Sysmon for Agent Linux?


TheLotus 24

May 15, 2024, 11:31:40 PMMay 15
to Wazuh | Mailing List
Hello Everyone, is there any documentation that explains how to implement sysmon to the agents in Linux Ubuntu and capture the events and see them in the Wazuh dashboard?

Md. Nazmur Sakib

May 16, 2024, 1:14:15 AMMay 16
to Wazuh | Mailing List

Hi TheLotus,


Sysmon is not so powerful a tool when it comes to logging events on Linux compared to Sysmon on Windows. That is why it is not that popular for Linux-based systems. Linux has other powerful event logging tools, like auditd. I would suggest you check those.

https://wazuh.com/blog/monitoring-root-actions-on-linux-using-auditd-and-wazuh/

https://documentation.wazuh.com/current/proof-of-concept-guide/audit-commands-run-by-user.html



If you still want to explore Sysmon on Linux and forward the Sysmon-Linux log to Wazuh, you can follow this guideline.


Install Sysmon on Linux by following this document:

https://github.com/Sysinternals/SysmonForLinux/blob/main/INSTALL.md


After installation, the Sysmon logs can be found inside /var/log/syslog


You can check the Sysmon log using this filter.


sudo tail -f /var/log/syslog | grep "Linux-Sysmon"


This will provide Sysmon logs similar to this:


May 16 04:40:43 ubuntu20 sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2024-05-16T04:40:43.637254000Z"/><EventRecordID>507</EventRecordID><Correlation/><Execution ProcessID="58985" ThreadID="58985"/><Channel>Linux-Sysmon/Operational</Channel><Computer>ubuntu20</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2024-05-16 04:40:43.642</Data><Data Name="ProcessGuid">{63ed527c-8e4b-6645-f517-888d4c560000}</Data><Data Name="ProcessId">59423</Data><Data Name="Image">/usr/bin/dash</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">sh -c &quot;$@&quot; &gt;/dev/null 2&gt;&amp;1 -- /usr/sbin/zsysctl userdata create sakib /home/sakib</Data><Data Name="CurrentDirectory">/home/ubuntu20</Data><Data Name="User">root</Data><Data Name="LogonGuid">{63ed527c-0000-0000-0000-000000000000}</Data><Data Name="LogonId">0</Data><Data Name="TerminalSessionId">3</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">SHA256=64e48365207d0c19008ba7d53d75c0de3fcd5a1590e4c40fc69c677663fedc20</Data><Data Name="ParentProcessGuid">{63ed527c-8e4b-6645-5d83-4fbdf1550000}</Data><Data Name="ParentProcessId">59408</Data><Data Name="ParentImage">/usr/bin/perl</Data><Data Name="ParentCommandLine">/usr/bin/perl</Data><Data Name="ParentUser">root</Data></EventData></Event>





The /var/log/syslog file is already monitored by Wazuh. Next, you just need to write custom decoders and rules based on these logs to trigger alerts on the Dashboard.


Check this document if you need help with creating decoders and rules:

https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

https://documentation.wazuh.com/current/user-manual/ruleset/index.html



Let me know if you need any further information or assistance.
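As an added illustration (not part of the original reply or of Wazuh's own ruleset), the script below shows what a decoder and rule for these records have to do: split the syslog prefix from the XML `<Event>` body, pull out `EventID`, `Channel` and the `EventData` fields, and then apply a simple rule. The sample line is a trimmed copy of the record quoted above; the shell allowlist, the rule levels and the function names are assumptions chosen for the example.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the Sysmon-for-Linux record quoted in the thread (EventID 1 = process creation).
SAMPLE_LINE = (
    'May 16 04:40:43 ubuntu20 sysmon: <Event><System>'
    '<Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>'
    '<EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode>'
    '<Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2024-05-16T04:40:43.637254000Z"/>'
    '<EventRecordID>507</EventRecordID><Correlation/><Execution ProcessID="58985" ThreadID="58985"/>'
    '<Channel>Linux-Sysmon/Operational</Channel><Computer>ubuntu20</Computer><Security UserId="0"/>'
    '</System><EventData>'
    '<Data Name="RuleName">-</Data><Data Name="UtcTime">2024-05-16 04:40:43.642</Data>'
    '<Data Name="ProcessId">59423</Data><Data Name="Image">/usr/bin/dash</Data>'
    '<Data Name="CommandLine">sh -c &quot;$@&quot; &gt;/dev/null 2&gt;&amp;1 -- '
    '/usr/sbin/zsysctl userdata create sakib /home/sakib</Data>'
    '<Data Name="CurrentDirectory">/home/ubuntu20</Data><Data Name="User">root</Data>'
    '<Data Name="ParentProcessId">59408</Data><Data Name="ParentImage">/usr/bin/perl</Data>'
    '<Data Name="ParentUser">root</Data>'
    '</EventData></Event>'
)

# Syslog prefix written by rsyslog: "<Mon DD HH:MM:SS> <host> sysmon: <xml>".
# This is the split a Wazuh "prematch"/"regex" decoder would perform.
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sysmon: (?P<xml><Event>.*</Event>)\s*$'
)

# Assumed allowlist of shell binaries used by the example rule below.
SHELLS = {'/bin/sh', '/bin/bash', '/bin/dash', '/usr/bin/sh', '/usr/bin/bash', '/usr/bin/dash', '/usr/bin/zsh'}


def parse_sysmon_line(line):
    """Return a dict of decoded fields for a Linux-Sysmon syslog line, or None if it is not one."""
    m = SYSLOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    root = ET.fromstring(m.group('xml'))      # also unescapes &quot; &gt; &amp; in the values
    system = root.find('System')
    event = {
        'syslog_timestamp': m.group('ts'),
        'syslog_host': m.group('host'),
        'event_id': int(system.findtext('EventID')),
        'channel': system.findtext('Channel'),
        'computer': system.findtext('Computer'),
        # Every <Data Name="..."> child becomes one decoded field; "-" means Sysmon had no value.
        'data': {d.get('Name'): (d.text or '') for d in root.iter('Data')},
    }
    return event


def classify(event):
    """Mimic a small Wazuh rule chain: return (level, description) or None when no rule matches."""
    if event is None or event.get('channel') != 'Linux-Sysmon/Operational':
        return None
    d = event['data']
    if event['event_id'] == 1:
        # Higher level for a shell started as root, in the spirit of the auditd "root actions" blog.
        if d.get('User') == 'root' and d.get('Image') in SHELLS:
            return (5, 'Sysmon: root shell {} spawned by {}: {}'.format(
                d.get('Image'), d.get('ParentImage'), d.get('CommandLine')))
        return (3, 'Sysmon: process created: {}'.format(d.get('Image')))
    return (3, 'Sysmon: event {} on {}'.format(event['event_id'], event['computer']))


if __name__ == '__main__':
    ev = parse_sysmon_line(SAMPLE_LINE)
    for key, value in ev['data'].items():
        print('{:18} {}'.format(key, value))
    print(classify(ev))
```

When you move this logic into Wazuh, the regex becomes the decoder's `<prematch>`/`<regex>` and the `if` branches become `<rule>` entries keyed on the decoded `event_id`, `User` and `Image` fields; testing the decoder with `/var/ossec/bin/wazuh-logtest` against a copied syslog line is the quickest way to confirm the fields are extracted the way this script shows.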

Md. Nazmur Sakib

May 19, 2024, 11:19:13 PMMay 19
to Wazuh | Mailing List
Hi TheLotus,

Let me know if you need any further information.