Sysinternals / SysmonForLinux

MIT License
1.71k stars 181 forks

Issue after running sysmon #112

Closed zangetsu-08 closed 10 months ago

zangetsu-08 commented 1 year ago

Hello guys. I get the following error after running sysmon. Everything was working with previous versions.

root@alb01:/sys/kernel/btf# sysmon -accepteula -i /opt/config.xml

Sysmon v1.1.0 - Monitors system events
Sysinternals - www.sysinternals.com
By Mark Russinovich, Thomas Garnier and Kevin Sheldrake
Copyright (C) 2014-2023 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.

Loading configuration file with schema version 4.70
Sysmon schema version: 4.81
Configuration file validated.
Job for sysmon.service failed because the control process exited with error code.
See "systemctl status sysmon.service" and "journalctl -xe" for details.

root@alb01:/sys/kernel/btf# journalctl -u sysmon -xe
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 728: (67) r1 <<= 32
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 727: (bf) r1 = r3
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 726: (79) r3 = *(u64 *)(r10 -64)
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 725: (b7) r8 = 0
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 724: (6d) if r2 s> r1 goto pc+36
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 723: (b7) r2 = 1
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 722: (c7) r1 s>>= 32
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 721: (67) r1 <<= 32
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 720: (bf) r1 = r0
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 719: (25) if r6 > 0xffe goto pc+41
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 718: (77) r6 >>= 32
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 717: (67) r6 <<= 32
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 716: (07) r6 += -1
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 715: (25) if r8 > 0x1000 goto pc+45
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 714: (77) r8 >>= 32
Mar 21 18:50:33 alb01.vm.ptylab.companyservices.net sysmon[119929]: regs=0 stack=400 before 713: (67) r8 <<= 32
Mar 21 18:50:35 alb01.vm.ptylab.companyservices.net systemd[1]: sysmon.service: Control process exited, code=exited, status=12/n/a
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- An ExecStart= process belonging to unit sysmon.service has exited.
--
-- The process' exit code is 'exited' and its exit status is 12.
Mar 21 18:50:35 alb01.vm.ptylab.companyservices.net systemd[1]: sysmon.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit sysmon.service has entered the 'failed' state with result 'exit-code'.
Mar 21 18:50:35 alb01.vm.ptylab.companyservices.net systemd[1]: Failed to start Sysmon event logger.
-- Subject: A start job for unit sysmon.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- A start job for unit sysmon.service has finished with a failure.
--
-- The job identifier is 3836 and the job result is failed.
lines 983-1020/1020 (END)

zangetsu-08 commented 1 year ago

NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

MarioHewardt commented 1 year ago

Hi - When starting sysmon can you add the -t switch (e.g., sudo sysmon -t -i ...)?

Once done also add the -n 200 switch to journalctl. The log above is too short.
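An added example, not from this thread or the SysmonForLinux project: once the fuller `journalctl -u sysmon -n 200` capture has been saved to a file, these two shell functions pull out the facts worth attaching to the report, the exit status systemd recorded for sysmon.service and the BPF verifier trace, which the journal above lists in descending instruction order and which is easier to read ascending. The sample journal lines are constructed in the shape of the ones in the issue.

```shell
#!/bin/sh
# Extract the sysmon.service exit status and the BPF verifier trace from a
# saved "journalctl -u sysmon" capture (file path in $1).

# Print the exit status from the systemd line
#   "... sysmon.service: Control process exited, code=exited, status=12/n/a"
# (last occurrence wins; empty output if the service never exited).
sysmon_exit_status() {
    sed -n 's/.*sysmon\.service: Control process exited, code=exited, status=\([0-9]*\).*/\1/p' "$1" \
        | tail -n 1
}

# Print the verifier trace lines ("regs=... stack=... before N: (op) ...")
# sorted by instruction number N ascending; the journal emits them descending.
verifier_trace() {
    grep -o 'regs=[0-9]* stack=[0-9]* before [0-9]*: .*' "$1" \
        | awk '{ n = $4; sub(":", "", n); print n "\t" $0 }' \
        | sort -n \
        | cut -f2-
}

# Constructed sample (hypothetical hostname "host") in the shape of the issue's journal output.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Mar 21 18:50:33 host sysmon[119929]: regs=0 stack=400 before 722: (c7) r1 s>>= 32
Mar 21 18:50:33 host sysmon[119929]: regs=0 stack=400 before 721: (67) r1 <<= 32
Mar 21 18:50:33 host sysmon[119929]: regs=0 stack=400 before 720: (bf) r1 = r0
Mar 21 18:50:35 host systemd[1]: sysmon.service: Control process exited, code=exited, status=12/n/a
Mar 21 18:50:35 host systemd[1]: sysmon.service: Failed with result 'exit-code'.
EOF

echo "sysmon.service exit status: $(sysmon_exit_status "$SAMPLE")"
echo "verifier trace (ascending):"
verifier_trace "$SAMPLE"
```

Point the functions at a real capture (`journalctl -u sysmon -n 200 > sysmon.log`) to get the same two items for the full log.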

MarioHewardt commented 10 months ago

Hi - Closing until we have a more detailed log. Feel free to reopen with the requested information.