SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

No Sysmon Event ID 1 events are being logged #117

Open lindonzoo opened 4 years ago

lindonzoo commented 4 years ago

Hi all,

Using Sysmon v11 on a fresh install of Windows Server 2016.

Installed Sysmon via elevated PS:

.\Sysmon64.exe -i ..\..\Desktop\sysmon.xml

Output from command:

System Monitor v11.0 - System activity monitor
Copyright (C) 2014-2020 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 4.22
Sysmon schema version: 4.30
Configuration file validated.
Sysmon64 installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon64..
Sysmon64 started.

I can see events for process termination, DNS, etc., but not process creation.

I am not sure if the following points to any clues on the issue:

Loading configuration file with schema version 4.22
Sysmon schema version: 4.30

I have also tried Sysmon.exe (as opposed to Sysmon64.exe) with no luck.

Anyone else seen this?

Iveco commented 4 years ago

Known bug in Sysmon, wait for an update from Mark.

jokezone commented 4 years ago

I first saw this reported on 05 May here:

https://twitter.com/S0xbad1dea/status/1257699725786177536?s=19

daniaabujuma commented 12 months ago

Hi, can anyone help by telling me how this issue was solved? I am facing the same issue currently, as I have downloaded Sysmon on multiple devices, and Event ID 1 is working on some of them and not working on the rest. Please advise.
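Both the original report and the later comment describe the same symptom: other Sysmon events arrive, but no Event ID 1 (process creation). Before attributing that to a Sysmon bug, it is worth separating the three things that can each produce it: the config file's schema version and ProcessCreate rule, the configuration the driver is actually running, and whether Event ID 1 entries are simply absent from the log. The following PowerShell script is an added diagnostic example, not code from the issue thread or from the sysmon-config project. It assumes Sysmon was installed as Sysmon64 (as in the report) and that `$ConfigPath` is replaced with the real path of the installed config file; run it from an elevated prompt, since `Sysmon64.exe -c` needs one.

```powershell
# Added diagnostic example (not from the issue thread or the sysmon-config project).
# Assumptions: Sysmon64 is installed (it copies itself to %SystemRoot%\Sysmon64.exe),
# and $ConfigPath is a placeholder for the config file you passed to -i.
$ConfigPath = 'C:\path\to\sysmon.xml'   # placeholder: set to your installed config

# 1. Schema version declared by the config file. The report shows 4.22 in the file
#    against 4.30 reported by the Sysmon v11 binary; an older schema is accepted, but
#    record it so the mismatch can be correlated with which event types go missing.
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
"Config schema version: {0}" -f $cfg.Sysmon.schemaversion

# 2. Does the config carry a ProcessCreate rule, and with which onmatch value?
#    onmatch="include" logs only what the filters match; onmatch="exclude" logs
#    everything except what they match. No ProcessCreate rule at all means the
#    Sysmon default for that event applies.
$pc = $cfg.SelectNodes('//ProcessCreate')
if ($pc.Count -eq 0) {
    "No ProcessCreate rule in the config file."
} else {
    foreach ($node in $pc) {
        "ProcessCreate onmatch='{0}', {1} child element(s)" -f $node.onmatch, $node.ChildNodes.Count
    }
}

# 3. Count Sysmon events per ID in the last hour. Event ID 1 should be present if
#    process creation is being recorded and at least one process started in that window.
$since  = (Get-Date).AddHours(-1)
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$events | Group-Object -Property Id | Sort-Object { [int]$_.Name } |
    ForEach-Object { "Event ID {0}: {1}" -f $_.Name, $_.Count }
if (-not ($events | Where-Object { $_.Id -eq 1 })) {
    "No Event ID 1 (process creation) events since $since."
}

# 4. Print the configuration the driver is actually running, to compare with the file.
#    Running Sysmon64.exe with -c and no file argument dumps the current configuration.
& "$env:SystemRoot\Sysmon64.exe" -c
```

Step 3 only reflects processes started inside the one-hour window, so launch something harmless (a second PowerShell window is enough) before reading the counts. If the dumped configuration in step 4 shows a ProcessCreate rule with onmatch="include" whose filters match nothing on that host, the absence of Event ID 1 is a filtering outcome rather than a driver fault; if the rule and filters look right and the log still has no Event ID 1 while IDs 5 and 22 keep arriving, that matches the symptom reported here.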