Hello,
I am trying to log the Sysmon/Operational Windows event logs via the Sysmon TA app:

```
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
index = wineventlog
```
But when I push the app to the Universal Forwarders on my Windows boxes, I am receiving the error:

```
Received event for unconfigured/disabled/deleted index="wineventlog" with source="source::WinEventLog:Microsoft-Windows-Sysmon/Operational" host="host::XX" sourcetype="sourcetype::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational". So far received events from 1 missing index(es).
```
The challenge is that the index does exist and is enabled:
![alt text][1]
It was originally created by the Windows TA app, so I deleted it, recreated it, put it in indexes.conf, but nothing. I cannot see the issue.
Any help would be appreciated.
[1]: /storage/temp/106172-wineventlog.png
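As an added example (not part of the original post), the script below parses the "unconfigured/disabled/deleted index" warnings quoted above out of splunkd.log, lists which index names and forwarder hosts are affected, compares them against the set of indexes the receiving instance actually has, and renders an indexes.conf stanza for anything missing. The sample log lines, host names and the `configured` set are constructed; the timestamp/component prefix is illustrative and is not matched by the regex.

```python
import re
from collections import defaultdict

# Matches the message body of the splunkd.log warning quoted in the post.
MISSING_INDEX_RE = re.compile(
    r'Received event for unconfigured/disabled/deleted index="(?P<index>[^"]+)"'
    r' with source="source::(?P<source>[^"]+)"'
    r' host="host::(?P<host>[^"]+)"'
    r' sourcetype="sourcetype::(?P<sourcetype>[^"]+)"'
)

# Constructed sample lines in the shape of splunkd.log; not a real capture.
SAMPLE_LOG = """\
01-01-2017 10:00:00.000 +0000 WARN  IndexProcessor - Received event for unconfigured/disabled/deleted index="wineventlog" with source="source::WinEventLog:Microsoft-Windows-Sysmon/Operational" host="host::WIN-01" sourcetype="sourcetype::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational". So far received events from 1 missing index(es).
01-01-2017 10:00:05.000 +0000 WARN  IndexProcessor - Received event for unconfigured/disabled/deleted index="wineventlog" with source="source::WinEventLog:Security" host="host::WIN-02" sourcetype="sourcetype::XmlWinEventLog:Security". So far received events from 1 missing index(es).
01-01-2017 10:00:06.000 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=1.2
"""


def parse_missing_index_events(log_text):
    """Return {index_name: {"hosts": set, "sourcetypes": set}} for every warning found."""
    found = defaultdict(lambda: {"hosts": set(), "sourcetypes": set()})
    for line in log_text.splitlines():
        m = MISSING_INDEX_RE.search(line)
        if m:
            found[m["index"]]["hosts"].add(m["host"])
            found[m["index"]]["sourcetypes"].add(m["sourcetype"])
    return dict(found)


def indexes_to_create(missing, configured):
    """Index names the forwarders send to that the receiving instance does not define.

    `configured` should be the index list taken from the indexer that emits the
    warning (the instance receiving the data), not from a search head.
    """
    return sorted(set(missing) - set(configured))


def render_indexes_conf(names):
    """Render minimal indexes.conf stanzas (default paths under $SPLUNK_DB) for the given names."""
    stanzas = []
    for name in names:
        stanzas.append(
            f"[{name}]\n"
            f"homePath   = $SPLUNK_DB/{name}/db\n"
            f"coldPath   = $SPLUNK_DB/{name}/colddb\n"
            f"thawedPath = $SPLUNK_DB/{name}/thaweddb\n"
        )
    return "\n".join(stanzas)


if __name__ == "__main__":
    missing = parse_missing_index_events(SAMPLE_LOG)
    for name, info in missing.items():
        print(f"{name}: hosts={sorted(info['hosts'])} sourcetypes={sorted(info['sourcetypes'])}")
    print(render_indexes_conf(indexes_to_create(missing, {"main", "_internal"})))
```

Run it against the real splunkd.log of the instance that logs the warning; if the index shows up as missing there while it exists elsewhere, the indexes.conf simply has not reached that instance.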