## 00 Purpose
Set up proper ingestion and parsing of Sysmon logs from Windows Server 2025 into Splunk Free using the Universal Forwarder and the official Splunk Add-on for Sysmon (v5.0.0).
## 01 Environment Overview
| Component | Details |
|---|---|
| Target Server | Windows Server 2025 |
| Sysmon | Installed and running in Smart Mode (low noise configuration) |
| Universal Forwarder | Installed on Windows Server 2025 |
| Splunk Instance | Splunk Free Edition (single-instance setup) |
| Index | wineventlog |
| Sysmon Input Config | Already added with renderXml = true |
## 02 Status Before Add-on Installation
- Sysmon events were being collected via the Universal Forwarder.
- Events arriving in Splunk showed the generic sourcetype (xmlwineventlog).
- No proper field extractions for key Sysmon fields.
- The Splunk Free UI blocked "Manage Apps" because the Auth license feature is missing.
## 03 Download & Extraction Process
| Field | Value |
|---|---|
| Add-on Name | Splunk Add-on for Microsoft Sysmon |
| Version | 5.0.0 |
| Downloaded File | C:\Tools\Sysmon\splunk-add-on-for-sysmon_500.tgz |
| Source | splunkbase.splunk.com/app/5709 |
### Extraction Steps
1. Input: splunk-add-on-for-sysmon_500.tgz → Output: Splunk_TA_microsoft_sysmon-5.0.0.tar (Tool: Windows built-in Extract All or 7-Zip)
2. Input: Splunk_TA_microsoft_sysmon-5.0.0.tar → Output: Splunk_TA_microsoft_sysmon-5.0.0\ (Tool: Windows built-in Extract All or 7-Zip)

### Extracted Folder Structure
- 📁 default\
- 📁 metadata\
## 04 Installation Steps on Splunk Free
Because Splunk Free disables "Manage Apps → Install app from file", copying the add-on into etc\apps\ followed by a restart is the reliable workaround.

1. Copy the entire extracted folder to the Splunk apps directory.
   - Source: Splunk_TA_microsoft_sysmon-5.0.0\
   - Destination: C:\Program Files\Splunk\etc\apps\

```powershell
Copy-Item -Recurse "Splunk_TA_microsoft_sysmon-5.0.0" "C:\Program Files\Splunk\etc\apps\"
```

2. Restart Splunk using PowerShell (Run as Administrator) to load the new add-on.

```powershell
cd "C:\Program Files\Splunk\bin"
.\splunk.exe restart
```

3. Optionally install the same add-on on the Universal Forwarder for improved local parsing and field extraction at the source.
   - Destination: C:\Program Files\SplunkUniversalForwarder\etc\apps\

```powershell
Copy-Item -Recurse "Splunk_TA_microsoft_sysmon-5.0.0" "C:\Program Files\SplunkUniversalForwarder\etc\apps\"
cd "C:\Program Files\SplunkUniversalForwarder\bin"
.\splunk.exe restart
```
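The three installation steps above, together with the renderXml requirement noted under Lessons Learned, as one PowerShell script. This is an added example, not part of the original notes and not code from the Splunk add-on; it assumes the paths used in this write-up, that the extracted folder sits under C:\Tools\Sysmon\, and that the Sysmon input stanza is written to the add-on's local\ directory on the forwarder (the notes do not say where the existing stanza lives, and any app's local\inputs.conf would work). The final btool call prints the merged input stanza so a missing or overridden renderXml shows up before waiting for events to arrive.

```powershell
# Added example (not from the original notes): deploy the extracted
# Splunk Add-on for Sysmon to the Splunk instance and the Universal
# Forwarder, make sure the forwarder's Sysmon input renders XML, then
# restart both and show the effective input stanza with btool.
# Run from an elevated PowerShell (Run as Administrator).

$ErrorActionPreference = 'Stop'

$AppSource  = 'C:\Tools\Sysmon\Splunk_TA_microsoft_sysmon-5.0.0'   # assumed location of the extracted add-on
$AppName    = Split-Path $AppSource -Leaf                           # -> Splunk_TA_microsoft_sysmon-5.0.0
$SplunkHome = 'C:\Program Files\Splunk'
$UfHome     = 'C:\Program Files\SplunkUniversalForwarder'

# Sanity check: the folder must carry default\ and metadata\ directly,
# otherwise the .tgz -> .tar -> folder extraction stopped one level short.
foreach ($sub in 'default', 'metadata') {
    if (-not (Test-Path (Join-Path $AppSource $sub))) {
        throw "$AppSource does not contain '$sub\' - re-check the two-step extraction"
    }
}

function Install-SysmonTA {
    param([string]$InstallRoot)   # Splunk or Universal Forwarder install root
    $appsDir = Join-Path $InstallRoot 'etc\apps'
    $dest    = Join-Path $appsDir $AppName
    if (Test-Path $dest) {
        Write-Host "Replacing existing $dest"
        Remove-Item -Recurse -Force $dest
    }
    # Copying a folder into an existing directory creates etc\apps\<AppName>\
    Copy-Item -Recurse $AppSource $appsDir
    Write-Host "Installed $AppName into $appsDir"
}

Install-SysmonTA -InstallRoot $SplunkHome
Install-SysmonTA -InstallRoot $UfHome

# Forwarder input: renderXml = true is what lets the add-on assign the
# XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype and apply
# its field extractions. Written to the add-on's local\ directory (assumption).
$localDir = Join-Path $UfHome "etc\apps\$AppName\local"
New-Item -ItemType Directory -Force -Path $localDir | Out-Null
@"
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = wineventlog
"@ | Set-Content -Path (Join-Path $localDir 'inputs.conf') -Encoding ascii

# Restart both services so the new app and the input stanza are loaded.
& (Join-Path $SplunkHome 'bin\splunk.exe') restart
& (Join-Path $UfHome 'bin\splunk.exe') restart

# Print the effective Sysmon input stanza (merged from every inputs.conf)
# with the file each setting came from; renderXml = true must appear here.
& (Join-Path $UfHome 'bin\splunk.exe') btool inputs list 'WinEventLog://Microsoft-Windows-Sysmon/Operational' --debug
```

If the btool output shows renderXml coming from a different file with a value of 0 or false, that file wins over the stanza written here and needs to be corrected, since the add-on's extractions only apply to XML-rendered events.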
## 05 Verification
1. Open Splunk Web at http://localhost:8000 and confirm the add-on appears in the Apps list.
2. Run a search to verify the sourcetype has changed correctly.

```spl
index=wineventlog source=*sysmon*
| stats count by sourcetype source
```

Expected sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

3. Verify that key Sysmon fields are being extracted properly.

```spl
index=wineventlog sourcetype=*sysmon*
| table _time host EventCode Image CommandLine ParentImage ProcessId hashes DestinationIp
```

Expected fields populated (depending on the event type): EventCode, Image, CommandLine, ParentImage, ProcessId, hashes, DestinationIp.
## 06 Lessons Learned
- The "Manage Apps → Install app from file" feature in Splunk Free is disabled because it requires the Auth license feature, which is not included in the free tier.
  - Resolution: Manual folder copy to etc\apps\ and a Splunk restart.
- The download is a .tgz file which must be extracted twice: .tgz → .tar, then .tar → folder.
  - Resolution: Use 7-Zip or Windows built-in Extract All for each layer.
- The renderXml = true setting in the Universal Forwarder's inputs.conf is essential. Without it, the Sysmon add-on cannot properly parse the incoming events.
  - Resolution: Ensure inputs.conf on the Forwarder includes renderXml = true for the Sysmon input.
- Both PowerShell and Command Prompt work reliably for restarting Splunk and the Universal Forwarder.
  - Resolution: N/A, either CLI tool works.
## 07 Next Steps
- Tune the Sysmon config.xml further to reduce event noise and stay within Splunk Free's 500 MB/day indexing limit.
- Create a dedicated index (e.g., sysmon) to separate Sysmon events from other Windows event log data for easier searching and retention management.

```spl
index=sysmon
```

- Create basic dashboards in Splunk for key Sysmon event codes.
- Investigate Splunk Security Content detections and analytics that leverage Sysmon data for threat detection use cases.
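The dedicated-index step above, as an added PowerShell example that is not part of the original notes. It assumes the same install paths as the write-up, that the forwarder's Sysmon input stanza lives in the add-on's local\inputs.conf, and that no CLI authentication is needed (Splunk Free has no user login); on a licensed instance `splunk add index` would also need `-auth`.

```powershell
# Added example (not from the original notes): create a dedicated 'sysmon'
# index on the Splunk instance and repoint the forwarder's Sysmon input at it.
$ErrorActionPreference = 'Stop'
$SplunkHome = 'C:\Program Files\Splunk'
$UfHome     = 'C:\Program Files\SplunkUniversalForwarder'
$IndexName  = 'sysmon'

# 'splunk add index' creates the index and writes its indexes.conf stanza
# with default retention settings, which can be tuned later.
& (Join-Path $SplunkHome 'bin\splunk.exe') add index $IndexName

# Rewrite the forwarder input stanza so new events land in the new index
# (assumed location of the stanza; keep renderXml = true or the add-on's
# extractions stop applying).
$inputsConf = Join-Path $UfHome 'etc\apps\Splunk_TA_microsoft_sysmon-5.0.0\local\inputs.conf'
New-Item -ItemType Directory -Force -Path (Split-Path $inputsConf -Parent) | Out-Null
@"
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = $IndexName
"@ | Set-Content -Path $inputsConf -Encoding ascii

# Only the forwarder needs a restart; the index was created live on Splunk.
& (Join-Path $UfHome 'bin\splunk.exe') restart
```

Events already stored in wineventlog stay there; from the restart onward, `index=sysmon` returns the new Sysmon events and `index=wineventlog` keeps the other Windows event logs.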