Closed hoanga2dtk68 closed 2 months ago
Hello,
The easiest way to find a fix would be for you to share your log file to check exactly what is happening.
If you cannot share your log file (something I can understand), you can use --debug and check the zircolite.log file.
But from what I can see in your screenshot, I think your /var/log/syslog does not contain only Sysmon for Linux events, which can be the source of the error.
Yes, here is the Google Drive link: https://drive.google.com/file/d/1UKIVmpxrE2roCu51_9inYkqzD0a1ujGV/view?usp=sharing Thank you.
There is also a problem when the sysmon4linux logs overlap with other log sources. Do you have a way to separate them and use your tool?
Thanks I will check your log to find the problem and I will try to answer your questions.
Thanks, looking forward to hearing from you soon.
From what I have seen, the problem comes, as expected, from the /var/log/syslog file that contains different log types (System events and Sysmon for Linux events). The easiest way to handle it is outside Zircolite: you only keep the Sysmon related lines from /var/log/syslog and copy them to another file:
grep "kali sysmon:" /var/log/syslog > Sysmon4Linux.log
python3 zircolite.py --events Sysmon4Linux.log --rules rules/rules_linux.json
Please note that you can also have the ugly default XML logs converted to JSON (1 event per line) for free if you add the --keeptmp option. The resulting JSON files will be available in a directory named like this: tmp-XXXXXXXX.
With the default Linux ruleset (not the greatest...) it should give you something like this:
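A worked version of the separation step above, as an added example that is not Zircolite's own code: it filters a mixed syslog down to Sysmon for Linux events by matching the `sysmon: <Event` marker instead of a fixed hostname such as "kali", skips every other line, and flattens each event to one JSON object per line. The syslog line layout and the event fields in the sample are assumed and constructed for this example; the exact JSON layout Zircolite writes with --keeptmp is not reproduced.

```python
import json
import re
import xml.etree.ElementTree as ET

# Sysmon for Linux events arrive via syslog as "<timestamp> <host> sysmon: <Event>...</Event>".
# Matching on "sysmon: <Event" instead of a hostname such as "kali" works for any host.
SYSMON_LINE = re.compile(r"^(?P<prefix>.*?) sysmon: (?P<xml><Event.*</Event>)\s*$")

# Constructed sample of a mixed /var/log/syslog: two system messages and one Sysmon event.
SAMPLE_SYSLOG = "\n".join([
    "Oct 10 10:00:01 kali systemd[1]: Started Session 3 of user kali.",
    'Oct 10 10:00:02 kali sysmon: <Event><System><Provider Name="Linux-Sysmon"/>'
    "<EventID>1</EventID><Computer>kali</Computer></System><EventData>"
    '<Data Name="Image">/usr/bin/ls</Data><Data Name="CommandLine">ls -lah</Data>'
    '<Data Name="User">www-data</Data></EventData></Event>',
    "Oct 10 10:00:03 kali CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",
])

def _local(tag):  # drop an XML namespace prefix, "{ns}EventID" -> "EventID"
    return tag.rsplit("}", 1)[-1]

def parse_sysmon_line(line):
    """Flatten one Sysmon for Linux syslog line into a dict; None for any other syslog line."""
    m = SYSMON_LINE.match(line)
    if m is None:
        return None
    event = {"host": m.group("prefix").split()[-1]}
    for section in ET.fromstring(m.group("xml")):      # <System>, <EventData>
        for elem in section:
            if _local(elem.tag) == "Data":             # <Data Name="X">value</Data>
                event[elem.get("Name")] = elem.text or ""
            else:                                      # <EventID>1</EventID>, <Provider Name=".."/>
                event[_local(elem.tag)] = elem.text or elem.get("Name", "")
    return event

def split_syslog(text):
    """Return (sysmon_events, skipped_count) for a mixed syslog text."""
    events, skipped = [], 0
    for line in filter(str.strip, text.splitlines()):
        parsed = parse_sysmon_line(line)
        if parsed is None:
            skipped += 1                               # system message, not a Sysmon event
        else:
            events.append(parsed)
    return events, skipped

if __name__ == "__main__":
    events, skipped = split_syslog(SAMPLE_SYSLOG)
    print(f"kept {len(events)} Sysmon event(s), skipped {skipped} other line(s)")
    print("\n".join(json.dumps(ev, sort_keys=True) for ev in events))  # one event per line
```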
I see some problems when the rule doesn't catch the actual webshell command. The command I use is ls -lah.
I get a "list index out of range" error when using this feature with sysmon4linux.
Is there any way to fix this?