-
I have multiple custom channels where Security and Sysmon logs are forwarded.
```
@type windows_eventlog2
@id wec_channels
channels ["WEC-Security", "WEC-Sysmon"]
read_interval 2
r…
```
-
I'm trying to reproduce your PoC, but it's not working for me.
I'm debugging the PoC with Procmon and checking the source code (lines 52 to 70) and saw an error when creating the file. Any idea fi…
-
For custom rules such as file overwrite / create, which Event ID should we use to log changes? Event ID 11 or 2?
For example, I need to log when the file at path c:\programdata\file.log is changed.
-
Dear Sysmon contributors,
I am opening a Sysmon feature request in this repository as I did not find any other place to do it, but also because I saw some previous feature requests were handled in …
-
I am noticing on Windows 10 Pro and Windows 11 Pro strange problems with the Sysmon or Sysmon64 service stopping.
Tested Sysmon version: 15.0 and 15.12 - the same problem.
Windows 10 and Windows…
-
# Feature request
Use Sysmon as a source of events for all the supported events. We can project Sysmon's event data within osquery core as evented tables in real time using ETW tracing.
Curre…
-
Hi all,
I use this tool, but I have a problem: when executing Sysmon, it doesn't show the running process.
It just says "unknown".
How can I fix this problem?
OS:Ubuntu 22.04 (Linux kernel: 5.19.0-4…
-
Winlogbeat ingest pipelines Security and Sysmon missing geoIP.
- Version 8.7.1
- Discuss Forum URL: https://discuss.elastic.co/t/winlogbeat-ingest-pipelines-missing-geoip/334575
-
**Describe the bug**
The sysmon service is active but no logs are written.
More precisely, logs are visible via journalctl but not via the log file /var/log/sysmon/sysmon.log.
log file output set by https:/…
-
Create an ingestion script which:
- adjusts timestamps in preserved evidence
- e.g. now - 1 week, or configurable
- corrects timestamps by 2 hours in Windows event logs
- system clock was in UTC, bu…