NetWitness Community

TuongPham · ‎2022-06-15

Hello

I'm having problem collecting Sysmon Logs via WinRM. Sysmon service is running and generating events in Eventviewer. When I added the channel: Microsoft-Windows-Sysmon/Operational on the Log Collector, the test connection displayed "Channel specification may be incorrect" error. I can add and collect logs from other channels except for Sysmon. Is there a way to solve this issue ?

Thank you !

VincentWareham · ‎2022-06-15

Hello Tuong

Others have been able to resolve this by adding the NETWORK SERVICE local user account to the Event Log Readers group.
Can add this from cmd prompt which is Run as administrator

net localgroup "Event Log Readers" "NT Authority\Network Service" /add

Restart the Windows server.

Make sure the user running the command is a local Admin account and is part of the Event Log Readers group.

View solution in original post

VincentWareham · ‎2022-06-15

Hello Tuong

Others have been able to resolve this by adding the NETWORK SERVICE local user account to the Event Log Readers group.
Can add this from cmd prompt which is Run as administrator

net localgroup "Event Log Readers" "NT Authority\Network Service" /add

Restart the Windows server.

Make sure the user running the command is a local Admin account and is part of the Event Log Readers group.