Splunk® Supported Add-ons

Splunk Add-on for Sysmon

Configure inputs for the Splunk Add-on for Sysmon

The Splunk Add-on for Sysmon contains:

  • WinEventLog://Microsoft-Windows-Sysmon/Operational input, which is enabled by default
  • WinEventLog://WEC-Sysmon, which requires enablement for the add-on to work in a WEF/WEC architecture.
  • To collect data, install your forwarders directly onto your Microsoft Windows endpoints or Windows Event Collector.
  • If you install Splunk forwarders directly on the endpoints, no additional action is required.
  • If you install the forwarders on Windows Event Collector:
    1. Go to Settings > Data Inputs > Remote event log collections
    2. Find and enable 'WEC-Sysmon' Event log collection
  • Make sure you collect Sysmon events in the WEC-Sysmon log or adjust the stanza name in inputs.conf
  • If you forward events from WEC server to its own sysmon channel, disable the WinEventLog://Microsoft-Windows-Sysmon/Operational input to avoid forwarding duplicate logs to Splunk.

.

For more information, see https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf.

Last modified on 21 June, 2024
Install the Splunk Add-on for Sysmon   Troubleshoot the Splunk Add-on for Sysmon

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters