Enabling Sysmon on Windows with Splunk Universal Forwarder

This guide covers the complete setup of Sysmon with Splunk Universal Forwarder to avoid common access denied errors.

Prerequisites

  • Windows host with administrative access
  • Splunk Universal Forwarder installed
  • Sysmon executable downloaded

Installation Steps

1. Install Sysmon with Event Log Output

The -l flag is critical - it enables event log output, which Splunk requires.

    # Install Sysmon with event log output enabled
    C:\Path\To\Sysmon.exe -accepteula -i -l

    # Verify installation
    Get-Service -Name Sysmon
    C:\Path\To\Sysmon.exe -c

2. Configure Event Log Permissions

By default, the Splunk service account (NT SERVICE\SplunkForwarder) cannot read the Sysmon event log. This causes error code 5 (Access Denied).

    # Set Splunk service SID type to unrestricted (required for group membership)
    sc.exe sidtype SplunkForwarder unrestricted

    # Add Splunk service account to Event Log Readers group
    Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT SERVICE\SplunkForwarder'

    # Restart Splunk to apply permissions
    Restart-Service SplunkForwarder

3. Configure Splunk Inputs

Add Sysmon event log collection to your Splunk configuration.

File: C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf

    [WinEventLog://Microsoft-Windows-Sysmon/Operational]
    disabled = false
    index = windows
    renderXml = true

4. Verify Configuration

    # Check event log is accessible
    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5

    # Check for errors in Splunk logs
    Get-Content 'C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log' -Tail 50 | Select-String -Pattern 'ERROR.*Sysmon'

If configured correctly, you should see no errors and Sysmon events flowing to your indexer.
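As an added check that is not part of the original guide, the following PowerShell script walks the four steps above read-only and reports which one is missing. It assumes the default forwarder install path, the SplunkForwarder service name and the inputs.conf location used in this guide; run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only health check for the Sysmon -> Splunk UF setup described above.
# Paths and service name are the guide's defaults; adjust them if your install differs.
$Channel    = 'Microsoft-Windows-Sysmon/Operational'
$Service    = 'SplunkForwarder'
$InputsConf = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf'
$SplunkdLog = 'C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log'

$results = [ordered]@{}

# Step 1: Sysmon service (Sysmon or Sysmon64) installed and its log channel registered
$results['Sysmon service present'] = [bool](Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue)
$results['Sysmon channel exists']  = [bool](Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue)

# Step 2: service SID type and Event Log Readers membership
# 'sc.exe qsidtype' prints a line such as 'SERVICE_SID_TYPE:  UNRESTRICTED'
$sidType = (sc.exe qsidtype $Service) -join ' '
$results['Service SID type unrestricted'] = $sidType -match 'UNRESTRICTED'
$members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
$results['Service in Event Log Readers'] = [bool]($members | Where-Object { $_.Name -like "*\$Service" })

# Step 3: inputs.conf stanza present and not disabled (disabled defaults to false when absent)
$stanza = "[WinEventLog://$Channel]"
$conf   = if (Test-Path $InputsConf) { Get-Content $InputsConf -Raw } else { '' }
$block  = ($conf -split '(?m)^(?=\[)') | Where-Object { $_.StartsWith($stanza) } | Select-Object -First 1
$results['inputs.conf stanza present'] = [bool]$block
$results['inputs.conf stanza enabled'] = [bool]$block -and -not ($block -match '(?m)^\s*disabled\s*=\s*(true|1)\s*$')

# Step 4: the channel has events (read as the current admin user, not as the forwarder
# account) and splunkd.log shows no recent Access Denied (errorCode=5) for Sysmon
$results['Channel readable and non-empty'] = [bool](Get-WinEvent -LogName $Channel -MaxEvents 1 -ErrorAction SilentlyContinue)
$recentDenied = if (Test-Path $SplunkdLog) {
    Get-Content $SplunkdLog -Tail 500 | Select-String -Pattern 'Sysmon.*errorCode=5' -Quiet
} else { $false }
$results['No recent errorCode=5 for Sysmon'] = -not $recentDenied

# Print one OK/FAIL line per check, in step order
$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

A FAIL on the SID type or group membership lines points at step 2; a FAIL only on the last line with everything else OK usually means the forwarder has not been restarted since the permissions changed.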

Common Issues

Error: “errorCode=5” - Access Denied

Cause: The Splunk service account lacks permission to read the Sysmon event log.

Solution: Follow step 2 above to grant Event Log Readers permissions.

Error: “Could not subscribe to Windows Event Log channel”

Cause: Sysmon was not installed with the -l flag for event log output.

Solution: Reinstall Sysmon:

    C:\Path\To\Sysmon.exe -u
    C:\Path\To\Sysmon.exe -accepteula -i -l

Deployment with north.sh

For automated deployment across multiple Windows hosts:

    #!/bin/bash
    # deploy-sysmon.sh - install Sysmon on one Windows host and grant the Splunk
    # forwarder access to its event log
    set -euo pipefail

    if [ $# -ne 1 ]; then
      echo "usage: $0 <windows-host>" >&2
      exit 1
    fi

    WINDOWS_HOST="$1"
    SYSMON_PATH='C:\Windows\Sysmon.exe'

    # The remote commands are joined with ';' so they reach PowerShell as a single
    # line; a multi-line -Command string (and its '#' comments) does not survive
    # the remote command shell reliably.
    REMOTE_CMD="& '${SYSMON_PATH}' -accepteula -i -l; "                                     # install Sysmon
    REMOTE_CMD+="sc.exe sidtype SplunkForwarder unrestricted; "                             # configure permissions
    REMOTE_CMD+="Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT SERVICE\SplunkForwarder'; "
    REMOTE_CMD+="Restart-Service SplunkForwarder; "                                         # restart Splunk
    REMOTE_CMD+="Get-Service Sysmon"                                                        # verify

    ssh "admin@${WINDOWS_HOST}" "powershell -NoProfile -Command \"${REMOTE_CMD}\""

Usage:

    ./deploy-sysmon.sh windows-host-01.north.sh

Validation

Confirm Sysmon events are being collected:

    # On Windows host
    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 1

    # Check Splunk forwarding
    Get-Content 'C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log' -Tail 100 | Select-String -Pattern 'Sysmon'

On your Splunk indexer/search head:

    index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    | stats count by EventCode

Key Takeaways

  1. Always use -l flag when installing Sysmon for Splunk integration
  2. Grant Event Log Readers permission to the Splunk service account immediately after install
  3. Set SID type to unrestricted before adding service accounts to groups
  4. Restart the Splunk service after permission changes to apply them

Following these steps eliminates the common “Access Denied” errors and ensures reliable Sysmon event collection.