Graylog Illuminate is available for use with Graylog Operations and Graylog Security. Contact sales to learn more about obtaining the Graylog Illuminate release file.

Microsoft Sysmon is a free agent that can be installed on Windows systems and configured to provide rich details about events of particular interest when performing security monitoring of systems. This technology pack processes all Sysmon event log messages produced by recent and current versions of Sysmon, providing normalization and enrichment of common events of interest.

Supported Version(s)

  • Sysmon version 12 or later.

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:Sysmon;Messages”, which will contain all events collected from the Sysmon event log

Index Set Configuration

This technology pack includes one index set definition:

  • “Sysmon Event Log Messages,” which contains all messages from the Windows Sysmon event log.

If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Requirements

  • Sysmon event logs delivered to Graylog via Winlogbeat 7.x or NXLog 2.10.

Log Delivery Configuration

The log delivery agent, either Winlogbeat or NXLog, must be configured to collect Sysmon events from the Windows event log service. Examples are listed below, but refer to the agent’s own configuration documentation to configure the log delivery agent to suit your requirements.

Agent Configuration - Winlogbeat 7.x

  1. Under the event_logs: section of the Winlogbeat configuration, add the line:
    • name: Microsoft-Windows-Sysmon/Operational

Agent Configuration - NXLog 2.10

  1. In the QueryXML section of the NXLog configuration, add the following:

    • <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>
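A minimal Winlogbeat 7.x configuration that collects the Sysmon channel and forwards it to a Graylog Beats input, as an added example rather than configuration from the Graylog documentation; the Graylog hostname, port and CA path are assumptions to be replaced with your own values.

```yaml
# winlogbeat.yml (added example; hostnames, port and certificate path are assumptions)
winlogbeat.event_logs:
  # The Sysmon channel required by this technology pack.
  - name: Microsoft-Windows-Sysmon/Operational
    # On first start, skip events older than 72h so a backlog is not replayed.
    ignore_older: 72h

# Graylog's Beats input speaks the same protocol as the Beats "logstash" output.
output.logstash:
  hosts: ["graylog.example.internal:5044"]   # assumed Graylog node and Beats input port
  # Encrypt the transport so Sysmon telemetry is not readable on the wire;
  # the CA file is an assumed path that must match the Graylog input's TLS setup.
  ssl.certificate_authorities: ["C:/ProgramData/winlogbeat/graylog-ca.crt"]
```

Restart the Winlogbeat service after editing the file and confirm that messages arrive in the "Illuminate:Sysmon;Messages" stream before tuning retention.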

What is Provided

  • Parsing rules to extract Sysmon logs into Graylog schema compatible fields
  • Graylog Information Model message categorization
  • Illuminate spotlight

Events Processed by This Technology Pack

  • The Sysmon technology pack will process all Sysmon event IDs.