SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

Installed sysmon cannot see any event logs #158

Closed zhex900 closed 2 years ago

zhex900 commented 2 years ago

Hi,

I have installed sysmon64 but I cannot see any logs in the event viewer.

Is it because Image Loading is disabled? How do I enable it?

// config.xml
<Sysmon schemaversion="4.5">
    <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
    <CheckRevocation/>
    <EventFiltering>
        <RuleGroup name="" groupRelation="or">
            <ProcessCreate onmatch="include">
                <Image condition="image">notepad.exe</Image>
                <Image condition="image">chrome.exe</Image>                <!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
            </ProcessCreate>

            <ProcessTerminate onmatch="include">
                <Image condition="image">notepad.exe</Image>
                <Image condition="image">chrome.exe</Image>                <!--Devices and VSC shouldn't be executing changes | Credit: @SBousseaden @ionstorm @neu5ron @PerchedSystems [ https://twitter.com/SwiftOnSecurity/status/1133167323991486464 ] -->
            </ProcessTerminate>
        </RuleGroup>
    </EventFiltering>
</Sysmon>

Sysmon64 -c

System Monitor v13.24 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2021 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Current configuration:
 - Service name:                  Sysmon64
 - Driver name:                   SysmonDrv
 - Config file:                   .\sysmon-config.xml
 - Config hash:                   SHA256=4714F020F75C2AC96A7B431A4D16B1FFA03DF9999FD6C2DD8BACD9085D3C99AE

 - HashingAlgorithms:             MD5,SHA256,IMPHASH
 - Network connection:            disabled
 - Archive Directory:             -
 - Image loading:                 disabled
 - CRL checking:                  enabled
 - DNS lookup:                    enabled

Rule configuration (version 4.50):
 - ProcessCreate                      onmatch: include   combine rules using 'Or'
        Image                          filter: image        value: 'notepad.exe'
        Image                          filter: image        value: 'chrome.exe'
 - ProcessTerminate                   onmatch: include   combine rules using 'Or'
        Image                          filter: image        value: 'notepad.exe'
        Image                          filter: image        value: 'chrome.exe'

zhex900 commented 2 years ago

Sorry it did work. I was not looking at the right place.

Event viewer under Applications and Services Logs > Microsoft > Windows > Sysmon.
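The Event Viewer path above corresponds to the `Microsoft-Windows-Sysmon/Operational` channel, so the same check can be done from PowerShell. The script below is an added example, not code from this issue or from the sysmon-config project: it counts records in that channel, decodes the most recent ProcessCreate (Event ID 1) events produced by the rules in the posted config, and then shows how the "Image loading: disabled" line in the `Sysmon64 -c` output is turned on, namely by adding an `ImageLoad` rule to `EventFiltering` (the `notepad.exe` image, the file name `sysmon-imageload.xml` and the `Sysmon64.exe` path on `PATH` are assumptions; the `-c` update step needs an elevated shell).

```powershell
# Added example, not part of the original issue or the sysmon-config project.
$log = 'Microsoft-Windows-Sysmon/Operational'

# 1. Confirm the Sysmon channel exists and how many records it holds.
#    A missing channel means the Sysmon service/driver is not installed;
#    a zero record count means no rule has matched yet.
$info = Get-WinEvent -ListLog $log -ErrorAction Stop
"Sysmon channel '$log' holds $($info.RecordCount) records"

# 2. Decode the newest ProcessCreate events (Event ID 1). The posted config only
#    includes notepad.exe and chrome.exe, so these are the images expected here.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
        }
    } | Format-Table -AutoSize

# 3. "Image loading: disabled" in the `Sysmon64 -c` output simply means the
#    config has no ImageLoad rule. Adding one enables Event ID 7 (Image loaded)
#    for the listed process; the XML below is a constructed config, written out
#    and applied with an elevated `Sysmon64 -c`.
$imageLoadConfig = @'
<Sysmon schemaversion="4.50">
    <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
    <CheckRevocation/>
    <EventFiltering>
        <RuleGroup name="" groupRelation="or">
            <ProcessCreate onmatch="include">
                <Image condition="image">notepad.exe</Image>
            </ProcessCreate>
            <!-- ImageLoad rule: DLLs loaded into notepad.exe are now logged as Event ID 7 -->
            <ImageLoad onmatch="include">
                <Image condition="image">notepad.exe</Image>
            </ImageLoad>
        </RuleGroup>
    </EventFiltering>
</Sysmon>
'@
$configPath = Join-Path $env:TEMP 'sysmon-imageload.xml'   # assumed file name
Set-Content -Path $configPath -Value $imageLoadConfig -Encoding UTF8

# Apply the updated config (requires an elevated shell and Sysmon64.exe on PATH),
# then re-read the current configuration: "Image loading" should now report enabled.
& Sysmon64.exe -c $configPath
& Sysmon64.exe -c | Select-String 'Image loading'

# Event ID 7 records appear once notepad.exe is started after the config change.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 7 } -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

The `-ErrorAction SilentlyContinue` on the `Get-WinEvent` queries avoids the "No events were found" error on a host where the rules have not matched yet, which is exactly the situation in the original question: the channel exists and is populated, but only for the images the `include` rules name.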