111. Sysmon
NXLog can be configured to capture and process audit logs generated by the Sysinternals Sysmon utility. Sysmon is a Windows system service and device driver that logs system activity into Windows Event Log. Supported events include (but are not limited to):
- process creation and the full command line used,
- loading of system drivers,
- network connections, and
- modification of file creation timestamps.
On Windows Vista and higher, Sysmon logs are stored in the Microsoft-Windows-Sysmon/Operational Windows Event Log channel. On older systems, events are written to the default System channel.
111.1. Setting up Sysmon
To download Sysmon, and for full details about configuring and installing Sysmon, see the Sysmon page on Microsoft Docs.
- Download and extract the Sysmon ZIP archive.
- Install the Sysmon service with the default parameters. The service will become active immediately; no restart is required. The service will remain resident across reboots. Other command-line parameters are available to enable or disable various types of logging.
  > sysmon -accepteula -i
- A complex configuration with filtering can be deployed by creating a custom XML configuration file for Sysmon. See SwiftOnSecurity Sysmon configuration, or IONStorm Sysmon configuration on GitHub. Both provide good information for understanding what is possible with Sysmon and include many examples. Use the -c option to update the service with a new configuration.
  > sysmon -c config.xml
- To uninstall the Sysmon service, use the -u option.
  > sysmon -u
111.2. Collecting Sysmon logs
When Sysmon generates event log data, it encodes details of the event into the EventData tag of the Windows Event Log record.
<EventData>
<Data Name="UtcTime">2015.04.27. 13:23</Data>
<Data Name="ProcessGuid">{00000000-3862-553E-0000-001051D40527}</Data>
<Data Name="ProcessId">25848</Data>
<Data Name="Image">c:\Program Files (x86)\nxlog\nxlog.exe</Data>
<Data Name="CommandLine">"c:\Program Files (x86)\nxlog\nxlog.exe" -f</Data>
<Data Name="User">WIN-OUNNPISDHIG\Administrator</Data>
<Data Name="LogonGuid">{00000000-568E-5453-0000-0020D5ED0400}</Data>
<Data Name="LogonId">0x4edd5</Data>
<Data Name="TerminalSessionId">2</Data>
<Data Name="IntegrityLevel">High</Data>
<Data Name="HashType">SHA1</Data>
<Data Name="Hash">1DCE4B0F24C40473Ce7B2C57EB4F7E9E3E14BF94</Data>
<Data Name="ParentProcessGuid">{00000000-3862-553E-0000-001088D30527}</Data>
<Data Name="ParentProcessId">26544</Data>
<Data Name="ParentImage">C:\msys\1.0\bin\sh.exe</Data>
<Data Name="ParentCommandLine">C:\msys\1.0\bin\sh.exe</Data>
</EventData>
Sysmon audit log data can be collected with im_msvistalog (or other modules, see Windows Event Log). The Data tags will be automatically parsed, and the values will be available as fields in the event records. The log data can then be forwarded to a log analytics system to allow identification of malicious or anomalous activity.
Here, the im_msvistalog module will collect all Sysmon logs from Windows Event Log. A sample event is shown below.
<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
{
"EventTime": "2015-04-27 15:23:46",
"Hostname": "WIN-OUNNPISDHIG",
"Keywords": -9223372036854776000,
"EventType": "INFO",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 1,
"SourceName": "Microsoft-Windows-Sysmon",
"ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"Version": 3,
"Task": 1,
"OpcodeValue": 0,
"RecordNumber": 2335906,
"ProcessID": 1680,
"ThreadID": 1728,
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Domain": "NT AUTHORITY",
"AccountName": "SYSTEM",
"UserID": "SYSTEM",
"AccountType": "Well Known Group",
"Message": "Process Create:\r\nUtcTime: 2015.04.27. 13:23\r\nProcessGuid: {00000000-3862-553E-0000-001051D40527}\r\nProcessId: 25848\r\nImage: c:\\Program Files (x86)\\nxlog\\nxlog.exe\r\nCommandLine: \"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f\r\nUser: WIN-OUNNPISDHIG\\Administrator\r\nLogonGuid: {00000000-568E-5453-0000-0020D5ED0400}\r\nLogonId: 0x4edd5\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashType: SHA1\r\nHash: 1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94\r\nParentProcessGuid: {00000000-3862-553E-0000-001088D30527}\r\nParentProcessId: 26544\r\nParentImage: C:\\msys\\1.0\\bin\\sh.exe\r\nParentCommandLine: C:\\msys\\1.0\\bin\\sh.exe",
"Opcode": "Info",
"UtcTime": "2015.04.27. 13:23",
"ProcessGuid": "{00000000-3862-553E-0000-001051D40527}",
"Image": "c:\\Program Files (x86)\\nxlog\\nxlog.exe",
"CommandLine": "\"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f",
"User": "WIN-OUNNPISDHIG\\Administrator",
"LogonGuid": "{00000000-568E-5453-0000-0020D5ED0400}",
"LogonId": "0x4edd5",
"TerminalSessionId": "2",
"IntegrityLevel": "High",
"HashType": "SHA1",
"Hash": "1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94",
"ParentProcessGuid": "{00000000-3862-553E-0000-001088D30527}",
"ParentProcessId": "26544",
"ParentImage": "C:\\msys\\1.0\\bin\\sh.exe",
"ParentCommandLine": "C:\\msys\\1.0\\bin\\sh.exe",
"EventReceivedTime": "2015-04-27 15:23:47",
"SourceModuleName": "in",
"SourceModuleType": "im_msvistalog"
}
111.3. Filtering Sysmon events
Some scenarios require more advanced filtering of Sysmon logs in order to achieve more useful results. There are three main ways to filter Sysmon logs.
- Sysmon configuration
  Sysmon supports filtering tags that can be used to avoid logging unwanted events. See Setting up Sysmon above and the Sysmon page for details about the available tags. This method is the most efficient because it avoids creating the unwanted log entries in the first place.
- Windows Event Log XPath query
  The im_msvistalog Query or QueryXML directive can be used to limit the entries that are read via the Windows Event Log API. Because this method restricts the number of entries that reach NXLog, it is a fairly efficient way to filter logs.
  Example 513. Filtering Sysmon events with an XPath Query
  The following example shows a query that collects only events that have an event ID of 1 (process creation).
- NXLog language
  Finally, the built-in filtering capabilities of NXLog can be used, which may be easier to write than the XML query syntax provided by the Windows Event Log API.
  Example 514. Filtering Sysmon events in an Exec block
  This example discards all network connection events (event ID 3) regarding HTTP network connections to a particular server and port, and all process creation and termination events (event IDs 1 and 5) for conhost.exe.
<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if ($EventID in (1, 5) and
            $Image == "C:\\Windows\\System32\\conhost.exe") or
           ($EventID == 3 and
            $DestinationPort == 80 and
            $DestinationIp == 10.0.0.1)
            drop();
    </Exec>
</Input>
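The two steps described above, the flattening of each `<Data Name="...">` element into a named field (which im_msvistalog performs automatically, as described in Collecting Sysmon logs) and the drop logic of Example 514, can be checked offline in plain Python. The following is an added example, not NXLog's own code or configuration: it parses Sysmon EventData XML into a dictionary, applies the same two drop conditions as the Exec block (process create/terminate events for conhost.exe, and network connections to 10.0.0.1 port 80), and also reproduces the EventID 1 selection of Example 513. The sample records are constructed for the example; the EventData values are modelled on the page's sample event but the image paths and the destination address are made up. Unlike NXLog's `==` on an ip4addr value, this version also shows how a malformed address or port in the record is handled (the event is kept rather than silently dropped).

```python
"""Flatten Sysmon EventData and apply the Example 514 drop rules (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample records: (System-level EventID, raw <EventData> payload).
# Field names follow Sysmon's schema; the values are made up for this example.
SAMPLE_EVENTS = [
    (1, r"""<EventData>
        <Data Name="UtcTime">2015.04.27. 13:23</Data>
        <Data Name="Image">C:\Windows\System32\conhost.exe</Data>
        <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
    </EventData>"""),
    (1, r"""<EventData>
        <Data Name="UtcTime">2015.04.27. 13:23</Data>
        <Data Name="Image">c:\Program Files (x86)\nxlog\nxlog.exe</Data>
        <Data Name="CommandLine">"c:\Program Files (x86)\nxlog\nxlog.exe" -f</Data>
    </EventData>"""),
    (3, r"""<EventData>
        <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
        <Data Name="Protocol">tcp</Data>
        <Data Name="DestinationIp">10.0.0.1</Data>
        <Data Name="DestinationPort">80</Data>
    </EventData>"""),
    (3, r"""<EventData>
        <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
        <Data Name="Protocol">tcp</Data>
        <Data Name="DestinationIp">10.0.0.1</Data>
        <Data Name="DestinationPort">443</Data>
    </EventData>"""),
    (5, r"""<EventData>
        <Data Name="Image">C:\Windows\System32\conhost.exe</Data>
    </EventData>"""),
]

# Values from the Exec block in Example 514.
CONHOST = r"C:\Windows\System32\conhost.exe"
BLOCKED_DEST = (ipaddress.ip_address("10.0.0.1"), 80)


def parse_event_data(xml_text):
    """Turn each <Data Name="X">value</Data> child into an X: value entry.

    Values are kept as strings, matching the page's JSON sample where
    EventData-derived fields such as ProcessId arrive as strings.
    """
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter("Data")}


def to_record(event_id, xml_text):
    """Build the flat event record: System-level EventID plus parsed fields."""
    rec = {"EventID": event_id}
    rec.update(parse_event_data(xml_text))
    return rec


def should_drop(rec):
    """Python rendering of the two drop conditions in Example 514.

    String comparison is exact, mirroring NXLog's == on strings (assumption).
    """
    if rec["EventID"] in (1, 5) and rec.get("Image") == CONHOST:
        return True
    if rec["EventID"] == 3:
        try:
            dest = (ipaddress.ip_address(rec.get("DestinationIp", "")),
                    int(rec.get("DestinationPort", "")))
        except ValueError:
            return False  # malformed address or port: keep the event for review
        return dest == BLOCKED_DEST
    return False


def filter_events(events=SAMPLE_EVENTS):
    """Return the records that survive the Example 514 drop rules."""
    records = (to_record(eid, xml) for eid, xml in events)
    return [r for r in records if not should_drop(r)]


def select_event_id(events=SAMPLE_EVENTS, event_id=1):
    """Equivalent of the Example 513 XPath selection: keep only one EventID."""
    return [to_record(eid, xml) for eid, xml in events if eid == event_id]


if __name__ == "__main__":
    for rec in filter_events():
        print(rec["EventID"], rec.get("Image"),
              rec.get("DestinationIp"), rec.get("DestinationPort"))
```

Running the module prints the two surviving records: the nxlog.exe process creation and the connection to 10.0.0.1 on port 443. Swapping `SAMPLE_EVENTS` for records exported from a real channel lets a rule be checked against known-good and known-noisy events before it is deployed in the Exec block.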