Hi TheLotus,
Sysmon is not as powerful a tool when it comes to logging events on Linux as Sysmon on Windows is. That is why it is not that popular for Linux-based systems. Linux has other powerful event logging tools like auditd. I would suggest you check those.
https://wazuh.com/blog/monitoring-root-actions-on-linux-using-auditd-and-wazuh/
https://documentation.wazuh.com/current/proof-of-concept-guide/audit-commands-run-by-user.html
If you still want to explore Sysmon on Linux and forward the Sysmon-Linux log to Wazuh, you can follow this guideline.
Install Sysmon on Linux by following this document:
https://github.com/Sysinternals/SysmonForLinux/blob/main/INSTALL.md
After installation, the Sysmon logs can be found inside /var/log/syslog.
You can check the Sysmon log using this filter:
sudo tail -f /var/log/syslog | grep "Linux-Sysmon"
This will provide Sysmon logs similar to this:
May 16 04:40:43 ubuntu20 sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2024-05-16T04:40:43.637254000Z"/><EventRecordID>507</EventRecordID><Correlation/><Execution ProcessID="58985" ThreadID="58985"/><Channel>Linux-Sysmon/Operational</Channel><Computer>ubuntu20</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2024-05-16 04:40:43.642</Data><Data Name="ProcessGuid">{63ed527c-8e4b-6645-f517-888d4c560000}</Data><Data Name="ProcessId">59423</Data><Data Name="Image">/usr/bin/dash</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">sh -c "$@" >/dev/null 2>&1 -- /usr/sbin/zsysctl userdata create sakib /home/sakib</Data><Data Name="CurrentDirectory">/home/ubuntu20</Data><Data Name="User">root</Data><Data Name="LogonGuid">{63ed527c-0000-0000-0000-000000000000}</Data><Data Name="LogonId">0</Data><Data Name="TerminalSessionId">3</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">SHA256=64e48365207d0c19008ba7d53d75c0de3fcd5a1590e4c40fc69c677663fedc20</Data><Data Name="ParentProcessGuid">{63ed527c-8e4b-6645-5d83-4fbdf1550000}</Data><Data Name="ParentProcessId">59408</Data><Data Name="ParentImage">/usr/bin/perl</Data><Data Name="ParentCommandLine">/usr/bin/perl</Data><Data Name="ParentUser">root</Data></EventData></Event>
The /var/log/syslog file is already monitored by Wazuh. Next, you just need to write custom decoders and rules based on these logs to trigger alerts on the Dashboard.
Check these documents if you need help with creating decoders and rules:
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
https://documentation.wazuh.com/current/user-manual/ruleset/index.html
Let me know if you need any further information or assistance.
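Added example (not part of the post above, and not Wazuh's own decoders or ruleset): a small Python equivalent of the decoder-and-rule step, run over the syslog line quoted above plus two constructed lines. It pulls out the same fields a custom Wazuh decoder has to extract from each line (syslog timestamp and host, EventID, Channel, Computer, and every <Data Name="..."> value) and then applies one illustrative rule to them. The shell and interpreter lists, the rule name, and the alert fields are assumptions made for the illustration; the two extra log lines are constructed.

```python
import re
from xml.sax.saxutils import unescape

# Line shape rsyslog writes for Sysmon for Linux: "May 16 04:40:43 ubuntu20 sysmon: <Event>...</Event>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sysmon: (?P<xml><Event>.*</Event>)\s*$"
)
SYSTEM_RE = re.compile(r"<(EventID|Channel|Computer)>([^<]*)</\1>")   # <System> children we keep
DATA_RE = re.compile(r'<Data Name="([^"]+)">(.*?)</Data>')           # every <EventData> field

# Assumed lists for the illustrative rule below (not from Sysmon or Wazuh); extend as needed.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/dash"}
INTERPRETERS = ("/usr/bin/perl", "/usr/bin/python", "/usr/bin/ruby")


def decode(line):
    """Flatten one syslog line into a dict of Sysmon fields; None if it is not a Linux-Sysmon event."""
    m = SYSLOG_RE.match(line)
    if not m or 'Provider Name="Linux-Sysmon"' not in m.group("xml"):
        return None
    xml = m.group("xml")
    fields = {"timestamp": m.group("ts"), "host": m.group("host")}
    for tag, value in SYSTEM_RE.findall(xml):
        fields[tag] = value
    # Per-field regex instead of an XML parser: CommandLine can carry a raw '>' or '&'
    # (the "2>&1" in the quoted event), which a strict XML parser would reject.
    for name, value in DATA_RE.findall(xml):
        fields[name] = unescape(value)
    return fields


def rule_root_shell_from_interpreter(ev):
    """EventID 1 (process creation): root's shell spawned by a scripting interpreter."""
    return (
        ev.get("EventID") == "1"
        and ev.get("User") == "root"
        and ev.get("Image") in SHELLS
        and ev.get("ParentImage", "").startswith(INTERPRETERS)
    )


RULES = {"root_shell_from_interpreter": rule_root_shell_from_interpreter}


def run_rules(lines):
    """Decode each line and return one alert dict per (event, matching rule) pair."""
    alerts = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({"rule": name, "host": ev["host"], "timestamp": ev["timestamp"],
                               "user": ev.get("User"), "image": ev.get("Image"),
                               "parent": ev.get("ParentImage"), "cmdline": ev.get("CommandLine")})
    return alerts


# Sample input: line 1 is the event quoted in the post above; lines 2 and 3 are constructed
# for this example (a benign process creation by a normal user, and a non-Sysmon syslog line).
SAMPLE_LINES = [
    'May 16 04:40:43 ubuntu20 sysmon: <Event><System><Provider Name="Linux-Sysmon" '
    'Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level>'
    '<Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords>'
    '<TimeCreated SystemTime="2024-05-16T04:40:43.637254000Z"/><EventRecordID>507</EventRecordID><Correlation/>'
    '<Execution ProcessID="58985" ThreadID="58985"/><Channel>Linux-Sysmon/Operational</Channel>'
    '<Computer>ubuntu20</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data>'
    '<Data Name="UtcTime">2024-05-16 04:40:43.642</Data><Data Name="ProcessGuid">{63ed527c-8e4b-6645-f517-888d4c560000}</Data>'
    '<Data Name="ProcessId">59423</Data><Data Name="Image">/usr/bin/dash</Data><Data Name="FileVersion">-</Data>'
    '<Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data>'
    '<Data Name="OriginalFileName">-</Data><Data Name="CommandLine">sh -c "$@" >/dev/null 2>&1 -- '
    '/usr/sbin/zsysctl userdata create sakib /home/sakib</Data><Data Name="CurrentDirectory">/home/ubuntu20</Data>'
    '<Data Name="User">root</Data><Data Name="LogonGuid">{63ed527c-0000-0000-0000-000000000000}</Data>'
    '<Data Name="LogonId">0</Data><Data Name="TerminalSessionId">3</Data><Data Name="IntegrityLevel">no level</Data>'
    '<Data Name="Hashes">SHA256=64e48365207d0c19008ba7d53d75c0de3fcd5a1590e4c40fc69c677663fedc20</Data>'
    '<Data Name="ParentProcessGuid">{63ed527c-8e4b-6645-5d83-4fbdf1550000}</Data><Data Name="ParentProcessId">59408</Data>'
    '<Data Name="ParentImage">/usr/bin/perl</Data><Data Name="ParentCommandLine">/usr/bin/perl</Data>'
    '<Data Name="ParentUser">root</Data></EventData></Event>',
    'May 16 04:42:10 ubuntu20 sysmon: <Event><System><Provider Name="Linux-Sysmon" '
    'Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Channel>Linux-Sysmon/Operational</Channel>'
    '<Computer>ubuntu20</Computer></System><EventData><Data Name="Image">/usr/bin/ls</Data>'
    '<Data Name="CommandLine">ls -la /home/sakib</Data><Data Name="User">sakib</Data>'
    '<Data Name="ParentImage">/usr/bin/bash</Data><Data Name="ParentUser">sakib</Data></EventData></Event>',
    'May 16 04:42:11 ubuntu20 systemd[1]: Started Session 3 of user sakib.',
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LINES):
        print(alert)
```

Running it prints one alert, for the quoted event (root's /usr/bin/dash started by /usr/bin/perl), and nothing for the other two lines. The same three conditions (EventID, User, Image plus ParentImage) are what you would express in a Wazuh rule once your decoder exposes those fields; matching <Data> elements one at a time, rather than parsing the whole event as XML, is deliberate because the CommandLine value is not guaranteed to be well-formed XML.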