Sysmon For Linux

Shreenkhala Bhattarai
4 min read · Feb 5, 2024

Sysmon for Linux is a system monitoring tool that gives deep insight into the processes and activities occurring in Linux environments. It provides an extensive range of logging and monitoring features that give administrators the means to verify system security and integrity. By recording important system events such as file modifications, network connections and process creations, Sysmon makes proactive threat identification and response possible: with its real-time monitoring, administrators gain significant visibility into system activity and can detect and mitigate suspicious actions in a timely manner.

Organizations strengthen their defenses against malware infections, unauthorized access and other security threats by integrating Sysmon into their Linux systems. Sysmon's detailed logging makes it possible to analyze system events in depth, which helps with compliance audits and forensic investigations. Its lightweight and efficient architecture keeps the impact on system performance small, which makes it a good fit for both small deployments and large enterprise systems. Linux administrators can monitor, assess and defend their systems against evolving threats more effectively with Sysmon, improving overall security posture and resilience. It is essential to note the current limitations of Sysmon for Linux: not all event types are supported at the time of release.

Installation & Configuration

1. Install and configure Sysmon for Linux

Installation instructions for a range of Linux distributions are available on the official Microsoft Sysmon for Linux GitHub.

In this example, I install it on Ubuntu 22.04.

# 1. Register Microsoft key and feed
wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.asc.gpg
sudo mv microsoft.asc.gpg /etc/apt/trusted.gpg.d/
wget -q https://packages.microsoft.com/config/debian/11/prod.list
sudo mv prod.list /etc/apt/sources.list.d/microsoft-prod.list
sudo chown root:root /etc/apt/trusted.gpg.d/microsoft.asc.gpg
sudo chown root:root /etc/apt/sources.list.d/microsoft-prod.list

# 2. Install SysmonForLinux
sudo apt-get update
sudo apt-get install apt-transport-https
sudo apt-get update
sudo apt-get install sysmonforlinux

Once installed, you can use Sysmon as you would on a Windows platform, e.g.:

$ sysmon -h

Sysmon v1.3.1 - Monitors system events
Sysinternals - www.sysinternals.com
By Mark Russinovich, Thomas Garnier and Kevin Sheldrake
Copyright (C) 2014-2023 Microsoft Corporation
Licensed under MIT/GPLv2
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Usage:
Install: sysmon -i [<configfile>]
Update configuration: sysmon -c [<configfile>]
Print schema: sysmon -s
Uninstall: sysmon -u [force]
-c Update configuration of an installed Sysmon driver or dump the
current configuration if no other argument is provided. Optionally
take a configuration file.
-i Install service and driver. Optionally take a configuration file.
-s Print configuration schema definition of the specified version.
Specify 'all' to dump all schema versions (default is latest)).
-u Uninstall service and driver. Adding force causes uninstall to proceed
even when some components are not installed.
-btf Use the specified standalone BTF file.
The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.
On Linux, events are stored in the Syslog, often found at /var/log/syslog.
Use the '-? config' command for configuration file documentation. More examples are available on the Sysinternals website.

Neither install nor uninstall requires a reboot.

In a similar fashion to the Windows version of Sysmon, we can use an XML configuration file during (or post) installation to tune as required.

💡Example configurations for Sysmon for Linux can be found on MSTIC Sysmon Resources:

https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/main.xml

In this example, I am using the default installation configuration.

$ sudo sysmon -i

Sysmon v1.3.1 - Monitors system events
Sysinternals - www.sysinternals.com
By Mark Russinovich, Thomas Garnier and Kevin Sheldrake
Copyright (C) 2014-2023 Microsoft Corporation
Licensed under MIT/GPLv2
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Created symlink /etc/systemd/system/multi-user.target.wants/sysmon.service → /etc/systemd/system/sysmon.service.

On Ubuntu, Sysmon for Linux writes to /var/log/syslog, and you can verify that Sysmon is generating events by checking your syslog:

sudo grep -i sysmon /var/log/syslog

Feb 04 8:26:35 debian sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2024-02-04 T8:26:35.489184000Z"/><EventRecordID>17</EventRecordID><Correlation/><Execution ProcessID="54611" ThreadID="54611"/><Channel>Linux-Sysmon/Operational</Channel><Computer>lin-01</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2024-02-04 8:26:35.494</Data><Data Name="ProcessGuid">{3724345b-168f-6551-2954-0b2b41560000}</Data><Data Name="ProcessId">54622</Data><Data Name="Image">/usr/bin/grep</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">grep -i sysmon /var/log/syslog</Data><Data Name="CurrentDirectory">/home/admin_altostrat_co</Data><Data Name="User">root</Data><Data Name="LogonGuid">{3724345b-0000-0000-0000-000000000000}</Data><Data Name="LogonId">0</Data><Data Name="TerminalSessionId">7</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">SHA256=5212564899a46d5c342f3f49b42587446794a5b06389942db3145154a3fcd5c8</Data><Data Name="ParentProcessGuid">{3724345b-168f-6551-2dea-da77eb550000}</Data><Data Name="ParentProcessId">54621</Data><Data Name="ParentImage">/usr/bin/sudo</Data><Data Name="ParentCommandLine">sudo</Data><Data Name="ParentUser">admin_1823127835827_altostrat_co</Data></EventData></Event>

Because Sysmon for Linux writes by default to the generic OS log, forwarding its events to any syslog collector requires regex filtering to separate the Sysmon entries from the rest of the syslog traffic.
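As an added example (not part of the original post), the following Python shows the filtering step described above: it matches the `sysmon:` syslog prefix with a regex, parses the embedded `<Event>` XML into a flat dict keyed by `EventID` and the `Data Name` fields, and lets a forwarder pass on only selected event IDs. The syslog lines are constructed for the example, modelled on the event shown above; the `sysmon[pid]:` variant of the prefix is an assumption about how some rsyslog setups tag the process.

```python
import re
import xml.etree.ElementTree as ET
# Syslog prefix written in front of the XML body: "<ts> <host> sysmon[pid]: <Event>...</Event>"
SYSMON_LINE = re.compile(
    r"^(?P<ts>\S+ \d+ [\d:]+) (?P<host>\S+) sysmon(?:\[\d+\])?: (?P<xml><Event>.*</Event>)\s*$"
)

def parse_hashes(field):
    """Split Sysmon's 'SHA256=...,MD5=...' Hashes field into a dict keyed by algorithm."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)

def parse_sysmon_line(line):
    """Return a flat dict for one Sysmon syslog line, or None if the line is not Sysmon's."""
    m = SYSMON_LINE.match(line)
    if not m:
        return None
    root = ET.fromstring(m.group("xml"))
    system = root.find("System")
    event = {"host": m.group("host"), "EventID": int(system.findtext("EventID"))}
    for data in root.iter("Data"):            # <Data Name="Image">/usr/bin/grep</Data> ...
        event[data.get("Name")] = data.text
    if "Hashes" in event and event["Hashes"] not in (None, "-"):
        event["Hashes"] = parse_hashes(event["Hashes"])
    return event

def filter_sysmon(lines, event_ids=None):
    """Yield parsed Sysmon events from mixed syslog lines, optionally only the given EventIDs."""
    for line in lines:
        event = parse_sysmon_line(line)
        if event is not None and (not event_ids or event["EventID"] in event_ids):
            yield event

# Constructed sample syslog lines (not captured from a real host), modelled on the event above.
_EVT1 = ('<Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Computer>lin-01</Computer>'
         '</System><EventData><Data Name="RuleName">-</Data><Data Name="Image">/usr/bin/grep</Data>'
         '<Data Name="CommandLine">grep -i sysmon /var/log/syslog</Data><Data Name="ParentImage">/usr/bin/sudo</Data>'
         '<Data Name="Hashes">SHA256=5212564899a46d5c342f3f49b42587446794a5b06389942db3145154a3fcd5c8</Data>'
         '</EventData></Event>')
_EVT3 = ('<Event><System><Provider Name="Linux-Sysmon"/><EventID>3</EventID><Computer>lin-01</Computer>'
         '</System><EventData><Data Name="Image">/usr/bin/curl</Data><Data Name="DestinationIp">192.0.2.10</Data>'
         '<Data Name="DestinationPort">443</Data></EventData></Event>')
SAMPLE_LINES = [
    'Feb 04 8:26:30 lin-01 kernel: [1234.5678] audit: type=1400 apparmor="STATUS"',  # not Sysmon
    "Feb 04 8:26:35 lin-01 sysmon: " + _EVT1,
    "Feb 04 8:26:36 lin-01 sysmon[54611]: " + _EVT3,
    "Feb 04 8:26:37 lin-01 systemd[1]: Started Session 7 of user admin.",           # not Sysmon
]
if __name__ == "__main__":
    for ev in filter_sysmon(SAMPLE_LINES, event_ids={1}):  # forward only process-creation events
        print(ev["EventID"], ev["Image"], ev.get("Hashes", {}).get("SHA256"))
```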

Event ID Numbers

As the previous snippet suggests, there are not as many event IDs on Linux as there are on Windows. What the two platforms do share is the numbering: the event IDs carried over from Windows keep the same values, so a file creation is the same event ID across architectures. The table below shows the event IDs that are common to Sysmon for Windows and Sysmon for Linux.
