Open mavjs opened 3 years ago
Credit to teapot on the Open Threat Research Discord, who came up with the following rsyslog and logrotate configuration for sending sysmon events to their own log file:
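# cat /etc/rsyslog.d/10-sysmon.conf
# Route sysmon events to their own file, one raw line per event, and keep
# them out of the general syslog stream handled by later rules.
#
# %rawmsg% is the message as rsyslog received it (syslog header included);
# use %msg% instead if only the event payload is wanted -- verify against
# what the downstream parser expects.
template(name="noheader" type="string"
         string="%rawmsg%\n")

# $programname is the syslog tag; this assumes sysmon logs with tag 'sysmon'.
if $programname == 'sysmon' then {
    # omfile creates the file with its default mode (0644) unless
    # fileCreateMode/fileOwner/fileGroup are set; set them here if the log
    # must not be world-readable, and keep logrotate's 'create' in step.
    action(type="omfile" file="/var/log/sysmon/sysmon.log" template="noheader")
    # 'stop' is the documented replacement for the legacy '~' discard
    # action, which rsyslog still accepts but flags as deprecated. It stops
    # processing here so later rules (e.g. the distribution defaults, which
    # sort after 10-) do not also write these events to their files.
    stop
}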
# cat /etc/logrotate.d/sysmon
# Daily rotation of the rsyslog-written sysmon log. Seven rotations are
# kept; the newest rotated file stays uncompressed for one cycle
# (delaycompress) because rsyslog may still be writing to it until it is
# told to reopen its output files.
/var/log/sysmon/*.log {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    # Recreate the log after rotation. With no mode/owner/group given,
    # logrotate copies them from the rotated file; spell them out (e.g. a
    # group-only readable mode) if the log must not be world-readable,
    # matching whatever rsyslog's omfile is configured to create.
    create
    # Run the script once for the whole glob, then ask rsyslog to reopen
    # its files. Failures are deliberately ignored, so on a host where the
    # unit is not named rsyslog.service (or there is no systemd) rsyslog
    # would keep writing to the rotated file -- verify locally.
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}