The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.
Microsoft Sysmon is a free agent that can be installed on Windows systems and configured to provide rich details about events of particular interest when performing security monitoring of systems. This technology pack processes all Sysmon event log messages produced by recent and current versions of Sysmon, providing normalization and enrichment of common events of interest.
Supported Version(s)
- Sysmon version 12 or later.
Stream Configuration
This technology pack includes one stream:
- “Illuminate:Sysmon;Messages”, which will contain all events collected from the Sysmon event log
Index Set Configuration
This technology pack includes one index set definition:
- “Sysmon Event Log Messages,” which contains all messages from the Windows Sysmon event log.
If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
Requirements
- Sysmon event logs delivered to Graylog via Winlogbeat 7.x or NXLog 2.10, 3.0 or 3.1
Log Delivery Configuration
The log delivery agent, either Winlogbeat or NXLog, must be configured to collect Sysmon events from the Windows event log service. Examples are listed below, but please refer to the agent's configuration documentation to configure the log delivery agent to support your requirements.
Agent Configuration - Winlogbeat 7.x
- Under the event_logs: section of the Winlogbeat configuration, add the line:
    name: Microsoft-Windows-Sysmon/Operational
Agent Configuration - NXLog 2.10, 3.0 or 3.1
- In the QueryXML section of the NXLog configuration, add the following:
    <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>
Working NXLog configuration file collecting the Sysmon, Security, Application, System and PowerShell event logs:
This configuration requires NXLog 3.x to be installed in C:\Program Files (x86)\nxlog rather than in the default folder.
The Host and Port values are examples; replace them with your Graylog server's IP address and the port of your GELF TCP input.
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

# Rotate NXLog's own log file daily, keeping 7 copies.
<Extension logrotate>
    Module xm_fileop
    <Schedule>
        When @daily
        Exec file_cycle('%ROOT%\data\nxlog.log', 7);
    </Schedule>
</Extension>

<Extension gelfExt>
    Module xm_gelf
    # Avoid truncation of the short_message field to 64 characters.
    ShortMessageLength 65536
</Extension>

# Read the Security, Application, System, PowerShell and Sysmon channels.
<Input eventlog>
    Module im_msvistalog
    PollInterval 1
    SavePos False
    ReadFromLast True
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Security'>*</Select>
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>
                <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Send events to Graylog as GELF over TCP (Host and Port are examples).
<Output gelf>
    Module om_tcp
    Host 192.168.122.40
    Port 12244
    OutputType GELF_TCP
    <Exec>
        # These fields are needed for Graylog
        $gl2_source_collector = '${sidecar.nodeId}';
        $collector_node_id = '${sidecar.nodeName}';
    </Exec>
</Output>

<Route route-1>
    Path eventlog => gelf
</Route>
What is Provided
- Parsing rules to extract Sysmon logs into Graylog schema compatible fields
- Graylog Information Model message categorization
- Illuminate spotlight
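The normalization the pack performs is easiest to see with the same Sysmon event in the two layouts the supported agents produce. Below is an added illustration, not the Illuminate pack's own parsing rules and not Graylog code: it takes a Sysmon Event ID 1 (process creation) record as Winlogbeat 7.x ships it (nested under winlog) and as NXLog's im_msvistalog module ships it over GELF (event data flattened to top-level fields), and maps both to one common field set. The target field names (process_command_line, host_hostname, event_source_product and so on) and the category labels are assumptions in the Graylog schema naming style, not the pack's actual output, and both input records are constructed samples.

```python
"""Added illustration of normalizing Sysmon events from two delivery agents.
Example code only: not the Illuminate pack's parsing rules. The target field
names and category labels are assumptions, not the pack's real output."""
import json
from typing import Any, Dict, Tuple

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Assumed coarse category labels keyed by Sysmon event ID (not real GIM values).
EVENT_CATEGORY = {
    1: "process.create",
    3: "network.connect",
    7: "image.load",
    11: "file.create",
    22: "dns.query",
}

# Constructed sample: Event ID 1 as Winlogbeat 7.x ships it (nested "winlog").
WINLOGBEAT_SAMPLE = json.dumps({
    "winlog": {
        "channel": SYSMON_CHANNEL,
        "event_id": 1,
        "computer_name": "WS01.example.test",
        "event_data": {
            "Image": "C:\\Windows\\System32\\cmd.exe",
            "CommandLine": "cmd.exe /c whoami",
            "ParentImage": "C:\\Windows\\explorer.exe",
            "User": "EXAMPLE\\alice",
            "ProcessId": "4321",
            "ParentProcessId": "1234",
        },
    }
})

# Constructed sample: the same event as NXLog's im_msvistalog module sends it
# over GELF, where event-data members appear as top-level fields.
NXLOG_SAMPLE = json.dumps({
    "Channel": SYSMON_CHANNEL,
    "EventID": 1,
    "Hostname": "WS01.example.test",
    "Image": "C:\\Windows\\System32\\cmd.exe",
    "CommandLine": "cmd.exe /c whoami",
    "ParentImage": "C:\\Windows\\explorer.exe",
    "User": "EXAMPLE\\alice",
    "ProcessId": "4321",
    "ParentProcessId": "1234",
})


def _split_layout(record: Dict[str, Any]) -> Tuple[str, int, str, Dict[str, Any]]:
    """Return (channel, event_id, hostname, event_data) for either agent layout."""
    if "winlog" in record:  # Winlogbeat 7.x layout
        w = record["winlog"]
        return (w.get("channel", ""), int(w.get("event_id", 0)),
                w.get("computer_name", ""), dict(w.get("event_data", {})))
    # NXLog layout: metadata and event data share the top level
    meta = {"Channel", "EventID", "Hostname"}
    data = {k: v for k, v in record.items() if k not in meta}
    return (record.get("Channel", ""), int(record.get("EventID", 0)),
            record.get("Hostname", ""), data)


def normalize_sysmon(raw_json: str) -> Dict[str, Any]:
    """Map a Sysmon event from either agent to a common (assumed) field set.

    Raises ValueError for events that did not come from the Sysmon channel,
    which is the check a stream or pipeline rule would use to route only
    Sysmon events into the Sysmon stream.
    """
    channel, event_id, host, data = _split_layout(json.loads(raw_json))
    if channel != SYSMON_CHANNEL:
        raise ValueError(f"not a Sysmon event: channel={channel!r}")

    out: Dict[str, Any] = {
        "event_source_product": "sysmon",  # assumed field name
        "windows_event_id": event_id,
        "host_hostname": host,
        "event_category": EVENT_CATEGORY.get(event_id, "other"),
    }
    if event_id == 1:  # process creation carries the richest event data
        domain, _, user = data.get("User", "").rpartition("\\")
        out.update({
            "process_path": data.get("Image"),
            "process_command_line": data.get("CommandLine"),
            "process_id": int(data["ProcessId"]) if "ProcessId" in data else None,
            "process_parent_path": data.get("ParentImage"),
            "process_parent_id": (int(data["ParentProcessId"])
                                  if "ParentProcessId" in data else None),
            "user_name": user,
            "user_domain": domain or None,
        })
    return out


if __name__ == "__main__":
    for sample in (WINLOGBEAT_SAMPLE, NXLOG_SAMPLE):
        print(json.dumps(normalize_sysmon(sample), indent=2))
```

Both samples produce an identical normalized record, which is the point of the pack's parsing rules: detections and dashboards can be written once against the common field names regardless of whether Winlogbeat or NXLog delivered the event. The channel check also shows why a non-Sysmon event from the same NXLog input (the Security or System channels in the configuration above) must be routed elsewhere rather than into the Sysmon stream.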
Events Processed by This Technology Pack
- The Sysmon technology pack will process all Sysmon event IDs.