Injesting sysmon logs via Elastic API and events are getting dropped

Question

Hi, I am trying to ingest sysmon logs via the Elastic api. But i do not see any live data but instead i get all dropped counts. Can anyone help?

itsjustjordyn · Answer

Hey @Joel Yue I just want to be sure I am understanding your use case. Are you using the Elasticsearch API (Source) to pull sysmon logs from Elasticsearch and you aren't observing any data?

If the aforementioned is correct, can you provide a sanitized version of the input/source config here and any error logs?

Sign up

Using your Cribl.Cloud account

Login to the community

Using your Cribl.Cloud account

Scanning file for viruses.

This file cannot be downloaded