Most likely a SIEM collector is required for getting Sysmon logs.
You are right, thanks.
But why does it only work with "Windows event logs - WMI"? This parser is bad!
I want to build the parser, so I set "Windows event logs - CEF", but now I don't receive the logs.
Why is that?
How can I build my own parser for Windows event logs?
The SIEM and parser are fine. It's the configuration that needs attention.
1. Confirm you are logging so that your logs are actually available via WMI.
- Open PowerShell on the host in question and type: Get-EventLog -List
Post your results and we will go to the next step.
Azure Information Protection
Key Management Service
QPM Event Log
Symantec Endpoint Protection Client
The log that I want is not here...
In event logs it's under Applications and Services Logs -> Microsoft -> Windows -> Sysmon.
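An added example (not posted by anyone in this thread) of why the Sysmon log does not show up in the Get-EventLog -List output above and how to verify on the host that the channel exists, is enabled and actually holds events before troubleshooting the collector. It assumes Sysmon was installed with its default channel name, Microsoft-Windows-Sysmon/Operational.

```powershell
# Added example, not from the original thread.
# Assumption: Sysmon uses its default channel name.
$channel = 'Microsoft-Windows-Sysmon/Operational'

# Get-EventLog -List only enumerates the classic logs (Application, System,
# Security and similar), which is why the Sysmon log was missing from the
# list posted above. Sysmon writes to an "Applications and Services" channel,
# so the newer Get-WinEvent cmdlet has to be used to see it.
$log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
if (-not $log) {
    Write-Warning "Channel '$channel' not found. Is Sysmon installed on this host?"
    return
}

# Channel status: if IsEnabled is False or RecordCount is 0, no collector or
# parser configuration on the SIEM side will ever receive Sysmon events.
"{0}: enabled={1} records={2} file={3}" -f `
    $log.LogName, $log.IsEnabled, $log.RecordCount, $log.LogFilePath

if ($log.RecordCount -eq 0) {
    Write-Warning "Channel exists but holds no events. Check the Sysmon configuration."
    return
}

# Show the five newest Sysmon events (event ID 1 = process create,
# 3 = network connection, ...), keeping only the first line of each message.
# This is the data the collector must be able to read before a CEF or any
# custom parser can be applied to it.
Get-WinEvent -LogName $channel -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session, since reading the Sysmon channel normally requires administrator rights.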