Sysmon service is running and generating events that I see in Event Viewer. I've add the channel: Microsoft-Windows-Sysmon/Operational on the Log Collector. But I don't see Sysmon logs in Netwitness Investigate. I see logs from other channels. Is this a parser issue? Any help would be appreciated.
No, I don't see sysmon logs under the unknown device type or anywhere else.
No winrm logs on the collector.
HI Jay Alexander,
Please grant additional permissions to custom channel in windows server. This document 000038047 - Windows logs are not coming to RSA NetWitness Platform due to "bookmark as 1" errors has steps for security channel.
on Sep 10, 2020
Jay
Do you see them at all from an unknown device type perspective? Are there any errors in the log collector winrm logs?
Dave