Why the ErrorCode 5 when trying to forward Sysmon ...

pck1983 · ‎09-16-2023

I got the following errors in my Splunk Error Logs:

Init failed, unable to subscribe to Windows Event Log channel Microsoft-Windows-Sysmon/Operational: errorCode=5

The UniversalForwarder is installed on a Windows 10 Desktop (not part of a Doamin).

I can see Sysmon logging in the eventlog viewer and I can forward the System and Security logs but not the Sysmon logs. What do I overlook here?

inputs.conf:

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0

mawni · ‎11-27-2023

Hi

It was due to the user being configured to run the Splunk forwarder Windows service. It was a local user account without the necessary rights. I changed it to a local system account and the events started to flow in.

Thanks,

Awni

Why the ErrorCode 5 when trying to forward Sysmon logs (unable to subscribe)?

universal forwarder

Windows

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!