top of page
Search
GeekGuy
Oct 28, 20212 min read

Sysmon: Linux release 1.0.0, 25th birthday

Today on the 25th birthday of Sysinternals Sysmon 1.0.0 for Linux has been released and it is open source software!

This short blog is a quick overview of the capabilities to give you an idea of what you can expect from this initial release.

Installing Sysmon for Linux

Sysmon relies on their implementation of eBPF so you’ll need to compile and install that first. https://github.com/Sysinternals/SysinternalsEBPF

When eBPF is installed you can move on to compiling and installing Sysmon, it has been well documented in the repository, just walk through the steps. https://github.com/Sysinternals/SysmonForLinux

Once complete we can run it and we’re greeted with a familiar prompt

Sysmon for Linux 1.0.0 banner screen

Avid Sysmon users will immediately notice that there is less command line options than on Windows. However, over time I am sure there will be more features added.

One thing that is cool is that Sysmon for Windows and Linux share the same manifest, so also the same schema. This means all events, that are loggable, will have exactly the same set of fields per event type that will be logged.

The contents of the fields will obiously differ per operating system and on Linux not all will be populated but all field names will be the same, as well as creating a configuration, which is great! Keep this in mind when requesting the schema, on Linux you will get the same output as the equivalent on Windows.

Sysmon -c output, partial schema export

However, not all event types are currently supported by Sysmon for Linux at the time of release. Right now the following events are supported by the Linux version:

Event ID | Description
       1 | Process Creation
       3 | Network Connect
       5 | Process Terminate
       9 | RAW access read
      11 | File Create / Overwrite 
      16 | Sysmon config change
      23 | File Delete

A great overview and deployment templates by Roberto Rodriguez can be found here


Configuration

Writing a configuration will be very familiar to people that have used it on Windows before. The exact same structure and filters can be applied to it.

https://gist.github.com/olafhartong/56bfbbe1a43ba675fdf5b9f194d608af
Example very basic sysmon configuration

Logging

All logs are written as an XML event to the syslog file. The Sysinternals team also included the sysmonLogView utility for parse the data in a more readable format on the local system.

Log entry example in /var/log/syslog

As you can see from the examples that were created with the sysmonLogView tool below, the events look very similar to the Windows equivalent. For the Process Creation events the only thing that is obviously missing is the PE data as well as the hashes.

Process creation event sample
Network connect event sample
Process termination event sample
Process access event sample
Sysmon config change event sample
File Delete event sample

Tags:

252 views0 comments

Comments

Rated 0 out of 5 stars.
No ratings yet
Add a rating
Stationary photo

Be the first to know

Subscribe to our newsletter to receive news and updates.

Thanks for submitting!

Follow us
bottom of page