SYSMON LOGS WEF - Supported ?



anthony.dolce@paradigmcorp.com

I am trying to use WEF to forward Sysmon logs but the local PC cannot subscribe and gets an error The subscription MSSYSMON can not be created. The error code is 5004.     All other log types are working.  I opened a ticket with Microsoft support and they said Sysmon logs are not supported for Event forwarding.   They gave the following reason below.   Is this accurate ?

""The SYSMon logs cannot be forwarded using WEF , since it has it is own service and this service run locally and it is not part of windows event forwarding service ,  the windows event forwarding uses the windows event collector service to collect and send logs ""


RandyFranklinSmith


No, they have no idea what they are talking about as usual.  Is this posted somewhere public where we can correct it?  You just need to get the Xpath query right.  I'll send you an example.



RandyFranklinSmith

RandyFranklinSmith - 6/16/2017


The filter you should use is this.  BE CAREFUL with copy and paste.  Sometimes Unicode and code pages and all that cause invisible invalid characters to get into the filter when you copy from html to EventViewer or Supercharger.  It's really safest to create the filter in EventViewer on a computer that has sysmon installed and copy and paste from here.  But here goes:

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
</QueryList>

Here's proof that Sysmon events CAN be forwarded.  I created a custom event log on the collector via Supercharger and you see the sysmon events showing up in it having forwarded from my workstation where I have sysmon installed. 
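An added example (not from this thread or from Supercharger) that automates the check Randy describes: it scans a saved copy of the QueryList above for invisible or non-ASCII characters picked up by copy and paste, strips them, confirms the XML still parses, and then runs the exact filter against the local Sysmon channel on the source computer. The file path is an assumption.

```powershell
# Added example, not part of the original post. Assumes the subscription
# query was saved to the placeholder path below on the source computer.
$QueryPath = 'C:\temp\sysmon-query.xml'

# 1. Find anything outside printable ASCII (tab, CR and LF are allowed).
#    A zero-width space (U+200B), non-breaking space (U+00A0) or BOM (U+FEFF)
#    pasted from a web page is enough to break subscription creation.
$text = [System.IO.File]::ReadAllText($QueryPath)
$bad = @()
for ($i = 0; $i -lt $text.Length; $i++) {
    $code = [int][char]$text[$i]
    if ($code -gt 126 -or ($code -lt 32 -and $code -notin 9,10,13)) {
        $bad += [pscustomobject]@{ Offset = $i; CodePoint = ('U+{0:X4}' -f $code) }
    }
}
if ($bad.Count) {
    Write-Warning "Found $($bad.Count) non-printable or non-ASCII character(s):"
    $bad | Format-Table -AutoSize
    # Strip them and write the file back as plain ASCII with no BOM.
    $clean = -join ($text.ToCharArray() | Where-Object {
        [int]$_ -le 126 -and ([int]$_ -ge 32 -or [int]$_ -in 9,10,13) })
    [System.IO.File]::WriteAllText($QueryPath, $clean, [System.Text.Encoding]::ASCII)
    $text = $clean
}

# 2. The cleaned text must still be well-formed XML.
[xml]$xml = $text

# 3. The channel named in the query must exist on this source computer.
$channel = $xml.QueryList.Query.Select.Path
$log = Get-WinEvent -ListLog $channel -ErrorAction Stop
"Channel '{0}' exists, {1} records, enabled={2}" -f $log.LogName, $log.RecordCount, $log.IsEnabled

# 4. Run the same filter locally. If events come back, the XPath is fine and
#    a 5004 on subscribe points elsewhere (channel access, WinRM, collector side).
Get-WinEvent -FilterXml $xml -MaxEvents 3 | Select-Object TimeCreated, Id, ProviderName
```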




anthony.dolce@paradigmcorp.com

The Microsoft tech only posted it in email, so no one else will see it. I've challenged the tech and attempted to escalate, but he insists it is not supported.

As to my problem, unfortunately that was the query string I had been using. I just created a new event log and subscription in Supercharger and get the same error. Perhaps it is a permission on the local event log on the PC that cannot be read?

RandyFranklinSmith

Is the source computer successfully subscribing to any other subscriptions from the same collector? And how did you enter the query? I've beaten my head against the wall before from it being some kind of invisible "bad" character.


RandyFranklinSmith


And I assume that sysmon is definitely installed on that source computer?  That the sysmon log exists on it in the same path?

anthony.dolce@paradigmcorp.com

Here is the local machine and the subscription:
Also, all the other subscriptions are working. I entered the XML by copy and paste. I tried both pasting the string from this forum above and pasting the filter XML string from my PC.
anthony.dolce@paradigmcorp.com
Microsoft has just come back with a higher-level expert on WEF who apologized for the first guy. They are working on it now as a permissions issue.

RandyFranklinSmith

Huh, I do not know why you are running into an issue. Please share the solution if you come up with it. I can't reproduce it here. Say, what's the version of Windows on the source computer?


LOGbinder Forum