Sysmon Network activity


Sanjay Rajak

Feb 12, 2018, 7:44:27 AM
to Wazuh mailing list
Hello,
I am using wazuh 2.1.1_5.6.3.ova. I wanted to monitor host network activity using the Sysmon config of SwiftOnSecurity. I am getting host network activity logs in the Windows Sysmon log, but on the Wazuh server in alerts.json I don't see any network activity log from the host. What am I missing here?
Regards.

alberto....@wazuh.com

Feb 12, 2018, 9:24:17 AM
to Wazuh mailing list
Hello Sanjay,

Did you add the agent configuration in order to send the Sysmon logs to the manager? For that, this configuration must be added to the ossec.conf file:

<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>

Then, additional configuration on the manager could be needed. Please see this link, in which we explain how to configure Sysmon and the Wazuh manager:

Please let us know if you still have doubts.
Best regards,
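As an added check that is not part of the thread and not a Wazuh tool, the script below reads an agent ossec.conf and reports whether the Sysmon channel entry above is present with log_format set to eventchannel; the configuration text it runs on is a constructed sample.

```python
"""Check an agent ossec.conf for the Sysmon eventchannel <localfile> entry.

Assumptions (not from the thread): the config is read as a string, and a
real ossec.conf may contain several top-level <ossec_config> blocks.
"""
import xml.etree.ElementTree as ET

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Constructed sample: two <ossec_config> blocks, the second one collecting Sysmon.
SAMPLE_CONF = """
<ossec_config>
  <client><server-ip>10.0.0.5</server-ip></client>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
"""


def find_localfiles(conf_text):
    """Return a list of (location, log_format) tuples for every <localfile>."""
    # Several <ossec_config> roots are not well-formed XML on their own,
    # so wrap the whole file in a synthetic root before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    entries = []
    for lf in root.iter("localfile"):
        location = (lf.findtext("location") or "").strip()
        log_format = (lf.findtext("log_format") or "").strip()
        entries.append((location, log_format))
    return entries


def sysmon_collection_status(conf_text):
    """Return 'ok', 'wrong_format' (channel present but not eventchannel), or 'missing'."""
    for location, log_format in find_localfiles(conf_text):
        if location.lower() == SYSMON_CHANNEL.lower():
            # Applications and Services logs such as Sysmon need eventchannel;
            # the older eventlog format only reads the classic logs.
            return "ok" if log_format == "eventchannel" else "wrong_format"
    return "missing"


if __name__ == "__main__":
    print(sysmon_collection_status(SAMPLE_CONF))
```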