
Configure inputs for the Splunk Add-on for Sysmon

The Splunk Add-on for Sysmon contains two inputs:

  • WinEventLog://Microsoft-Windows-Sysmon/Operational, which is enabled by default.
  • WinEventLog://WEC-Sysmon, which is disabled by default and must be enabled for the add-on to work in a WEF/WEC (Windows Event Forwarding / Windows Event Collector) architecture.

To collect data, install your forwarders directly on your Microsoft Windows endpoints or on the Windows Event Collector (WEC) server.

  • If you install Splunk forwarders directly on the endpoints, no additional action is required: the Microsoft-Windows-Sysmon/Operational input is already enabled.
  • If you install the forwarders on the Windows Event Collector:
    1. Go to Settings > Data Inputs > Remote event log collections.
    2. Find and enable the ‘WEC-Sysmon’ event log collection.
  • Make sure the collector writes the forwarded Sysmon events to the WEC-Sysmon log, or adjust the stanza name in inputs.conf to match the log you use.
  • If events from the WEC server are also forwarded to its own Sysmon channel, disable the WinEventLog://Microsoft-Windows-Sysmon/Operational input so the same events are not forwarded to Splunk twice.
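As an added illustration, not the add-on's shipped default configuration, the inputs.conf on a forwarder installed on the WEC server for the case described above: the custom WEC-Sysmon log name, the `sysmon` index and the `renderXml` setting are assumptions that must match your own deployment.

```ini
# inputs.conf on a universal forwarder installed on the Windows Event Collector.
# Added example, not the add-on's own default file. Values marked "assumed" are
# local choices; change them to match your environment.

# Subscriptions on the collector write forwarded Sysmon events into a custom
# event log named WEC-Sysmon (assumed name). If your subscriptions target a
# different log, change the channel in the stanza header to match it.
# Splunk .conf files only accept comments on their own line, never after a value.
[WinEventLog://WEC-Sysmon]
disabled = 0
# assumed: render events as XML so the add-on's field extractions apply
renderXml = true
# assumed index; it must already exist on the indexers
index = sysmon

# The collector usually runs Sysmon itself as well. When its own events are also
# delivered into the WEC-Sysmon log (the collector is subscribed to itself), keep
# this stanza disabled; enabling both stanzas would index those events twice.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 1
renderXml = true
index = sysmon
```

Deploy the file under a local app's `local/` directory (for example via a deployment server) rather than editing the add-on's `default/inputs.conf`, so the settings survive add-on upgrades.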

For more information, see the inputs.conf reference in the Splunk documentation.