Sysinternals / SysmonForLinux

MIT License

Unable to install sysmon in Centos 8 #87

Closed cristiancamps93 closed 1 year ago

cristiancamps93 commented 1 year ago

Tried already with Ubuntu 20.04 and Debian 11 and no issues found.

However, when it comes to CentOS 8 I get the following error: "Job for sysmon.service failed because the control process exited with error code" "see systemctl status network service and journalctl xe for details"

After disabling Selinux the issue persists.

Systemctl output: 2022-11-14 10_00_38-CentOSMori

Journal output: 2022-11-14 10_02_17-CentOSMori

I guess this is a permissions issue related to libbpf or //sysmonEBPFkern. However, the installation steps do not consider this issue, and the CentOS I am using is a clean new virtual device installation with no modifications.

Thanks in advance, Cristian

SirStephanikus commented 1 year ago

It is a bug, see also the various other posted issues. Microsoft at its best, advertising that something runs (in your case under RHEL/CentOS/Rocky) but it crashes immediately.

Even the documentation mentions stuff like WMI and REGISTRY ON A LINUX MACHINE!

MarioHewardt commented 1 year ago

@cristiancamps93 We are aware of the issue you mention on some distributions. I have a fix for that specific issue and if you want to give it a try it's available here - https://github.com/MarioHewardt/SysinternalsEBPF/tree/fixloader. Please note that I am also investigating a bug where a lot of the event fields are empty on RH so the fix I mentioned above may get Sysmon running but you may end up with some of the fields empty.

@SirStephanikus Sysmon for Linux and Sysmon for Windows share some common code to enable a consistent experience. If there are specific sections of the documentation that you feel are confusing (in terms of Windows construct), please let me know and I can see about reworking those parts.

cristiancamps93 commented 1 year ago

@MarioHewardt thanks a lot for the input. I will take a look as soon as I can. Let's hope this issue gets fixed soon.

MaliPerica commented 1 year ago

> @cristiancamps93 We are aware of the issue you mention on some distributions. I have a fix for that specific issue and if you want to give it a try it's available here - https://github.com/MarioHewardt/SysinternalsEBPF/tree/fixloader. Please note that I am also investigating a bug where a lot of the event fields are empty on RH so the fix I mentioned above may get Sysmon running but you may end up with some of the fields empty.
>
> @SirStephanikus Sysmon for Linux and Sysmon for Windows share some common code to enable a consistent experience. If there are specific sections of the documentation that you feel are confusing (in terms of Windows construct), please let me know and I can see about reworking those parts.

Is it possible to set the version to 1.0.2? When generating the package, the version is set to 0.0.0.0, and the prerequisite for the sysmon installation is ebpf 1.0.2.

MarioHewardt commented 1 year ago

You should be able to set the VERSION environment variable prior to building.

MarioHewardt commented 1 year ago

Closing as I've pushed a fix that should resolve the issue. If you encounter it again, please reopen.