Troubleshoot the Splunk Add-on for Sysmon
Use the following tips and best practices to troubleshoot the Splunk Add-on for Sysmon.
If your Sysmon service is stopped, the Microsoft-Windows-Sysmon/Operational event log becomes unavailable. After you start Sysmon again, you must restart your Splunk forwarders before any new events are fed into Splunk.
Update your running Sysmon configuration with the -c command line parameter and the updated XML file instead of restarting the service with the -u and -i parameters. For example:
sysmon -c c:\windows\config.xml
Troubleshoot your version of Sysmon
On 64-bit platforms, you can use either the 32-bit or the 64-bit version of the Sysmon executable. Depending on the version you choose, the service is created with the name sysmon or sysmon64, and you must refer to the matching sysmon or sysmon64 executable on the command line.
Multiple Sysmon executables
More than one Sysmon executable might be present on the system or user PATH. When stopping or updating the service, make sure to use the same executable that was used to start (install) the Sysmon service, or reference the full path to that executable binary.
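The guidance above (update with -c, use the matching sysmon or sysmon64 name, call the same executable that installed the service, restart forwarders after Sysmon was stopped) can be combined in one PowerShell script run from an elevated prompt. This is an added example, not part of the original documentation; the parameter names and the forwarder service name SplunkForwarder are assumptions, and the configuration path is the one from the example above.

```powershell
# Added example. $ConfigPath and $ForwarderService are assumptions; adjust for your hosts.
param(
    [string]$ConfigPath = 'C:\windows\config.xml',
    [string]$ForwarderService = 'SplunkForwarder'
)
$ErrorActionPreference = 'Stop'

# The service is named Sysmon or Sysmon64, depending on which binary installed it.
$svc = Get-CimInstance Win32_Service -Filter "Name='Sysmon' OR Name='Sysmon64'"
if (-not $svc) { throw 'No Sysmon or Sysmon64 service is installed.' }
if (@($svc).Count -gt 1) { throw "More than one Sysmon service found: $($svc.Name -join ', ')" }

# Take the executable from the service registration instead of trusting PATH.
if ($svc.PathName -match '^\s*"?(.+?\.exe)') { $exe = $Matches[1] }
else { throw "Cannot parse service binary path: $($svc.PathName)" }
if (-not (Test-Path -LiteralPath $exe)) { throw "Service binary not found: $exe" }

# Warn about other copies that a bare 'sysmon' command could resolve to.
Get-Command sysmon, sysmon64 -CommandType Application -All -ErrorAction SilentlyContinue |
    Where-Object { $_.Source -ne $exe } |
    ForEach-Object { Write-Warning "Another Sysmon executable on PATH: $($_.Source)" }

# Remember whether Sysmon was stopped; if so, the event log was unavailable.
$wasRunning = $svc.State -eq 'Running'
if (-not $wasRunning) { Start-Service -Name $svc.Name }

# Update the running configuration in place with -c (no -u / -i cycle).
& $exe -c $ConfigPath
if ($LASTEXITCODE -ne 0) { throw "Sysmon -c failed with exit code $LASTEXITCODE" }

# Confirm the channel the add-on reads from is present and enabled.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational'
if (-not $log.IsEnabled) { throw 'Microsoft-Windows-Sysmon/Operational is not enabled.' }

# Sysmon had been stopped, so restart the forwarder before expecting new events.
if (-not $wasRunning) { Restart-Service -Name $ForwarderService }
```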
Extending capture to new event types
The Sysmon configuration file schema may change between versions to add the capability to capture new event types. Adding new rules to an XML configuration file that was used with a previous Sysmon version may not enable capture of the new event types. Review the new file schema when upgrading your Sysmon binary and rebuild your current configuration if necessary. To print the configuration schema of the new binary, run:
{new_sysmon.exe} -s
Filter out unwanted events
To improve performance and reduce unnecessary data, filter out unwanted events at the Sysmon level using configuration files. The Splunk Add-on for Sysmon supports events as defined in the default documentation. Filtering data as early as possible, directly in Sysmon, is the recommended approach. Relying on workarounds or filtering later may cause performance issues. Review and update your Sysmon configuration to include only the events relevant to your environment.