefore they can't send sysmon logs.

I have the same message as you.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...