Troubleshoot the Splunk Add-on for Sysmon
Troubleshoot the Splunk Add-on for Sysmon with the following troubleshooting tips and best practices.
If your Sysmon service is stopped, the Microsoft-Windows-Sysmon/Operational event log becomes unavailable. After you start Sysmon again, restart your Splunk forwarders before any new events are fed into Splunk.
Update your running Sysmon configuration with the -c command line parameter and an updated XML file instead of uninstalling and reinstalling the service with the -u and -i parameters. For example:
sysmon -c c:\windows\config.xml
Troubleshoot your version of Sysmon
On 64-bit platforms, you can use either the 32-bit or the 64-bit version of the Sysmon executable (sysmon or sysmon64). The version you choose determines the name of the service that is created (Sysmon or Sysmon64), and you must refer to that same executable, sysmon or sysmon64, on the command line when you manage the service.
Multiple Sysmon executables
More than one Sysmon executable might be present on the system or user PATH. When you stop or update the service, make sure to use the same executable that was used to install and start the Sysmon service, or reference the full path to that same executable binary.
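The three points above (use the binary the service was installed from rather than whichever sysmon.exe is first on PATH, apply changes with -c instead of -u/-i, and restart the forwarder only when Sysmon itself had to be started) as one PowerShell script. This is an added example, not code from the Splunk add-on or from Sysinternals. It assumes the forwarder service is named SplunkForwarder (the universal forwarder default), that the Sysmon service's image path points at the executable used to install it, and that it runs from an elevated session.

```powershell
# Added example (not from the Splunk or Sysinternals documentation).
# Assumptions: forwarder service is 'SplunkForwarder'; the Sysmon/Sysmon64
# service image path is the executable that installed it; session is elevated.

function Get-InstalledSysmon {
    # The service is registered as 'Sysmon' (32-bit binary) or 'Sysmon64'.
    # Win32_Service.PathName is the image path, so we reuse exactly that binary
    # instead of resolving 'sysmon' through a possibly different PATH entry.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Sysmon' OR Name='Sysmon64'" |
        Select-Object -First 1
    if (-not $svc) { throw 'No Sysmon or Sysmon64 service is installed on this host.' }
    # Quoted image path -> take the quoted part; unquoted -> take up to the first space.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ', 2)[0] }
    if (-not (Test-Path -LiteralPath $exe)) { throw "Service image '$exe' was not found." }
    [pscustomobject]@{ ServiceName = $svc.Name; Executable = $exe }
}

function Update-SysmonConfig {
    param([Parameter(Mandatory)][string]$ConfigPath)

    $sysmon     = Get-InstalledSysmon
    $ConfigPath = (Resolve-Path -LiteralPath $ConfigPath).Path

    # Fail early on malformed XML; sysmon -c would reject it too, but with less context.
    try { [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw } catch { throw "Config is not well-formed XML: $_" }
    if (-not $cfg.Sysmon) { throw 'Config root element must be <Sysmon>.' }
    Write-Host "Applying $ConfigPath (schemaversion $($cfg.Sysmon.GetAttribute('schemaversion'))) with $($sysmon.Executable) -c"

    $started = $false
    if ((Get-Service -Name $sysmon.ServiceName).Status -ne 'Running') {
        # A stopped service means the Microsoft-Windows-Sysmon/Operational channel is
        # unavailable. Start it, and remember that the forwarder must be bounced afterwards.
        Start-Service -Name $sysmon.ServiceName
        $started = $true
    }

    $since = Get-Date
    $out = & $sysmon.Executable -c $ConfigPath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sysmon -c failed (exit $LASTEXITCODE):`n$($out -join "`n")" }

    # Sysmon logs its own reconfiguration as Event ID 16 ('Sysmon config state changed');
    # seeing it confirms the new rules are live without any service restart.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 16; StartTime = $since
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $evt) { Write-Warning 'No Event ID 16 observed after -c; inspect the Operational log.' }

    if ($started) {
        # Only a (re)start of Sysmon requires restarting the forwarder; -c alone does not.
        Restart-Service -Name 'SplunkForwarder'
        Write-Host 'Sysmon was started, so SplunkForwarder was restarted to resume event collection.'
    }
}

Update-SysmonConfig -ConfigPath 'C:\Windows\config.xml'
```

The Event ID 16 check is what tells you the -c path worked end to end: if the event is present in the Operational log but nothing reaches Splunk, the problem is on the forwarder side (typically a forwarder that was not restarted after Sysmon came back), not in the Sysmon configuration.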
Extending the capability of new event types capture
The configuration file schema may change between Sysmon versions, extending the capability to capture new event types. Adding new rules to an XML configuration file written for a previous Sysmon version may not capture the new event types. Review the new file schema when you upgrade your Sysmon binary, and rebuild your current configuration if necessary. To print the schema that the new binary supports, run:
{new_sysmon.exe} -s
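A way to do that review mechanically before the upgrade goes live: parse the manifest that the new binary prints with -s and compare it against the configuration you intend to keep using. This is an added example, not code from the Splunk add-on or from Sysinternals. It assumes -s prints a banner followed by a <manifest> element whose <event> children carry rulename and ruledefault attributes and <data name="..."> fields (the layout of the sysmon -s output); the manifest and configuration embedded below are constructed, heavily trimmed samples, and their version numbers are placeholders.

```powershell
# Added example (not from the Splunk or Sysinternals documentation).
# Assumption: 'sysmon -s' prints a banner and then the <manifest> XML.

function Get-SysmonSchema {
    param([Parameter(Mandatory)][string]$SysmonExe)   # pass the NEW binary, same one you will install with
    $raw   = (& $SysmonExe -s 2>&1 | Out-String)
    $start = $raw.IndexOf('<manifest')
    if ($start -lt 0) { throw "No <manifest> found in the output of '$SysmonExe -s'." }
    [xml]$raw.Substring($start)
}

function Test-SysmonConfigAgainstSchema {
    param([Parameter(Mandatory)][xml]$Schema, [Parameter(Mandatory)][xml]$Config)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. A config must not declare a schema newer than the binary understands.
    $binVer = [version]$Schema.manifest.GetAttribute('schemaversion')
    $cfgVer = [version]$Config.Sysmon.GetAttribute('schemaversion')
    if ($cfgVer -gt $binVer) { $findings.Add("config schemaversion $cfgVer is newer than the binary's schema $binVer") }

    # rulename -> fields the binary defines for that event type, plus its default behaviour.
    $known = @{}; $default = @{}
    foreach ($ev in $Schema.manifest.events.SelectNodes('event')) {
        $rule = $ev.GetAttribute('rulename')
        if (-not $rule) { continue }
        $known[$rule]   = @($ev.SelectNodes('data') | ForEach-Object { $_.GetAttribute('name') })
        $default[$rule] = $ev.GetAttribute('ruledefault')
    }

    # 2. Every rule element in the config, and every field it filters on, must exist in the schema.
    #    Rules may sit directly under EventFiltering or inside a RuleGroup; <Rule> is a grouping node.
    $ruleNodes = $Config.SelectNodes('/Sysmon/EventFiltering/*[not(self::RuleGroup)] | /Sysmon/EventFiltering/RuleGroup/*')
    $used = @{}
    foreach ($r in $ruleNodes) {
        $used[$r.LocalName] = $true
        if (-not $known.ContainsKey($r.LocalName)) { $findings.Add("unknown event type <$($r.LocalName)>"); continue }
        foreach ($f in $r.SelectNodes('.//*[not(self::Rule)]')) {
            if ($known[$r.LocalName] -notcontains $f.LocalName) {
                $findings.Add("<$($r.LocalName)> filters on field '$($f.LocalName)', which schema $binVer does not define")
            }
        }
    }

    # 3. Event types the binary can emit that the config never mentions: with an old
    #    config these silently fall back to the binary's ruledefault instead of your rules.
    foreach ($rule in ($known.Keys | Sort-Object)) {
        if (-not $used.ContainsKey($rule)) { $findings.Add("event type '$rule' has no rule in the config (binary default: $($default[$rule]))") }
    }
    return $findings
}

# Constructed, trimmed manifest standing in for the output of {new_sysmon.exe} -s.
$sampleSchema = [xml]@'
<manifest schemaversion="4.99" binaryversion="0.0">
  <events>
    <event name="SYSMONEVENT_CREATE_PROCESS" value="1" rulename="ProcessCreate" ruledefault="include">
      <data name="Image" /><data name="CommandLine" /><data name="ParentImage" />
    </event>
    <event name="SYSMONEVENT_NETWORK_CONNECT" value="3" rulename="NetworkConnect" ruledefault="exclude">
      <data name="Image" /><data name="DestinationPort" /><data name="DestinationHostname" />
    </event>
    <event name="SYSMONEVENT_DNS_QUERY" value="22" rulename="DnsQuery" ruledefault="include">
      <data name="Image" /><data name="QueryName" />
    </event>
  </events>
</manifest>
'@

# Constructed config written against an older schema: no DnsQuery rule, and a field name
# ('DestinationHost') that this schema does not define.
$sampleConfig = [xml]@'
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="end with">\powershell.exe</Image>
        <Rule groupRelation="and">
          <ParentImage condition="end with">\winword.exe</ParentImage>
          <CommandLine condition="contains">-Encoded</CommandLine>
        </Rule>
      </ProcessCreate>
      <NetworkConnect onmatch="exclude">
        <DestinationPort condition="is">443</DestinationPort>
        <DestinationHost condition="is">updates.example</DestinationHost>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

Test-SysmonConfigAgainstSchema -Schema $sampleSchema -Config $sampleConfig | ForEach-Object { "FINDING: $_" }
# Against a real upgrade candidate:
# Test-SysmonConfigAgainstSchema -Schema (Get-SysmonSchema 'C:\path\to\new_sysmon64.exe') -Config ([xml](Get-Content -Raw 'C:\Windows\config.xml'))
```

On the constructed sample this reports the unknown DestinationHost field and the missing DnsQuery rule; the first is a rule that would be rejected or ignored, the second is the situation the paragraph above describes, where a configuration carried over from an older version never sees the new event type's rules. Running it against the real -s output of the binary you are about to install turns "review the new file schema" into a checklist of concrete rules to rewrite.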