Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
1,132 questions
Sysmon Failing to write To Op log
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 64%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBK%3C/text%3E%3C/svg%3E)
Brian Keller
0
Reputation points
I have one server of a couple thousand that won't run Sysmon. It is a 2012R2 box. The Event Viewer container is present with one entry in the op log that the config has changed. There is no service running and an system event message: The event logging service encountered an error (5) while enabling publisher {5770385f-c22a-43e0-bf4c-06f5698ffbd9} to channel Microsoft-Windows-Sysmon/Operational
I cannot uninstall as Sysmon is not seen as installed. I cannot install with the error: Configuration file validated.
wevtutil.exe returned failure
Event manifest installation failed with last error:
Cannot create a file when that file already exists.
Any help appreciated
Sysinternals
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 8%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Jon 0 Reputation points2023-04-27T20:59:19.3133333+00:00 I had a similar issue. I was re installing sysmon and I was getting the same wevtutil error. My solution was that I had to remove the custom WINEVT publishers I was messing around with that didn't have a "MessageFileName" and "ResourceFileName". The publishers can be found at "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers"
Sign in to comment