sysmon error schema


German DiCasas

Oct 29, 2024, 5:15:06 PM
to Wazuh | Mailing List
Hi team,

I want to implement Sysmon events in Wazuh, but I get an error. I used this doc: https://wazuh.com/blog/using-wazuh-to-monitor-sysmon-events/?highlight=sysmon

Sysmon64.exe -accepteula -i sysconfig.xml


System Monitor v15.15 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2024 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 3.30
Sysmon schema version: 4.90
Error: Incorrect or unsupported schema version 3.30. Current Sysmon schema version 4.90

Usage:
Install:                 Sysmon64.exe -i [<configfile>]
Update configuration:    Sysmon64.exe -c [<configfile>]
Install event manifest:  Sysmon64.exe -m
Print schema:            Sysmon64.exe -s
Uninstall:               Sysmon64.exe -u [force]
  -c   Update configuration of an installed Sysmon driver or dump the
       current configuration if no other argument is provided. Optionally
       take a configuration file.
  -i   Install service and driver. Optionally take a configuration file.
  -m   Install the event manifest (done on service install as well)).
  -s   Print configuration schema definition of the specified version.
       Specify 'all' to dump all schema versions (default is latest)).
  -u   Uninstall service and driver. Adding force causes uninstall to proceed
       even when some components are not installed.

The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.

On Vista and higher, events are stored in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational". On older systems, events are written to the System event log.

Use the '-? config' command for configuration file documentation. More examples are available on the Sysinternals website.

Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to accept it.

Neither install nor uninstall requires a reboot.


It seems to be a problem with the schema. I used the doc. Do you have any fix, or a newer doc related to this?

Thanks

German


Leonardo Daniel Sancho

Oct 29, 2024, 6:29:54 PM
to Wazuh | Mailing List
Hello German DiCasas, I'll run some tests in a lab environment to try to replicate this issue; once this is done I'll return with an answer.

Have a great day!

German DiCasas

Oct 31, 2024, 9:48:43 AM
to Wazuh | Mailing List
Hi Leonardo,

OK, let me know what you need. Some time ago this worked for me, but now I get a schema error.

Regards.

German

German DiCasas

Nov 4, 2024, 10:52:29 AM
to Wazuh | Mailing List
Leonardo,

Let me know please...

Regards

German

German DiCasas

Nov 7, 2024, 11:41:29 AM
to Wazuh | Mailing List
Leonardo,

Any patch for this error?

Regards,

German


Md. Nazmur Sakib

Nov 8, 2024, 2:21:35 AM
to Wazuh | Mailing List

Hi German,

Sorry for interrupting,

If you are following this blog:

https://wazuh.com/blog/using-wazuh-to-monitor-sysmon-events/?highlight=sysmon


This is a very old blog, which was released back on May 30th, 2017.

It seems the schema version 3.30 is not supported anymore in the newer version of Sysmon.

You can follow our other documents on Sysmon:

https://wazuh.com/blog/learn-to-detect-threats-on-windows-by-monitoring-sysmon-events/




You can just edit sysconfig.xml and change

<Sysmon schemaversion="3.30">

to

<Sysmon schemaversion="4.90">

and it should work.

You can also use these Sysmon rules as an example:

https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml


You can also check these resources:

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

https://github.com/SwiftOnSecurity/sysmon-config


I hope you find this information useful.
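The fix above hardcodes the version the poster happened to have installed (4.90 for Sysmon 15.15). The script below is an added example, not code from this thread or from Wazuh or Sysinternals: it reads the schema version from the installed binary with `Sysmon64.exe -s`, rewrites the config's `schemaversion` attribute to match, applies the config, and checks that events are reaching the Sysmon operational log that the Wazuh agent reads. The executable and config paths, the script name, and the `.bak` backup name are assumptions for illustration. One caveat a reader should keep in mind: bumping the version number only satisfies the version check at load time; if an old config uses rule syntax the newer schema no longer accepts, Sysmon still reports an error when the config is applied, and that is what step 3 catches.

```powershell
# Added example (not from the thread, Wazuh or Sysinternals): align a Sysmon
# config's <Sysmon schemaversion="..."> with the schema of the installed
# Sysmon binary, apply it, and confirm events are being logged.
# Run from an elevated PowerShell prompt. Paths below are assumptions.
param(
    [string]$SysmonExe  = ".\Sysmon64.exe",
    [string]$ConfigPath = ".\sysconfig.xml"
)

# 1. Ask the binary which schema it expects. `-s` prints the schema definition,
#    whose root element carries the version, e.g. <manifest schemaversion="4.90" ...>.
$schemaDump = & $SysmonExe -accepteula -s | Out-String
if ($schemaDump -notmatch 'schemaversion="(?<v>\d+\.\d+)"') {
    throw "Could not find a schemaversion attribute in the output of '$SysmonExe -s'"
}
$installed = $Matches.v

# 2. Read the config and compare the version it declares with the installed one.
[xml]$cfg = Get-Content -Path $ConfigPath -Raw -ErrorAction Stop
$declared = $cfg.DocumentElement.GetAttribute("schemaversion")
Write-Host "Config declares schema $declared; installed Sysmon uses $installed"

if ([version]$declared -ne [version]$installed) {
    # Keep a copy of the original before rewriting it (backup name is an assumption).
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
    $cfg.DocumentElement.SetAttribute("schemaversion", $installed)
    $cfg.Save((Resolve-Path $ConfigPath).Path)
    Write-Host "Rewrote schemaversion to $installed (backup in $ConfigPath.bak)"
}

# 3. Apply the config. The service name defaults to the executable's base name
#    (Sysmon64 or Sysmon); if it exists use -c (update), otherwise -i (install).
#    Changing the version number alone does not rewrite the rules: if a rule uses
#    syntax the newer schema rejects, Sysmon reports it here and the load fails.
$svcName = [IO.Path]::GetFileNameWithoutExtension($SysmonExe)
$action  = if (Get-Service -Name $svcName -ErrorAction SilentlyContinue) { "-c" } else { "-i" }
& $SysmonExe -accepteula $action $ConfigPath
if ($LASTEXITCODE -ne 0) {
    throw "Sysmon rejected the configuration (exit code $LASTEXITCODE); compare your rules against '$SysmonExe -s'"
}

# 4. Confirm events are written to the log the Wazuh agent collects from.
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName
```

Saved as, say, `Update-SysmonSchema.ps1` (an assumed name), it is run as `.\Update-SysmonSchema.ps1 -SysmonExe C:\Tools\Sysmon64.exe -ConfigPath C:\Tools\sysconfig.xml`. For the case in this thread it performs the same 3.30 to 4.90 change described above, but because the version is read from the binary rather than typed in, the same script keeps working after the next Sysmon update. If step 3 fails, the error text from Sysmon names the offending element, and `Sysmon64.exe -s` shows the event types and attributes the current schema accepts.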

German DiCasas

Nov 8, 2024, 4:53:01 PM
to Wazuh | Mailing List
Thanks... works perfectly

Regards

German

Leonardo Daniel Sancho

Nov 25, 2024, 5:37:39 PM
to Wazuh | Mailing List
Hello German DiCasas, apologies for the delay. After running some tests, the first article that you were trying was in fact very old; it was replaced with a new one that actually seems to be working correctly (this was the core of the tests in a lab environment). The new article, alongside the testing methodology, can be found here: Learn to detect threats on Windows by monitoring Sysmon events | Wazuh

The tests were performed on the latest stable version of Windows 10.

Should you have further questions, feel free to create a new topic.

Have a great day!
