Forwarding Sysmon logs to Splunk
System Monitor (Sysmon) is a Windows service and device driver that remains active across system reboots to monitor and log system activities in the Windows event log. It provides detailed insights into process creations, network connections, and changes to file creation times. By collecting events generated by Sysmon through Splunk and analyzing them, you can detect malicious or unusual activities and understand how intruders and malware operate on your network.
Refer to the Splunk installation and configuration guide to download a Universal Forwarder on your Windows machine.
First, download Sysmon using the following command: curl -L -o Sysmon.zip https://download.sysinternals.com/files/Sysmon.zip. Note that in Windows PowerShell 5.1, curl is an alias for Invoke-WebRequest and does not accept these options; run curl.exe explicitly or issue the command from cmd.exe.
Extract the file using: tar -xf Sysmon.zip.

To install Sysmon on your machine, run the command: sysmon.exe --accepteula -i.

Next, we will configure the inputs.conf file to forward Sysmon logs to Splunk. One issue I encountered was that the Universal Forwarder did not have administrative rights on my system. Ensure that your Universal Forwarder is part of the Administrators group on your computer to allow these logs to be sent to your Splunk instance.
Navigate to the C:\Program Files\SplunkUniversalForwarder\etc\system\local directory.
Edit your inputs.conf file using: notepad.exe inputs.conf.

Then, go to the C:\Program Files\SplunkUniversalForwarder\bin directory and run splunk.exe restart to restart the Universal Forwarder. After completing this step, go to your Splunk instance's search bar and enter index=main source="WinEventLog:Microsoft-Windows-Sysmon/Operational" to identify your Sysmon logs.
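The steps above, collected into one script as an added example (this is not code from the original page or from Splunk): it checks that Sysmon is writing events locally, checks the account the forwarder service runs under, appends the WinEventLog input stanza to inputs.conf, and restarts the forwarder. It assumes the default install path used on this page, the default forwarder service name SplunkForwarder, and that you want events in the main index; run it from an elevated PowerShell session.

```powershell
# Added example, not part of the original page. Assumes the default Universal
# Forwarder path, the default service name 'SplunkForwarder', and index=main.
$ufHome    = 'C:\Program Files\SplunkUniversalForwarder'
$inputsCnf = Join-Path $ufHome 'etc\system\local\inputs.conf'
$splunkExe = Join-Path $ufHome 'bin\splunk.exe'

# 1. Confirm Sysmon is actually writing to its channel. If nothing comes back,
#    the problem is the Sysmon install, not the forwarder.
$recent = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $recent) {
    Write-Warning 'No Sysmon events found locally; check the Sysmon service first.'
} else {
    $recent | Select-Object TimeCreated, Id | Format-Table -AutoSize
}

# 2. Find the account that runs the forwarder service and check whether it is a
#    local Administrator (the page notes the forwarder needs these rights).
$svc  = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
$acct = $svc.StartName -replace '^.*\\', ''        # strip DOMAIN\ or .\ prefix
Write-Host "SplunkForwarder runs as: $($svc.StartName)"
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
          ForEach-Object { $_.Name -replace '^.*\\', '' }
if ($svc.StartName -ne 'LocalSystem' -and $admins -notcontains $acct) {
    Write-Warning "$($svc.StartName) is not in the local Administrators group."
}

# 3. Append the input stanza for the Sysmon channel unless it is already there.
#    The index name must match what you search for (index=main on this page).
$header = '[WinEventLog://Microsoft-Windows-Sysmon/Operational]'
$stanza = @"

$header
disabled = 0
renderXml = false
index = main
"@
$existing = if (Test-Path $inputsCnf) { Get-Content $inputsCnf -Raw } else { '' }
if ($existing -notmatch [regex]::Escape($header)) {
    Add-Content -Path $inputsCnf -Value $stanza -Encoding ASCII
    Write-Host "Stanza appended to $inputsCnf"
} else {
    Write-Host 'Sysmon stanza already present; inputs.conf left unchanged.'
}

# 4. Restart the forwarder so it picks up the new input, then confirm it is running.
& $splunkExe restart
Get-Service SplunkForwarder | Select-Object Status, StartType
```

Step 1 is the useful split when events do not show up in Splunk: if Get-WinEvent returns events but the search returns nothing, the fault is on the forwarder side (rights, stanza, or index), not in Sysmon itself.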

Keep in mind that we are still using the default Sysmon configuration file from Microsoft. To look for specific log types or enable more events, you can use a custom configuration file. My favorite is from SwiftOnSecurity's sysmon-config.
Clone the directory with: git clone https://github.com/SwiftOnSecurity/sysmon-config.git.
Navigate to the directory where the configuration file is stored (preferably where Sysmon was installed) and run sysmon.exe -c sysmonconfig-export.xml to update your configuration file.