Sysmon events corrupted when forwarded via WEF RRS feed

  • Question

  • Hi!

    I'm having a strange issue where, for events forwarded by WEF to a collector, the data values in the events are skewed.

    This is only if the "RuleName" field is empty.

    The XML looks fine, but in the "General" view (which the Splunk Universal Forwarder will forward to Splunk) things are skewed and the UtcTime values are shifted under "RuleName" instead, and so on.

    I have tried changing locale and ContentFormat on the subscription, same thing.

    I have sysmon installed on the Event Collector.

    OS language is Norwegian in both forwarder and collector.

    Events are forwarded to "Forwarded Events". Only sysmon events are forwarded.

    Anyone have any idea what's going on and how to fix this?

    Regards, Benjamin

    Sorry for not inserting the images, but it seems I can't post links/images before my account has been verified.

    https://i.imgur.com/WcqAUtF.png

    https://i.imgur.com/DiPabLt.png

    https://i.imgur.com/3xbJUPr.png

    https://i.imgur.com/FlrJx8J.png

    Tuesday, March 10, 2020 2:06 PM
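The symptom described above (XML intact, rendered "General" text mis-aligned when RuleName is empty) is a good reason to parse forwarded Sysmon events from the EventData XML, keyed by each Data element's Name attribute, rather than from the rendered message. The following is an added example and is not code from the poster or from the Sysmon project; the event XML and both rendered messages are constructed samples, and the parser assumes the rendered text is a title line followed by "Label: value" lines. It extracts fields by Name and then compares the rendered view against the XML so that a pipeline can flag (or simply bypass) a skewed rendering instead of ingesting shifted values.

```python
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample, not a real captured event: a Sysmon Event ID 1 with an
# empty RuleName, trimmed to a handful of EventData fields.
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <Computer>host01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="RuleName"></Data>
    <Data Name="UtcTime">2020-03-10 13:06:00.123</Data>
    <Data Name="ProcessGuid">{11111111-2222-3333-4444-555555555555}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
  </EventData>
</Event>"""

# Constructed rendering of the same event's "General" text, built to mimic the
# symptom in the thread: the empty RuleName collapsed, so every value slid up
# one label.
SAMPLE_SHIFTED_MESSAGE = """Process Create:
RuleName: 2020-03-10 13:06:00.123
UtcTime: {11111111-2222-3333-4444-555555555555}
ProcessGuid: 4242
ProcessId: C:\\Windows\\System32\\notepad.exe
Image:"""

# Constructed rendering with the fields correctly aligned, for comparison.
SAMPLE_ALIGNED_MESSAGE = """Process Create:
RuleName:
UtcTime: 2020-03-10 13:06:00.123
ProcessGuid: {11111111-2222-3333-4444-555555555555}
ProcessId: 4242
Image: C:\\Windows\\System32\\notepad.exe"""


def parse_event_data(xml_text):
    """Return EventData as {Name: value}, keyed by the Data Name attribute.

    Keying by Name rather than position is what keeps the XML view immune to
    the shift: an empty <Data> element still carries its Name, so nothing slides.
    """
    fields = {}
    root = ET.fromstring(xml_text)
    event_data = root.find("e:EventData", EVENT_NS)
    if event_data is None:
        return fields
    for data in event_data.findall("e:Data", EVENT_NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def parse_rendered_message(message):
    """Parse the 'Label: value' lines of a rendered Sysmon message into a dict.

    Only the first colon separates label from value, so values that contain
    colons themselves (UtcTime, drive letters) survive intact.
    """
    fields = {}
    for line in message.splitlines()[1:]:  # skip the "Process Create:" title line
        label, _, value = line.partition(":")
        fields[label.strip()] = value.strip()
    return fields


def find_shifted_fields(xml_fields, rendered_fields):
    """Return (name, xml_value, rendered_value) for every field whose rendered
    value disagrees with the XML value. An empty list means the views agree."""
    mismatches = []
    for name, xml_value in xml_fields.items():
        rendered_value = rendered_fields.get(name, "")
        if rendered_value != xml_value:
            mismatches.append((name, xml_value, rendered_value))
    return mismatches


def rendered_view_is_trustworthy(xml_text, message):
    """True when the rendered text matches the XML and can be ingested as-is;
    False when the pipeline should fall back to the XML EventData."""
    return not find_shifted_fields(parse_event_data(xml_text),
                                   parse_rendered_message(message))


if __name__ == "__main__":
    xml_fields = parse_event_data(SAMPLE_EVENT_XML)
    for name, xml_value, rendered_value in find_shifted_fields(
            xml_fields, parse_rendered_message(SAMPLE_SHIFTED_MESSAGE)):
        print(f"{name}: XML={xml_value!r} rendered={rendered_value!r}")
    print("aligned rendering trustworthy:",
          rendered_view_is_trustworthy(SAMPLE_EVENT_XML, SAMPLE_ALIGNED_MESSAGE))
```

Run against the shifted sample, every field from RuleName down reports a mismatch, which is exactly the "UtcTime under RuleName" picture from the post; the aligned sample reports none. In a collector-side pipeline the practical choice is simpler still: index the XML EventData by Name and ignore the rendered text entirely, using the comparison only as a health check on the rendering.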

All replies

  • Hi Benjamin

    This has been reported before and is already on our backlog but remains unresolved. I have flagged it for inclusion in this month's backlog review.

    Could you ping me at syssite@microsoft.com and send the images you were unable to upload?

    MarkC(MSFT)

    Wednesday, March 18, 2020 12:22 PM
  • Hi Mark,

    Thank you for the reply!

    I'll send the pictures your way.

    Is this an error in Sysmon or is it in the WEF component?

    Tuesday, March 24, 2020 8:05 AM
  • Update on this issue. It has been resolved and the fix will be available in Sysmon 11, which we will be publishing in the next day or so.

    MarkC(MSFT)

    Monday, April 27, 2020 3:31 PM
  • Hi Mark,

    We tried the latest version, and it did solve the issues we were having.

    Thanks a bunch!

    Thursday, April 30, 2020 12:10 PM
  • Excellent. And thanks for the update. I'd like to take the credit but Mark Russinovich fixed that one himself :-)

    MarkC(MSFT)

    Tuesday, May 5, 2020 7:50 AM