Sysinternals / SysmonForLinux

MIT License

Not log DnsQuery EventID 22 #57

Open PoundXI opened 2 years ago

PoundXI commented 2 years ago

OS: Ubuntu 20.04

Installation instruction: https://github.com/Sysinternals/SysmonForLinux/blob/main/INSTALL.md#ubuntu-1804-2004--2104

sysmon config:

<Sysmon schemaversion="4.21">
  <EventFiltering>
    <DnsQuery onmatch="exclude">
    </DnsQuery>
  </EventFiltering>
</Sysmon>

command for making dns query: ping www.google.com

checking event id: sudo cat /var/log/syslog | grep -oP "EventID>\d+<" | sort -u

result:

EventID>1<
EventID>16<
EventID>4<
EventID>5<

lightoyou commented 2 years ago

It seems that kernel 4.19.208-1 (debian 10) and 5.10.0-6 (debian 11) are not supported at the moment

lightoyou commented 2 years ago

SYSMONEVENT_RAWACCESS_READ seems not working too :(

SirStephanikus commented 1 year ago

Yep...even on an Ubuntu 20.04 Server LTS system...it does not log anything. Considering all the other bugs (broken on RHEL systems), wrong man page (they use Windows stuff on a Linux system)...SysmonForLinux seems to be in an alpha stage...and I don't get why the Sysinternals team has all those "features" in it that don't work at all.

MarioHewardt commented 1 year ago

@PoundXI Try without specifying the config file. Does sysmon generate any events in that scenario?

PoundXI commented 1 year ago

> @PoundXI Try without specifying the config file. Does sysmon generate any events in that scenario?

Just process create & terminate events

MarioHewardt commented 1 year ago

Thanks for checking. I've tagged this as a bug for now and added to backlog.

juju4 commented 1 year ago

Observing same issue with sysmon 1.2.0 with some variations on debian 11.7 and ubuntu 22.04. Any way to troubleshoot?

Expecting more in both cases (RawAccessRead for both, and file/network/service events for the first one):

debian11# journalctl -xeu sysmon -l --no-pager | /opt/sysmon/sysmonLogView |grep Event | sort | uniq -c | sort -nr
    630 Event SYSMONEVENT_PROCESS_TERMINATE
    370 Event SYSMONEVENT_CREATE_PROCESS
ubuntu22# journalctl -xeu sysmon -l --no-pager | /opt/sysmon/sysmonLogView |grep 'Event' | sort | uniq -c | sort -nr
     95 Event SYSMONEVENT_PROCESS_TERMINATE
     67 Event SYSMONEVENT_CREATE_PROCESS
      7 Event SYSMONEVENT_NETWORK_CONNECT
      5 Event SYSMONEVENT_FILE_DELETE
      5 Event SYSMONEVENT_FILE_CREATE
      1 Event SYSMONEVENT_SERVICE_STATE_CHANGE
      1 Event SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE

Config based on https://github.com/microsoft/MSTIC-Sysmon/tree/main/linux/configs https://github.com/juju4/ansible-sysmon/blob/main/templates/config.xml.j2

Not seeing any DNS catch in https://github.com/Sysinternals/SysmonForLinux/blob/main/sysmonforlinux.c#L848 but have SYSMONEVENT_NETWORK_CONNECT_EVENT_value and SYSMONEVENT_RAWACCESS_READ_EVENT_value
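Both PoundXI's `grep -oP "EventID>\d+<" | sort -u` check and juju4's `sysmonLogView | sort | uniq -c` pipeline answer the same question: which Sysmon event types are actually being emitted, and which expected ones (DnsQuery, EventID 22, in this issue) are absent. The script below is an added example, not part of the issue or of the SysmonForLinux project. It reads syslog or journalctl text, counts every `<EventID>N</EventID>` element the way the grep above does, and reports which of a caller-supplied set of expected IDs never appeared. The sample lines are constructed to mimic the shape of Sysmon-for-Linux syslog output (the `<EventID>` element is all the check relies on); the event-name table uses the standard Sysmon event IDs.

```python
#!/usr/bin/env python3
"""Telemetry coverage check for Sysmon for Linux: which EventIDs were seen,
and which expected ones are missing. Example code, not from the project."""
import re
import sys
from collections import Counter

# Constructed sample of syslog lines in the shape Sysmon for Linux writes
# (one XML <Event> per line). This is NOT captured output; it reproduces the
# situation from the issue: a ping was run, yet no EventID 22 shows up.
SAMPLE_SYSLOG = """\
Jan 1 12:00:00 host sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>4</EventID></System></Event>
Jan 1 12:00:01 host sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>16</EventID></System></Event>
Jan 1 12:00:02 host sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID></System><EventData><Data Name="Image">/usr/bin/ping</Data></EventData></Event>
Jan 1 12:00:03 host sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>5</EventID></System></Event>
Jan 1 12:00:03 host kernel: unrelated line with no sysmon event
"""

# Standard Sysmon event IDs (same numbering on Windows and Linux).
SYSMON_EVENT_NAMES = {
    1: "ProcessCreate",
    3: "NetworkConnect",
    4: "SysmonServiceStateChange",
    5: "ProcessTerminate",
    9: "RawAccessRead",
    11: "FileCreate",
    16: "ConfigChange",
    22: "DnsQuery",
    23: "FileDelete",
}

# Same element the issue's grep -oP "EventID>\d+<" matches on.
EVENT_ID_RE = re.compile(r"<EventID>(\d+)</EventID>")


def count_event_ids(lines):
    """Return {event_id: count} for every line carrying an <EventID> element.
    Lines without one (other daemons, kernel messages) are ignored."""
    counts = Counter()
    for line in lines:
        m = EVENT_ID_RE.search(line)
        if m:
            counts[int(m.group(1))] += 1
    return dict(counts)


def missing_event_ids(counts, expected):
    """Sorted list of expected IDs that never appeared in the log."""
    return sorted(eid for eid in expected if counts.get(eid, 0) == 0)


def coverage_report(syslog_text, expected=(1, 5, 22)):
    """Summarise seen vs. missing event types. By default we expect process
    create/terminate (1, 5) and, after a DNS lookup, DnsQuery (22)."""
    counts = count_event_ids(syslog_text.splitlines())
    missing = missing_event_ids(counts, expected)
    return {
        "counts": {eid: counts[eid] for eid in sorted(counts)},
        "missing": {eid: SYSMON_EVENT_NAMES.get(eid, "Unknown") for eid in missing},
    }


def format_report(report):
    """Human-readable rendering, in the spirit of 'sort | uniq -c'."""
    out = []
    for eid, n in report["counts"].items():
        out.append(f"{n:7d} EventID {eid:<3} {SYSMON_EVENT_NAMES.get(eid, 'Unknown')}")
    if report["missing"]:
        names = ", ".join(f"{eid} ({name})" for eid, name in report["missing"].items())
        out.append(f"MISSING expected event types: {names}")
    else:
        out.append("All expected event types present")
    return "\n".join(out)


if __name__ == "__main__":
    # Pipe real logs in, e.g.: sudo journalctl -u sysmon --no-pager | python3 sysmon_coverage.py
    # With no stdin data, fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SYSLOG
    print(format_report(coverage_report(text)))
```

A reported gap only tells you the event never reached the log; it does not say why. In this thread the candidates are an `onmatch="exclude"` rule that actually filtered it, a kernel version the eBPF programs do not support (lightoyou's comment), or the bug tracked here, so run the check once against the unfiltered default configuration, as MarioHewardt suggested, before comparing against your own rules.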

MarioHewardt commented 1 year ago

Thanks for reporting this. I've been a bit back logged but hopefully I can look into this in the next couple of weeks.

0xab3d commented 7 months ago

Any updates on this?

MarioHewardt commented 7 months ago

Hi @0xab3d - Thanks for checking in. We haven't implemented this yet as we're currently busy with other infrastructure work. I will keep everyone updated once we get to this.