Troubleshoot the Splunk Add-on for Sysmon
Troubleshoot the Splunk Add-on for Sysmon with the following troubleshooting tips and best practices.
If the Sysmon service is stopped, the Microsoft-Windows-Sysmon/Operational event log becomes unavailable to the forwarder. After you start Sysmon again, restart your Splunk forwarders; no new events are fed into Splunk until you do.
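An added example, not part of the Splunk documentation or of the add-on itself, that checks which Sysmon service is installed, starts it if it is stopped, confirms the Microsoft-Windows-Sysmon/Operational channel is readable again, and then restarts the forwarder only when Sysmon actually had to be restarted. It assumes the Universal Forwarder's default service name, SplunkForwarder; change the variable if your installation uses another name. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the Splunk Add-on for Sysmon documentation.
# Assumption: the Universal Forwarder runs as the 'SplunkForwarder' service.
$forwarderService = 'SplunkForwarder'
$logName          = 'Microsoft-Windows-Sysmon/Operational'

# The service is 'Sysmon64' or 'Sysmon' depending on which binary installed it.
$sysmon = Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue |
          Select-Object -First 1
if (-not $sysmon) { throw 'No Sysmon service is installed on this host.' }

$wasStopped = $sysmon.Status -ne 'Running'
if ($wasStopped) {
    Write-Warning "$($sysmon.Name) is $($sysmon.Status); starting it."
    Start-Service -Name $sysmon.Name
    $sysmon.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

# With Sysmon running the channel is readable again. Sysmon records its own
# service state change on start, so the newest record should be fresh.
$latest = Get-WinEvent -LogName $logName -MaxEvents 1 -ErrorAction Stop
Write-Host "Newest Sysmon event: ID $($latest.Id) at $($latest.TimeCreated)"

# Only a Sysmon restart requires a forwarder restart; otherwise leave it alone.
if ($wasStopped) {
    Write-Host "Restarting $forwarderService so it reattaches to $logName."
    Restart-Service -Name $forwarderService -Force
} else {
    Write-Host "$($sysmon.Name) was already running; no forwarder restart needed."
}
```

If Get-WinEvent throws even though the service reports Running, the channel itself is the problem (for example the log is disabled or the caller lacks read access), and restarting the forwarder will not help.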
Update a running Sysmon configuration with the -c command line parameter and the updated xml file instead of uninstalling and reinstalling the service with the -u and -i parameters. For example:
sysmon -c c:\windows\config.xml
Troubleshoot your version of Sysmon
On 64-bit platforms you can run either the 32-bit or the 64-bit Sysmon executable. The one you choose determines the name of the service that is created, Sysmon or Sysmon64, and the matching executable, sysmon or sysmon64, is the one you must refer to on the command line when you update or uninstall the service.
Multiple Sysmon executables
More than one Sysmon executable might be present on the system or user PATH. When stopping or updating the service, use the same executable that was used to install (start) the Sysmon service, or reference the full path to that executable binary.
Extending the capability of new event types capture
The configuration file schema may change between Sysmon releases, extending capture to new event types. Adding rules for those event types to an xml configuration written for an earlier Sysmon version may not capture them. Review the new file schema when you upgrade the Sysmon binary and rebuild your current configuration if necessary. The new binary prints its schema with the -s parameter:
{new_sysmon.exe} -s
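An added example, not part of the Splunk documentation or of the add-on itself, that puts the preceding tips together: it resolves the executable recorded for the installed Sysmon or Sysmon64 service rather than whatever sysmon resolves to on PATH, reads the schemaversion the new xml declares, compares it with the schema the binary reports with -s, and only then applies the file with -c. The config path is illustrative, and the parsing of the -s output assumes it contains a manifest element with a schemaversion attribute, which is what current Sysmon builds print.

```powershell
# Added example, not from the Splunk Add-on for Sysmon documentation.
# Assumption: the new configuration is at C:\Windows\config.xml (illustrative path).
$configPath = 'C:\Windows\config.xml'

# 1. Find the installed service: Sysmon64 (64-bit binary) or Sysmon (32-bit binary).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Sysmon64' OR Name='Sysmon'" |
       Select-Object -First 1
if (-not $svc) { throw 'Sysmon is not installed on this host.' }

# 2. Take the executable from the service definition, not from PATH, so the
#    same binary that installed the service is the one that updates it.
if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
else                                   { $exe = ($svc.PathName -split ' ')[0] }
if (-not (Test-Path -LiteralPath $exe)) { throw "Service binary not found: $exe" }
Write-Host "Service $($svc.Name) runs $exe"

# 3. Compare the schema the xml declares with the schema the binary supports.
[xml]$cfg = Get-Content -LiteralPath $configPath -Raw
if (-not $cfg.Sysmon.schemaversion) { throw "$configPath has no schemaversion attribute." }
$xmlSchema = [version]$cfg.Sysmon.schemaversion

# Assumption: '-s' output contains <manifest schemaversion="x.yy" ...>.
$schemaText = (& $exe -s 2>&1) | Out-String
$m = [regex]::Match($schemaText, 'schemaversion="([0-9.]+)"')
if (-not $m.Success) { throw "Could not parse schemaversion from '$exe -s' output." }
$binSchema = [version]$m.Groups[1].Value

if ($xmlSchema -gt $binSchema) {
    throw "Config declares schema $xmlSchema but $exe only supports $binSchema; upgrade the binary first."
}
if ($xmlSchema -lt $binSchema) {
    Write-Warning ("Config declares schema $xmlSchema, binary supports $binSchema: " +
                   "event types added after $xmlSchema are not captured until you rebuild the config.")
}

# 4. Apply the configuration in place: no -u/-i reinstall and no service restart.
& $exe -c $configPath
if ($LASTEXITCODE -ne 0) { throw "Sysmon -c failed with exit code $LASTEXITCODE" }
```

The [version] comparison relies on Sysmon's two-digit minor schema numbers (4.22, 4.50, 4.81); a hand-written 4.5 would compare as older than 4.22, so keep the schemaversion attribute exactly as -s prints it.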
This documentation applies to the following versions of Splunk® Supported Add-ons: released