Configure inputs for the Splunk Add-on for Sysmon
The Splunk Add-on for Sysmon contains:
- WinEventLog://Microsoft-Windows-Sysmon/Operational input, which is enabled by default
- WinEventLog://WEC-Sysmon, which requires enablement for the add-on to work in a WEF/WEC architecture.
- To collect data, install your forwarders directly onto your Microsoft Windows endpoints or Windows Event Collector.
- If you install Splunk forwarders directly on the endpoints, no additional action is required.
- If you install the forwarders on Windows Event Collector:
- Go to Settings > Data Inputs > Remote event log collections
- Find and enable 'WEC-Sysmon' Event log collection
- Make sure you collect Sysmon events in the WEC-Sysmon log or adjust the stanza name in inputs.conf
- If you forward events from WEC server to its own sysmon channel, disable the WinEventLog://Microsoft-Windows-Sysmon/Operational input to avoid forwarding duplicate logs to Splunk.
For more information, see https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf.
Install the Splunk Add-on for Sysmon
Troubleshoot the Splunk Add-on for Sysmon
This documentation applies to the following versions of Splunk® Supported Add-ons: released