Describe the bug
During service and driver installation, the sysmon service fails to start due to an unsupported kernel version (logs included below).
I faced the same issue on SLES SP1 with two different sysmon versions, 1.1.1 and 1.0.2.
Is there any version of sysmon or any other way to run sysmon on kernel 4.12? Additionally, do you have a list of kernel versions which are supported?
Sysmon version
Sysmon 1.1.1
Sysmon 1.0.2
Distro/kernel version
OS version: SUSE Linux Enterprise Server 15 SP1
Kernel version: 4.12.14
Sysmon configuration
collect-all.xml
Logs
/usr/bin/sysmon -t -i /home/collect-all.xml
Sysmon v1.1.1 - Monitors system events
Sysinternals - www.sysinternals.com
By Mark Russinovich, Thomas Garnier and Kevin Sheldrake
Copyright (C) 2014-2023 Microsoft Corporation
Licensed under MIT/GPLv2
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Loading configuration file with schema version 4.81
Configuration file validated.
Job for sysmon.service failed because the control process exited with error code.
See "systemctl status sysmon.service" and "journalctl -xe" for details.
May 04 16:13:14 vm sysmon[22036]: Configuration file validated.
May 04 16:13:14 vm sysmon[22036]: Loading configuration file with schema version 4.81
May 04 16:13:14 vm sysmon[22036]: Configuration file validated.
May 04 16:13:14 vm sysmon[22036]: Found Kernel version: 4.12
May 04 16:13:14 vm sysmon[22036]: Kernel version not supported
May 04 16:13:14 vm sysmon[22036]: Telemetry failed to start: eBPF program could not be opened
May 04 16:13:14 vm systemd[1]: sysmon.service: Control process exited, code=exited status=7
May 04 16:13:14 vm systemd[1]: Failed to start Sysmon event logger.
May 04 16:13:14 vm systemd[1]: sysmon.service: Unit entered failed state.
May 04 16:13:14 vm systemd[1]: sysmon.service: Failed with result 'exit-code'.
systemctl status sysmon
sysmon.service - Sysmon event logger
   Loaded: loaded (/etc/systemd/system/sysmon.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2023-05-04 16:13:14 UTC; 11s ago
  Process: 22036 ExecStart=/opt/sysmon/sysmon -i /opt/sysmon/config.xml -service (code=exited, status=7)
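A pre-flight check for this failure mode, added here as an example; it is not part of the Sysmon for Linux project or of this report. It compares the running kernel's major.minor (the granularity sysmon itself logs, "Found Kernel version: 4.12") against a minimum, and classifies journal lines by the two signatures shown above ("Kernel version not supported", "eBPF program could not be opened"). The minimum kernel version is a placeholder assumption, because the report asks for but does not contain the supported-kernel list; the function names are mine. Running the script with `--check` applies the test to the local kernel before a fleet-wide install.

```shell
#!/bin/sh
# Added example, not Sysmon project code. SYSMON_MIN_KERNEL is a PLACEHOLDER
# assumption: the issue states only that 4.12 is rejected and gives no list of
# supported kernels. Set it from the Sysmon release notes for your version.
MIN_KERNEL="${SYSMON_MIN_KERNEL:-5.0}"

# ver_major "4.12.14-150100.197.100-default" -> 4
ver_major() { printf '%s' "${1%%.*}"; }

# ver_minor "4.12.14-150100.197.100-default" -> 12 ; ver_minor "6" -> 0
ver_minor() {
    case "$1" in
        *.*) m=${1#*.}; m=${m%%.*}; m=${m%%[!0-9]*}; printf '%s' "${m:-0}" ;;
        *)   printf '0' ;;
    esac
}

# kernel_at_least <running> <minimum>: exit 0 when running >= minimum,
# comparing major.minor only (the granularity sysmon logs).
kernel_at_least() {
    run_major=$(ver_major "$1"); run_minor=$(ver_minor "$1")
    min_major=$(ver_major "$2"); min_minor=$(ver_minor "$2")
    [ "$run_major" -gt "$min_major" ] && return 0
    [ "$run_major" -eq "$min_major" ] && [ "$run_minor" -ge "$min_minor" ]
}

# classify_sysmon_journal: reads journalctl lines on stdin and prints one
# token for the first known failure signature, or "ok" if none appears.
# The kernel check fires before the eBPF load in the log above, so an
# unsupported kernel is reported as such rather than as a generic eBPF error.
classify_sysmon_journal() {
    while IFS= read -r line; do
        case "$line" in
            *"Kernel version not supported"*)       echo "unsupported-kernel"; return 0 ;;
            *"eBPF program could not be opened"*)   echo "ebpf-open-failed";   return 0 ;;
        esac
    done
    echo "ok"
}

# Usage: ./sysmon-preflight.sh --check   (exit 7 mirrors the status sysmon returned)
if [ "${1:-}" = "--check" ]; then
    running=$(uname -r)
    if kernel_at_least "$running" "$MIN_KERNEL"; then
        echo "kernel $running meets assumed minimum $MIN_KERNEL"
    else
        echo "kernel $running is below assumed minimum $MIN_KERNEL; expect 'Kernel version not supported'" >&2
        exit 7
    fi
fi
```

Pipe `journalctl -u sysmon.service --no-pager` into `classify_sysmon_journal` to turn a failed unit into a one-word reason a deployment tool can branch on.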