93. Sysmon

NXLog can be configured to capture and process audit logs generated by the Sysinternals Sysmon utility. Sysmon is a Windows system service and device driver that logs system activity to the Windows EventLog. Supported events include (but are not limited to):

  • process creation and the full command line used,

  • loading of system drivers,

  • network connections, and

  • modification of file creation timestamps.

On Windows Vista and higher, Sysmon’s events are stored in the Microsoft-Windows-Sysmon/Operational event log. On older systems, events are written to the System event log.

93.1. Setting up Sysmon

To download Sysmon, and for full details about configuring and installing Sysmon, see the Sysmon page on Microsoft Docs.

  1. Download and extract the Sysmon ZIP archive.

  2. Install the Sysmon service with the default parameters. The service will become active immediately; no restart is required. The service will remain resident across reboots. Other command-line parameters are available to enable or disable various types of logging.

    > sysmon -accepteula -i
  3. A more detailed configuration, including event filtering, can be deployed by creating a custom XML configuration file for Sysmon. The file can also be supplied at install time (sysmon -accepteula -i config.xml).

    See SwiftOnSecurity Sysmon configuration, or IONStorm Sysmon configuration on GitHub. Both provide good information for understanding what is possible with Sysmon and include many examples.

    Use the -c option to update the service with a new configuration.

    > sysmon -c config.xml
  4. To uninstall the Sysmon service, use the -u option.

    > sysmon -u

93.2. Collecting Sysmon Events

When Sysmon generates EventLog data, it encodes details of the event into the EventData tag of the EventLog record.

Example Sysmon EventLog Entry
<EventData>
  <Data Name="UtcTime">2015.04.27. 13:23</Data>
  <Data Name="ProcessGuid">{00000000-3862-553E-0000-001051D40527}</Data>
  <Data Name="ProcessId">25848</Data>
  <Data Name="Image">c:\Program Files (x86)\nxlog\nxlog.exe</Data>
  <Data Name="CommandLine">"c:\Program Files (x86)\nxlog\nxlog.exe" -f</Data>
  <Data Name="User">WIN-OUNNPISDHIG\Administrator</Data>
  <Data Name="LogonGuid">{00000000-568E-5453-0000-0020D5ED0400}</Data>
  <Data Name="LogonId">0x4edd5</Data>
  <Data Name="TerminalSessionId">2</Data>
  <Data Name="IntegrityLevel">High</Data>
  <Data Name="HashType">SHA1</Data>
  <Data Name="Hash">1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94</Data>
  <Data Name="ParentProcessGuid">{00000000-3862-553E-0000-001088D30527}</Data>
  <Data Name="ParentProcessId">26544</Data>
  <Data Name="ParentImage">C:\msys\1.0\bin\sh.exe</Data>
  <Data Name="ParentCommandLine">C:\msys\1.0\bin\sh.exe</Data>
</EventData>

Sysmon audit log data can be collected with im_msvistalog (or other modules, see Windows Event Log). The Data tags will be automatically parsed, and the values will be available as fields in the event records. The log data can then be forwarded to a log analytics system to allow identification of malicious or anomalous activity.

Example 393. Collecting Sysmon Logs

Here, the im_msvistalog module will collect all Sysmon events from the EventLog. A sample event is shown below.

nxlog.conf
<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
Output Sample
{
  "EventTime": "2015-04-27 15:23:46",
  "Hostname": "WIN-OUNNPISDHIG",
  "Keywords": -9223372036854775808,
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 1,
  "SourceName": "Microsoft-Windows-Sysmon",
  "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
  "Version": 3,
  "Task": 1,
  "OpcodeValue": 0,
  "RecordNumber": 2335906,
  "ProcessID": 1680,
  "ThreadID": 1728,
  "Channel": "Microsoft-Windows-Sysmon/Operational",
  "Domain": "NT AUTHORITY",
  "AccountName": "SYSTEM",
  "UserID": "SYSTEM",
  "AccountType": "Well Known Group",
  "Message": "Process Create:\r\nUtcTime: 2015.04.27. 13:23\r\nProcessGuid: {00000000-3862-553E-0000-001051D40527}\r\nProcessId: 25848\r\nImage: c:\\Program Files (x86)\\nxlog\\nxlog.exe\r\nCommandLine: \"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f\r\nUser: WIN-OUNNPISDHIG\\Administrator\r\nLogonGuid: {00000000-568E-5453-0000-0020D5ED0400}\r\nLogonId: 0x4edd5\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashType: SHA1\r\nHash: 1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94\r\nParentProcessGuid: {00000000-3862-553E-0000-001088D30527}\r\nParentProcessId: 26544\r\nParentImage: C:\\msys\\1.0\\bin\\sh.exe\r\nParentCommandLine: C:\\msys\\1.0\\bin\\sh.exe",
  "Opcode": "Info",
  "UtcTime": "2015.04.27. 13:23",
  "ProcessGuid": "{00000000-3862-553E-0000-001051D40527}",
  "Image": "c:\\Program Files (x86)\\nxlog\\nxlog.exe",
  "CommandLine": "\"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f",
  "User": "WIN-OUNNPISDHIG\\Administrator",
  "LogonGuid": "{00000000-568E-5453-0000-0020D5ED0400}",
  "LogonId": "0x4edd5",
  "TerminalSessionId": "2",
  "IntegrityLevel": "High",
  "HashType": "SHA1",
  "Hash": "1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94",
  "ParentProcessGuid": "{00000000-3862-553E-0000-001088D30527}",
  "ParentProcessId": "26544",
  "ParentImage": "C:\\msys\\1.0\\bin\\sh.exe",
  "ParentCommandLine": "C:\\msys\\1.0\\bin\\sh.exe",
  "EventReceivedTime": "2015-04-27 15:23:47",
  "SourceModuleName": "in",
  "SourceModuleType": "im_msvistalog"
}

93.3. Filtering Sysmon Events

Sysmon can generate a very large volume of events, and most deployments need to filter them so that only useful records are kept. There are three main places to do this.

Sysmon configuration

Sysmon's XML configuration supports include and exclude filtering rules for each event type, so unwanted events are never written to the EventLog. See Setting up Sysmon above and the Sysmon page for details about the available rules. This method is the most efficient because it avoids creating the unwanted log entries in the first place.

EventLog XPath query

The im_msvistalog Query or QueryXML directive can be used to limit the entries that are read via the EventLog API. Because this method restricts the number of entries that reach NXLog, it is a fairly efficient way to filter logs.

Example 394. Filtering Sysmon Events With an XPath Query

The following example shows a query that collects only events that have an event ID of 1 (process creation).

nxlog.conf
<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">
                    *[System[(EventID='1')]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
NXLog language

Finally, the built-in filtering capabilities of the NXLog language can be used in an Exec block. This is often easier to write than the XPath syntax of the EventLog API, but it is the least efficient of the three methods: every event is still written by Sysmon and read by NXLog before it is discarded.

Example 395. Filtering Sysmon Events in an Exec Block

This example discards all network connection events (event ID 3) regarding HTTP network connections to a particular server and port, and all process creation and termination events (event IDs 1 and 5) for conhost.exe.

nxlog.conf
<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if ($EventID in (1, 5) and
            $Image == "C:\\Windows\\System32\\conhost.exe") or
           ($EventID == 3 and
            $DestinationPort == 80 and
            $DestinationIp == 10.0.0.1)
           drop();
    </Exec>
</Input>
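The field extraction described in Collecting Sysmon Events and the drop() rules of Example 395, as one added example that is not part of the original page and is not NXLog or Sysmon code: a Python script that flattens Sysmon <Event> records into fields the way im_msvistalog does, then applies the same filter. The five records are constructed for illustration (the first mirrors the page's nxlog.exe sample), and the helper names are assumptions. One deliberate difference from the Exec block above: Image is compared case-insensitively, because Sysmon records the path as the kernel reported it and the page's own sample shows a lowercase drive letter, whereas the string == in the NXLog example matches exactly.

```python
"""Added example (not NXLog or Sysmon code): flatten Sysmon <Event> records
into fields as im_msvistalog does and apply the drop() rules of Example 395.
All records below are constructed for illustration; the first mirrors the
page's nxlog.exe sample."""
import ipaddress
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace carried by real EventLog XML; the parser also tolerates its absence.
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
CONHOST = r"C:\Windows\System32\conhost.exe"


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon_event(xml_text: str) -> dict:
    """Return one dict per record: EventID/Channel/Computer from <System>
    plus one key per <Data Name="..."> in <EventData>, values kept as strings."""
    fields = {}
    for section in ET.fromstring(xml_text):
        if _local(section.tag) == "System":
            for child in section:
                if _local(child.tag) in ("EventID", "Channel", "Computer"):
                    fields[_local(child.tag)] = (child.text or "").strip()
        elif _local(section.tag) == "EventData":
            for data in section:
                fields[data.get("Name")] = data.text or ""
    fields["EventID"] = int(fields["EventID"])
    return fields


def should_drop(ev: dict) -> bool:
    """Same conditions as the Exec block in Example 395. Image is compared
    case-insensitively (assumption: safer than NXLog's exact ==, since Sysmon
    does not normalize path case)."""
    eid = ev["EventID"]
    if eid in (1, 5) and ev.get("Image", "").lower() == CONHOST.lower():
        return True
    if eid == 3:
        try:
            port = int(ev.get("DestinationPort", ""))
            ip = ipaddress.ip_address(ev.get("DestinationIp", ""))
        except ValueError:  # malformed or missing fields: keep the event
            return False
        return port == 80 and ip == ipaddress.IPv4Address("10.0.0.1")
    return False


def filter_events(xml_records) -> list:
    """Parse every record and keep those the filter would not drop()."""
    return [ev for ev in map(parse_sysmon_event, xml_records) if not should_drop(ev)]


def _event(event_id: int, data: dict) -> str:
    """Build a constructed Sysmon record with a minimal <System> section."""
    body = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID>'
            '<Channel>Microsoft-Windows-Sysmon/Operational</Channel>'
            '<Computer>WIN-OUNNPISDHIG</Computer></System>'
            f'<EventData>{body}</EventData></Event>')


SAMPLE_EVENTS = [  # constructed test data, not captured from a real host
    _event(1, {"Image": r"c:\Program Files (x86)\nxlog\nxlog.exe",
               "CommandLine": r'"c:\Program Files (x86)\nxlog\nxlog.exe" -f',
               "User": r"WIN-OUNNPISDHIG\Administrator",
               "ParentImage": r"C:\msys\1.0\bin\sh.exe"}),
    _event(1, {"Image": CONHOST, "ParentImage": r"C:\Windows\System32\cmd.exe"}),
    _event(5, {"Image": r"c:\windows\system32\conhost.exe"}),
    _event(3, {"Image": r"C:\Windows\System32\curl.exe", "Protocol": "tcp",
               "DestinationIp": "10.0.0.1", "DestinationPort": "80"}),
    _event(3, {"Image": r"C:\Windows\System32\curl.exe", "Protocol": "tcp",
               "DestinationIp": "10.0.0.1", "DestinationPort": "443"}),
]

if __name__ == "__main__":
    for ev in filter_events(SAMPLE_EVENTS):
        print(ev["EventID"], ev["Image"], ev.get("DestinationPort", ""))
```

Running the script prints the two surviving records: the nxlog.exe process creation and the port 443 connection. The lowercase conhost.exe termination event (ID 5) is dropped here but would survive the exact-match == in the Exec block above; in NXLog, lower-casing both sides with lc() before comparing gives the same result as this script.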