SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

DNSQuery EID not found in event viewer #79

Open weiofcn opened 5 years ago

weiofcn commented 5 years ago
OS: windows 7 x64
OS Version:  6.1.7601 Service Pack 1 Build 7601

I downloaded sysmon from https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

I tried installation and uninstallation many times, and it still doesn't show any EID 22. Yes, I did visit many, many URLs from Chrome.

Does anyone have the same confusion?

ClintRajaniemi commented 5 years ago
> OS: windows 7 x64
> OS Version:  6.1.7601 Service Pack 1 Build 7601
>
> I downloaded sysmon from https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
>
> I tried installation and uninstallation many times, and it still doesn't show any EID 22. Yes, I did visit many, many URLs from Chrome.
>
> Does anyone have the same confusion?

Same here, I presume you enabled the DNS Client Events logs? I did and still no Event ID 22 in Sysmon logs. I've been hacking at it a bit of the day. I've not worked with Sysmon configs in the past and figured I was just messing something up (or forgetting to enable something).

analyze-v commented 5 years ago

Hello. This was reported to us by a customer earlier today, and in their environment at least it was caused by a comment immediately after the RuleGroup element.

sha256,sha1,IMPHASH and was resolved by removing the comment line above. If this fails to resolve the issue in your environment, could you email your config to marcook@microsoft.com and I will take a look for you. Regards, Mark Cook (MSFT)

zhiwzhao commented 5 years ago

My OS is win7, and the config file loaded is z-AlphaVersion.xml, but no DNS query events are logged. I did not find the "sha256,sha1,IMPHASH" line that @analyze-v commented on in z-AlphaVersion.xml, so the issue is still there.

analyze-v commented 5 years ago

Sorry, that was a copy-and-paste error on my part.

You need to remove the comment immediately after the RuleGroup element in the config (in this example, the line that includes SYSMON EVENT ID 22 : DNS EVENT LOGGING):

  <EventFiltering>
       <RuleGroup name="" groupRelation="or">
            <!--SYSMON EVENT ID 22 : DNS EVENT LOGGING-->
             <DnsQuery onmatch="exclude">
                   <!--Network noise-->
             </DnsQuery>
       </RuleGroup>
  </EventFiltering>
analyze-v commented 5 years ago

Sorry, that was a copy-and-paste error on my part, as the relevant config extracts I pasted in were misinterpreted as content tags. I updated the forum comment, but what you need to remove is the comment line that immediately follows the RuleGroup tag (the one that includes SYSMON EVENT ID 22 : DNS EVENT LOGGING):

  <EventFiltering>
       <RuleGroup name="" groupRelation="or">
            <!--SYSMON EVENT ID 22 : DNS EVENT LOGGING-->
             <DnsQuery onmatch="exclude">
                   <!--Network noise-->
             </DnsQuery>
       </RuleGroup>
  </EventFiltering>

Regards

Mark

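An added check, not code from the sysmon-config project or from anyone in this thread: the script below parses a Sysmon config with comments preserved, reports every RuleGroup whose first child is a comment rather than an event element (the placement Mark identifies above as the cause), and strips those comments the way the thread's fix does. The sample config is constructed from the extract quoted in the thread; the element names are the real Sysmon schema, and the assumption that this placement breaks DnsQuery rule loading is the thread's report for that Sysmon build, not something the script verifies against Sysmon itself.

```python
"""Find and remove comments that sit directly after a <RuleGroup> open tag in a
Sysmon config. Added example, not part of the sysmon-config project."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the extract quoted in this thread. The first
# RuleGroup has the problematic leading comment; the second does not.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256,sha1,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!--SYSMON EVENT ID 22 : DNS EVENT LOGGING-->
      <DnsQuery onmatch="exclude">
        <!--Network noise-->
        <QueryName condition="end with">.arpa.</QueryName>
      </DnsQuery>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""


def parse_with_comments(xml_text):
    # ElementTree drops comments by default; this TreeBuilder (Python 3.8+)
    # keeps them as child nodes whose tag is the ET.Comment factory.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def find_leading_comments(xml_text):
    """Return (rulegroup index, comment text, first event element after it)
    for every RuleGroup whose very first child is a comment."""
    root = parse_with_comments(xml_text)
    findings = []
    for idx, group in enumerate(root.iter("RuleGroup")):
        children = list(group)
        if children and children[0].tag is ET.Comment:
            # The event element the comment shadows, e.g. DnsQuery.
            following = next(
                (c.tag for c in children[1:] if c.tag is not ET.Comment), None
            )
            findings.append((idx, children[0].text.strip(), following))
    return findings


def strip_leading_comments(xml_text):
    """Apply the fix from the thread: delete every comment that precedes the
    first event element in a RuleGroup. Comments nested inside the event
    elements (such as <!--Network noise-->) are left alone."""
    root = parse_with_comments(xml_text)
    removed = 0
    for group in root.iter("RuleGroup"):
        while len(group) and group[0].tag is ET.Comment:
            group.remove(group[0])
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for idx, text, following in find_leading_comments(SAMPLE_CONFIG):
        print(f"RuleGroup #{idx}: leading comment {text!r} before <{following}>")
    fixed, count = strip_leading_comments(SAMPLE_CONFIG)
    print(f"removed {count} leading comment(s)")
    print(fixed)
```

Run it against your own config by reading the file into `find_leading_comments` before loading it with `sysmon -c`; the report names the RuleGroup position and the event element the comment sits in front of, so you can decide whether to delete the comment or move it inside the event element, where the thread's extract shows comments already living without trouble.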