Sysmon Events not being forwarded to WEF after update from 13.31 to 14.14

Dobrowolski, Sascha 0 Reputation points
2023-03-31T14:07:43.7266667+00:00

Hi Guys...

After updating as documented (uninstalling Sysmon64 with -u) and reinstalling with the 14.14 version, Sysmon stopped sending logs to our WEF collection server and the attached IBM SIEM.

The Sysmon64 service on the server itself seems to run fine though.

The new Sysmon64 v14.14 service is successfully installed with our config file, doesn't report any errors while installing, and logs are being written to Microsoft-Windows-Sysmon/Operational, so all looks good.

I've even tried the undocumented -t switch to show Sysmon debug output; no visible errors here.

Is there any way to debug why the events are not being forwarded to the configured WEF server?


1 answer

Limitless Technology 43,941 Reputation points
2023-04-03T12:38:47.3666667+00:00

Hello there,

Perhaps it might be a permissions issue.

This problem may occur when the following conditions are true:

The Network Service account does not have the correct permission when Windows Remote Management (WinRM) tries to query the security logs from the source computer.

Permissions to manage the security event log are modified by registry or by configuring the Manage auditing and Security log

https://learn.microsoft.com/en-GB/troubleshoot/windows-server/system-management-components/security-event-log-forwarding-fails-error-0x138c-5004

Hope this resolves your query!

--If the reply is helpful, please Upvote and Accept it as an answer--

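One way to start answering the question's "how do I debug this" on the source host, as an added example that is not part of the thread and not Sysmon's or Microsoft's own tooling: the script below checks the permissions angle the answer points at (the channel ACL and whether Network Service can read it), then the subscription-manager policy and the forwarding plug-in's own log. It assumes the channel name Microsoft-Windows-Sysmon/Operational and that the subscription is pulled through the source's Network Service account (the WEF default); run it in an elevated PowerShell session.

```powershell
# Added WEF source-side diagnostic (example code, not from the original thread).
# Assumptions: the Sysmon channel name below, and that the collector reads this
# host through the Network Service account (the default for WEF subscriptions).
$Channel = 'Microsoft-Windows-Sysmon/Operational'
$Since   = (Get-Date).AddHours(-1)

# 1. Is Sysmon actually writing to the channel? The poster says yes; confirm it anyway.
$local = @(Get-WinEvent -FilterHashtable @{ LogName = $Channel; StartTime = $Since } -ErrorAction SilentlyContinue)
"[{0}] {1} Sysmon events written locally in the last hour" -f $(if ($local.Count) { 'OK' } else { '!!' }), $local.Count

# 2. Channel configuration: read the channel access SDDL.
$cfg  = wevtutil gl $Channel
$sddl = ($cfg | Where-Object { $_ -match '^channelAccess:' }) -replace '^channelAccess:\s*', ''
"Channel SDDL: $sddl"

# Parse allow ACEs of the form (A;;<rights>;;;<sid>) and list principals holding read (bit 0x1).
# Short rights strings such as 'GR' are not decoded; hex masks are what channel ACLs normally carry.
$readers = foreach ($m in [regex]::Matches($sddl, '\(A;;(?<rights>[^;]+);;;(?<sid>[^)]+)\)')) {
    $rights = $m.Groups['rights'].Value
    $mask   = if ($rights -like '0x*') { [Convert]::ToInt32($rights, 16) } else { 0 }
    if ($mask -band 0x1) { $m.Groups['sid'].Value }
}
"Principals with read access: $($readers -join ', ')"

# 3. Network Service needs read: either directly (NS / S-1-5-20) or via the
#    built-in Event Log Readers group (S-1-5-32-573) when that group is in the ACL.
$nsDirect  = ($readers -contains 'NS') -or ($readers -contains 'S-1-5-20')
$elrInSddl = $readers -contains 'S-1-5-32-573'
$nsInElr   = $false
try {
    $nsInElr = [bool](Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction Stop |
                      Where-Object { $_.SID.Value -eq 'S-1-5-20' })
} catch { "Could not enumerate Event Log Readers: $($_.Exception.Message)" }

if ($nsDirect -or ($elrInSddl -and $nsInElr)) {
    "[OK] Network Service can read $Channel"
} else {
    "[!!] Network Service cannot read $Channel - check whether an ACL set before the reinstall is still present."
    "     To grant read to Network Service:  wevtutil sl `"$Channel`" /ca:`"$sddl(A;;0x1;;;NS)`""
}

# 4. Is a subscription manager (the collector) configured by policy on this source at all?
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$sm    = Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue
if ($sm) {
    "Subscription manager(s): " + (($sm.PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value) -join '; ')
} else {
    "[!!] No SubscriptionManager policy found - this source will never pull a subscription."
}

# 5. What has the forwarding plug-in logged in the last 24 hours? Errors here name the subscription and cause.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Forwarding/Operational'; StartTime = (Get-Date).AddHours(-24) } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Read the output top to bottom: if step 1 shows events but step 3 reports that Network Service cannot read the channel, the symptom matches the answer's permissions theory and the printed wevtutil sl line grants the missing read right. If step 4 is empty, the forwarding policy never reached this host, and step 5 is where the source records subscription errors. On the collector side, wecutil gr <SubscriptionName> shows the per-source runtime status and the last error for that source.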