
Sysmon Setup for Splunk Universal Forwarder

Overview

This guide configures Sysmon event collection on Windows endpoints using Splunk Universal Forwarder for the north.sh platform.

Prerequisites

  • Windows endpoint with Splunk UF installed
  • Administrative access
  • Sysmon not yet installed

Installation Steps

1. Install Sysmon

Download and install Sysmon with SwiftOnSecurity's configuration. On install Sysmon copies itself to %SystemRoot%, registers the Sysmon64 service and the SysmonDrv driver, and stores the compiled rule set in the registry under the SysmonDrv service key, so the files left in %TEMP% are not needed afterwards. The rule file is not signed; review it before deploying, since it decides what gets logged and, through its exclusions, what does not:
# Download Sysmon
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip"
Expand-Archive -Path "$env:TEMP\Sysmon.zip" -DestinationPath "$env:TEMP\Sysmon" -Force
# Download recommended configuration
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -OutFile "$env:TEMP\sysmonconfig.xml"
# Install Sysmon (run as Administrator)
& "$env:TEMP\Sysmon\Sysmon64.exe" -accepteula -i "$env:TEMP\sysmonconfig.xml"

2. Configure Splunk UF Inputs

Edit %SPLUNK_HOME%\etc\system\local\inputs.conf (or, if the forwarder is managed by a deployment server, an inputs.conf inside an app under etc\apps, which the deployment server can push and which UF upgrades leave alone) and add:
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = windows
renderXml = true
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = windows
renderXml = true
[WinEventLog://Windows PowerShell]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = windows
renderXml = true
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = windows
renderXml = true
[WinEventLog://System]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = windows
renderXml = true
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = windows
renderXml = true

3. Restart Splunk UF

Restart-Service SplunkForwarder

4. Verify Data Collection

Search in Splunk (north.sh platform). With renderXml = true the forwarder tags events with source XmlWinEventLog:<channel> rather than WinEventLog:<channel>, so search on that:
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| stats count by EventCode
| sort -count
Expected EventCodes: 1 (Process Create), 3 (Network Connection), 7 (Image Load), 8 (CreateRemoteThread), etc. Which IDs appear, and in what volume, depends on the include/exclude rules in the Sysmon configuration, so a missing ID is not by itself a collection failure. EventCode and the other Sysmon fields are extracted from the XML by the Splunk add-on for Sysmon (or equivalent props/transforms) on the search tier; if the add-on is not present there, the events arrive but stats by EventCode returns nothing useful.
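Steps 1 through 3 as one script, with an endpoint-side breakdown by event ID at the end that mirrors the Splunk search in step 4. This is an added example, not code from the north.sh guide. It assumes the Universal Forwarder is installed under $env:ProgramFiles\SplunkUniversalForwarder, that the index is "windows", and it writes the stanzas into a hypothetical app directory named north_sysmon_inputs instead of etc\system\local; all three are assumptions you can change at the top.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the north.sh guide): steps 1-3 of this page as one
# script, plus an endpoint-side check. Assumptions, marked inline: UF under
# $env:ProgramFiles\SplunkUniversalForwarder, index "windows", and a hypothetical
# app directory north_sysmon_inputs for the stanzas.
$ErrorActionPreference = 'Stop'
$ProgressPreference    = 'SilentlyContinue'   # much faster Invoke-WebRequest on Windows PowerShell 5.1

$SysmonZipUrl = 'https://download.sysinternals.com/files/Sysmon.zip'
$ConfigUrl    = 'https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml'
$SplunkHome   = Join-Path $env:ProgramFiles 'SplunkUniversalForwarder'   # assumption: default UF path
$Index        = 'windows'                                                  # assumption: north.sh index
$Work         = Join-Path $env:TEMP 'sysmon-setup'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# --- Step 1: download, verify, install -------------------------------------------
Invoke-WebRequest -Uri $SysmonZipUrl -OutFile "$Work\Sysmon.zip"
Expand-Archive -Path "$Work\Sysmon.zip" -DestinationPath "$Work\Sysmon" -Force
Invoke-WebRequest -Uri $ConfigUrl -OutFile "$Work\sysmonconfig.xml"
$Sysmon = "$Work\Sysmon\Sysmon64.exe"

# Sysinternals binaries carry a Microsoft Authenticode signature; refuse anything else.
$sig = Get-AuthenticodeSignature -FilePath $Sysmon
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Sysmon64.exe signature check failed: $($sig.Status)"
}
# The rule file is unsigned. Check that it is at least a Sysmon configuration and
# record its SHA256: Sysmon logs the same hash in Event ID 16 when it loads the rules,
# which lets you audit later which rule set a host is actually running.
[xml]$cfg = Get-Content -Raw -Path "$Work\sysmonconfig.xml"
if ($cfg.DocumentElement.Name -ne 'Sysmon') { throw 'Downloaded file is not a Sysmon configuration' }
$cfgHash = (Get-FileHash -Algorithm SHA256 -Path "$Work\sysmonconfig.xml").Hash
Write-Host "Sysmon config schema $($cfg.Sysmon.schemaversion), SHA256 $cfgHash"

if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $Sysmon -c "$Work\sysmonconfig.xml" | Out-Null     # already installed: only load the rules
} else {
    & $Sysmon -accepteula -i "$Work\sysmonconfig.xml" | Out-Null
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon exited with code $LASTEXITCODE" }

# --- Step 2: one inputs.conf stanza per channel ---------------------------------
$Channels = @(
    'Microsoft-Windows-Sysmon/Operational'
    'Microsoft-Windows-PowerShell/Operational'
    'Windows PowerShell'
    'Security'
    'System'
    'Application'
)
$stanzas = foreach ($ch in $Channels) {
@"
[WinEventLog://$ch]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = $Index
renderXml = true
"@
}
# Hypothetical app name. The guide's etc\system\local\inputs.conf also works, but an
# app under etc\apps can be pushed by a deployment server and is easier to version.
$AppLocal = Join-Path $SplunkHome 'etc\apps\north_sysmon_inputs\local'
New-Item -ItemType Directory -Path $AppLocal -Force | Out-Null
Set-Content -Path (Join-Path $AppLocal 'inputs.conf') -Value ($stanzas -join "`r`n`r`n") -Encoding ASCII

# --- Step 3: restart the forwarder so it reads the new inputs --------------------
Restart-Service -Name SplunkForwarder
Start-Sleep -Seconds 10

# --- Endpoint-side check: same breakdown as the Splunk search in step 4 ----------
# If this shows events but the Splunk search does not, the problem is forwarding
# (inputs, permissions, outputs), not Sysmon.
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 2000 |
    Group-Object -Property Id | Sort-Object -Property Count -Descending |
    Select-Object @{ n = 'EventCode'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

The script is safe to re-run: if the Sysmon64 service already exists it only reloads the rule file, and rewriting the same inputs.conf followed by a restart is harmless.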

Common Issues

Sysmon events not appearing:
  • Verify Sysmon service is running: Get-Service Sysmon64
  • Check Event Viewer (Applications and Services Logs > Microsoft > Windows > Sysmon > Operational) for events; if none are there, the problem is Sysmon or its rule set, not the forwarder
  • Ensure renderXml = true on the Sysmon stanza; with plain-text rendering the source, sourcetype and field extractions differ from what the north.sh parsing expects
Permission errors:
  • Run Splunk UF service as Local System (default)
  • If the service runs as another account, add that account to the local Event Log Readers group so it can read the Security and Sysmon channels
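The checks in this section collected into one endpoint-side triage function. This is an added example, not code from the north.sh guide; it assumes the forwarder is installed under $env:ProgramFiles\SplunkUniversalForwarder (adjust $SplunkHome otherwise).

```powershell
# Added example (not part of the north.sh guide): run the checks from the
# "Common Issues" section and report them together. Assumption: the UF lives
# under $env:ProgramFiles\SplunkUniversalForwarder.
$SplunkHome = Join-Path $env:ProgramFiles 'SplunkUniversalForwarder'
$Channel    = 'Microsoft-Windows-Sysmon/Operational'

function Test-SysmonPipeline {
    $r = [ordered]@{}

    # 1. Sysmon service (named Sysmon64 when installed from Sysmon64.exe) and its
    #    kernel driver. Drivers are not visible to Get-Service, hence Win32_SystemDriver.
    $svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
    $r.SysmonService = if ($svc) { $svc.Status } else { 'NOT INSTALLED' }
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='SysmonDrv'"
    $r.SysmonDriver  = if ($drv) { $drv.State } else { 'NOT INSTALLED' }

    # 2. Is Sysmon actually writing to its channel? There is nothing to forward otherwise.
    $last = Get-WinEvent -LogName $Channel -MaxEvents 1 -ErrorAction SilentlyContinue
    $r.LastSysmonEvent = if ($last) { $last.TimeCreated } else { 'NONE' }

    # 3. Which account runs the forwarder? LocalSystem can read every channel; any
    #    other account needs membership in the local "Event Log Readers" group.
    $uf = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
    $r.ForwarderAccount = if ($uf) { "$($uf.StartName) ($($uf.State))" } else { 'NOT INSTALLED' }

    $splunk = Join-Path $SplunkHome 'bin\splunk.exe'
    if (Test-Path $splunk) {
        # 4. Effective stanza for this channel, with the file each setting came from.
        #    btool needs no Splunk credentials, unlike 'splunk list inputstatus'.
        $eff = & $splunk btool inputs list "WinEventLog://$Channel" --debug 2>&1
        $r.EffectiveInput = if ($eff) { ($eff | Out-String).Trim() } else { 'STANZA NOT FOUND' }
        $r.RenderXml      = if ($eff -match 'renderXml\s*=\s*(true|1)') { 'true' } else { 'NOT SET' }

        # 5. Last forwarder-side complaints about event log collection.
        $log = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
        $r.RecentErrors = (Get-Content -Path $log -Tail 5000 |
            Select-String -Pattern 'WinEventLog' |
            Where-Object { $_.Line -match 'ERROR|WARN' } |
            Select-Object -Last 5 | Out-String).Trim()
    } else {
        $r.EffectiveInput = "splunk.exe not found under $SplunkHome"
    }
    [pscustomobject]$r
}

Test-SysmonPipeline | Format-List
```

Read the output top to bottom: a stopped service or driver, or LastSysmonEvent = NONE, is a Sysmon problem; a missing stanza, RenderXml = NOT SET, or a non-LocalSystem account without Event Log Readers membership is a forwarder problem.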

Configuration Notes

  • renderXml = true: Forwards the full XML rendering of each event, which is what the Sysmon and Windows add-ons parse into fields on the search tier. It does not extract fields by itself; the add-on must be present on the indexers or search heads
  • start_from = oldest: Reads the channel from its oldest retained event on first start (a one-time backfill). To collect only events written after the input starts, set current_only = 1 instead; "current" is not a valid value for start_from
  • checkpointInterval = 5: Saves the input's read position every 5 seconds, so after a forwarder restart at most a few seconds of events are re-read and duplicated. It does not prevent loss if the channel wraps before the forwarder catches up; raise the Sysmon channel's maximum log size on busy hosts
  • Default index is windows (adjust per north.sh requirements)

Sysmon Configuration Updates

To load a new rule set into the running Sysmon driver without reinstalling:
Sysmon64.exe -c new-config.xml
No Sysmon, driver or Splunk UF restart is required. Sysmon records the change as Event ID 16 (config state changed) in its Operational channel, including the SHA256 of the applied file, which is the quickest way to confirm the update landed. Running Sysmon64.exe -c with no file prints the currently active configuration.
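A config update wrapped with a pre-check and a post-check, as an added example rather than code from the north.sh guide. It assumes Sysmon64.exe is resolvable on PATH (after a normal install Sysmon copies itself to %SystemRoot%) and uses a hypothetical backup directory under %ProgramData% that you can change.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the north.sh guide): apply a new Sysmon rule file with a
# sanity check before and an evidence check after. Assumptions: Sysmon64.exe is on
# PATH (Sysmon copies itself to %SystemRoot% on install) and $BackupDir is a
# hypothetical location.
$ErrorActionPreference = 'Stop'

function Update-SysmonConfig {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Sysmon    = 'Sysmon64.exe',
        [string]$BackupDir = "$env:ProgramData\SysmonConfigBackups"
    )
    # 1. Refuse anything that is not a Sysmon rule file before touching the driver.
    [xml]$xml = Get-Content -Raw -Path $Path
    if ($xml.DocumentElement.Name -ne 'Sysmon' -or -not $xml.Sysmon.schemaversion) {
        throw "$Path is not a Sysmon configuration"
    }
    $newHash = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash

    # 2. Keep what was running. 'Sysmon64.exe -c' with no file prints the active rule
    #    set as text (not importable XML); still useful for a diff if the new rules
    #    turn out to be too noisy or too quiet.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    & $Sysmon -c | Out-File -FilePath (Join-Path $BackupDir "active-$stamp.txt") -Encoding utf8
    Copy-Item -Path $Path -Destination (Join-Path $BackupDir "applied-$stamp.xml")

    # 3. Apply. The driver reloads rules in place; neither Sysmon nor the UF restarts.
    $before = Get-Date
    & $Sysmon -c $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Sysmon -c failed with exit code $LASTEXITCODE" }

    # 4. Sysmon writes Event ID 16 (config state changed) carrying the SHA256 of the
    #    file it loaded. Matching it against our own hash proves the right file went in.
    Start-Sleep -Seconds 2
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 16; StartTime = $before
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $evt) { throw 'No Event ID 16 after the update; the configuration was not applied' }

    [pscustomobject]@{
        File        = $Path
        SchemaVer   = $xml.Sysmon.schemaversion
        Sha256      = $newHash
        AppliedAt   = $evt.TimeCreated
        HashMatches = [bool]($evt.Message -match $newHash)
    }
}

Update-SysmonConfig -Path .\new-config.xml
```

HashMatches = False after a successful run means Sysmon loaded some file, but not the one you passed (for example a stale copy on a relative path), which is exactly the case a plain Sysmon64.exe -c invocation would hide.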