Troubleshoot the Splunk Add-on for Sysmon for Linux

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Events fail to show

If events fail to show after you disable the input for the Add-on for Linux Sysmon, go to the instance where the add-on is installed and run the following command, which grants the splunk user read access to the active system journal files that the Systemd Journald Input reads:

setfacl -n -m u:splunk:r /var/log/journal/*/system.journal

If events still show under the "sysmon_linux" sourcetype, go to Settings > Data inputs > Systemd Journald Input for Splunk > sysmon and change the sourcetype to "sysmon:linux".
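
The following script is an added example, not part of the Splunk documentation or the add-on: it audits whether the Splunk user's ACL entry on each journal file is actually effective, including rotated system@*.journal files that the setfacl command above does not name. It assumes the forwarder runs as the user "splunk" and that the getfacl utility from the acl package is installed; it checks only the named-user ACL entry, not access gained through file ownership or group membership.

```shell
#!/bin/sh
# Added example, not part of the Splunk documentation: audit which journal files
# actually grant the Splunk user read access before or after running setfacl.
# Assumes the forwarder runs as user "splunk"; override with SPLUNK_USER.
SPLUNK_USER="${SPLUNK_USER:-splunk}"
JOURNAL_DIR="${JOURNAL_DIR:-/var/log/journal}"

# acl_grants_read USER: read getfacl output on stdin and succeed (exit 0) only
# if an entry "user:USER:..." exists AND its effective rights include "r".
# getfacl appends "#effective:..." to an entry that the ACL mask restricts;
# because setfacl -n skips recalculating the mask, a "user:splunk:r--" entry
# can still be ineffective, and this check catches that case.
acl_grants_read() {
    awk -v u="$1" '
        $0 ~ ("^user:" u ":") {
            perms = $1
            sub(("^user:" u ":"), "", perms)
            # with whitespace splitting, "#effective:---" is $2 when present
            if ($2 ~ /^#effective:/) perms = substr($2, 12)
            if (perms ~ /r/) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_journal_files: report each active (system.journal) and rotated
# (system@*.journal) journal file the Splunk user cannot read. The setfacl
# command in the docs only names system.journal, so rotated files show up here.
check_journal_files() {
    missing=0
    for f in "$JOURNAL_DIR"/*/system.journal "$JOURNAL_DIR"/*/system@*.journal; do
        [ -f "$f" ] || continue
        if getfacl -p "$f" 2>/dev/null | acl_grants_read "$SPLUNK_USER"; then
            echo "ok       $f"
        else
            echo "no-read  $f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: sh journal_acl_check.sh audit
if [ "${1:-}" = "audit" ]; then
    check_journal_files
fi
```

Run it before and after the setfacl command; any file reported as no-read needs its ACL applied (or the mask recalculated) before the input can read it.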

Last modified on 17 November, 2022

This documentation applies to the following versions of Splunk® Supported Add-ons: released
