I got the following errors in my Splunk Error Logs:
Init failed, unable to subscribe to Windows Event Log channel Microsoft-Windows-Sysmon/Operational: errorCode=5
The UniversalForwarder is installed on a Windows 10 Desktop (not part of a Domain).
I can see Sysmon logging in the eventlog viewer and I can forward the System and Security logs but not the Sysmon logs. What am I overlooking here?
inputs.conf:
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
Hi
It was due to the user being configured to run the Splunk forwarder Windows service. It was a local user account without the necessary rights. I changed it to a local system account and the events started to flow in.
Thanks,
Awni
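Added here as a diagnostic for the access-denied case above (errorCode=5 is ERROR_ACCESS_DENIED); it is not code from the thread or from Splunk. It assumes the forwarder service is registered under its default name "SplunkForwarder" and compares the account it runs as against the channel's access list, which is what decides whether the subscription to Microsoft-Windows-Sysmon/Operational succeeds.

```powershell
# Added diagnostic, not from the thread. Checks the account running the Splunk
# Universal Forwarder service against the access list of the Sysmon channel.
# Assumption: the service is registered under its default name "SplunkForwarder".
$serviceName = 'SplunkForwarder'
$channel     = 'Microsoft-Windows-Sysmon/Operational'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found" }
"Forwarder service runs as: $($svc.StartName)"

# Per-channel read access is defined by the channel's SDDL string, printed by
# "wevtutil gl" on its channelAccess: line. Access mask 0x1 = read.
# errorCode=5 means the service account matched no ACE granting read.
$sddl = (wevtutil gl $channel | Where-Object { $_ -match '^channelAccess:' }) -replace '^channelAccess:\s*', ''
"Channel SDDL: $sddl"

if ($svc.StartName -in 'LocalSystem', 'NT AUTHORITY\SYSTEM') {
    "Service runs as LocalSystem (SY in the SDDL); the subscription should succeed."
} else {
    # ".\user" is the local-machine form; resolve it to a SID for ACE matching.
    $name = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    $sid  = (New-Object System.Security.Principal.NTAccount($name)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
    "Service account SID: $sid"
    $inReaders = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue |
                 Where-Object { $_.SID.Value -eq $sid }
    if ($sddl -match [regex]::Escape($sid)) {
        "An ACE names this SID directly; confirm its mask includes read (0x1)."
    } elseif ($inReaders -and ($sddl -match 'S-1-5-32-573|;;;ER\)')) {
        "Account is in Event Log Readers, which the SDDL grants; read should work."
    } else {
        "No ACE matches the account or Event Log Readers: expect errorCode=5. " +
        "Fix: run the service as LocalSystem (as in the answer) or grant read on the channel."
    }
}

# Functional check as the current user: can the newest event be read at all?
try {
    Get-WinEvent -LogName $channel -MaxEvents 1 -ErrorAction Stop | Select-Object TimeCreated, Id
} catch {
    "Cannot read $channel as $env:USERNAME : $($_.Exception.Message)"
}
```

Run it in an elevated PowerShell on the forwarder host; the last block only shows whether your own session can read the channel, the earlier output is what applies to the service account.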