I actually have the same problem: the SIEM did not understand, or was not able to read from, the new manifest that Sysmon created at the point of installation. This may be a bug. But the way I got around that is to use event forwarding to an event collector. Here's a link: Setting up a Source Initiated Subscription (Windows). This also helps when you want to deploy to a larger audience. In my case, when creating a subscription I had to save the logs to Application. Then have the SIEM grab the logs from the Application log.
I have the SIEM agent on all my end devices and do not have any problems obtaining the Sysmon logs, as I can choose which Windows Event logs I want to collect in the agent. The problem I do have is that the SIEM does not parse the data correctly and therefore is not showing me the data I want to see when I do filters and reports. Anyone have any ideas on this?
This is the way to do it.
Step 1: You should install Sysmon on all computers.
Step 2: Configure a Windows Event Subscription on a central Windows server to pull all Sysmon logs from the clients and store them in "Forwarded Events".
Step 3: Install "NXLog Free Edition" on this Windows Server and configure it to send syslog in JSON format to the McAfee SIEM.
Step 4: Create a new device with the IP of that Windows Server and enable Generic Syslog support.
Step 5: Enable JSON parser on the device policy.
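As an added example (not from this thread or from NXLog's own documentation), here is a collector-side nxlog.conf for Step 3 that reads only Sysmon events from the ForwardedEvents channel filled by the Step 2 subscription and sends each one as a JSON object inside a syslog message over TCP; the SIEM address 192.0.2.10, port 514 and the NXLog install path are assumptions to replace with your own values.

```apacheconf
## Added example: nxlog.conf on the Windows event collector (not the thread's own config).
## Assumes NXLog Community Edition in its default install path; host/port are placeholders.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

# Read the channel that Windows Event Forwarding writes to, but keep only
# Sysmon events so other forwarded channels do not pollute the SIEM feed.
<Input forwarded_sysmon>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*[System[Provider[@Name='Microsoft-Windows-Sysmon']]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Serialise the whole event record (EventID, Image, CommandLine, Hashes, ...)
# into the syslog body as one JSON object, so the SIEM's JSON parser receives
# every Sysmon field instead of only the free-text Message string.
<Output to_siem>
    Module  om_tcp
    Host    192.0.2.10
    Port    514
    Exec    $Message = to_json(); to_syslog_bsd();
</Output>

<Route sysmon_to_siem>
    Path    forwarded_sysmon => to_siem
</Route>
```

Sysmon records with long command lines and hash lists can exceed what a single UDP datagram carries, so TCP is used here to avoid silently truncated JSON that the SIEM parser would then reject.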
Could you please explain what you mean by "Enable JSON parser on the device policy"? How can I do it?