Graylog Illuminate is available for use with Graylog Enterprise and Graylog Security. Contact sales to learn more about obtaining Illuminate.

Microsoft Sysmon is a free agent that can be installed on Windows systems and configured to provide rich details about events of particular interest when performing security monitoring of systems. This technology pack will process all Sysmon event log messages produced by recent and current versions of Sysmon. This technology pack will process Sysmon logs, providing normalization and enrichment of common events of interest.

Supported Version(s)

  • Sysmon version 12 later.

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:Sysmon;Messages”, which will contain all events collected from the Sysmon event log

Index Set Configuration

This technology pack includes one index set definition:

  • “Sysmon Event Log Messages,” which contains all messages from the Windows Sysmon event log.

If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Requirements

  • Sysmon event logs delivered to Graylog via Winlogbeat 7.x or NXLog 2.10, 3.0 or 3.1

Log Delivery Configuration

The log delivery agent, either Winlogbeat or NXLog, must be configured to collect Sysmon events from the Windows event log service. Examples are listed below but please refer to the agent’s configuration documentation to properly configure the log delivery agent to support your requirements.

Agent Configuration - Winlogbeat 7.x

  1. Under the event_logs: section of the Winlogbeat configuration, add the line:
    • name: Microsoft-Windows-Sysmon/Operational

Agent Configuration - NXLog 2.10, 3.0 or 3.1

  1. In the QueryXML section of the NXLog configuration, add the following:

    • <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>

     

    Working configuration file for Sysmon (Security, Application, System, Powershell):

    This configuration requires to install NXLog 3.x in C:\Program Files (x86)\nxlog and not in the default folder.

    The HOST and Port are examples, use your Graylog IP and your port.

    Copy
    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log
    LogLevel INFO

    <Extension logrotate>
        Module  xm_fileop
        <Schedule>
            When    @daily
            Exec    file_cycle('%ROOT%\data\nxlog.log', 7);
         </Schedule>
    </Extension>

    <Extension gelfExt>
      Module xm_gelf
      # Avoid truncation of the short_message field to 64 characters.
      ShortMessageLength 65536
    </Extension>

    <Input eventlog>
            Module im_msvistalog
            PollInterval 1
            SavePos False
            ReadFromLast True
        <QueryXML>
            <QueryList>
                <Query Id='1'>
                    <Select Path='Security'>*</Select>
                    <Select Path="Application">*</Select>
                    <Select Path="System">*</Select>
                    <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
                    <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

    <Output gelf>
    Module om_tcp
    Host 192.168.122.40
    Port 12244
    OutputType  GELF_TCP
    <Exec>
     # These fields are needed for Graylog
     $gl2_source_collector = '${sidecar.nodeId}';
     $collector_node_id = '${sidecar.nodeName}';
    </Exec>
    </Output>

    <Route route-1>
      Path eventlog => gelf
    </Route>

What is Provided

  • Parsing rules to extract Sysmon logs into Graylog schema compatible fields
  • Graylog Information Model message categorization
  • Illuminate spotlight

Events Processed by This Technology Pack

  • The Sysmon technology pack will process all Sysmon event IDs.