
Syslog - Sysmon for Linux (XML)

Device Details

Device Name: Sysmon for Linux

Vendor: Linux

Device Type: Sysmon for Linux

Supported Model Name/Number: N/A

Supported Software Version: N/A

Collection Method: Syslog

Configurable Log Output: XML

Log Source Type: Syslog - Sysmon for Linux (XML)

Log Processing Policy: LogRhythm Default V 2.0

Exceptions: N/A

Additional Information

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

https://in.security/2021/10/18/getting-started-with-sysmon-for-linux/

Support for Sysmon for Linux logs:

The Log Source Type "Syslog - Sysmon for Linux (XML)" works directly with logs that Linux systems send over Syslog, with no additional log forwarder required. If a third-party forwarder relays the logs over Syslog, use a Log Source Virtualization (LSV) template to filter the Sysmon for Linux logs out of the shared stream, and make sure the filtered logs are directed to the dedicated LST: Syslog - Sysmon for Linux (XML).

Identifier regex for creating the LSV template for Sysmon for Linux logs:

<Provider\sName="Linux\-Sysmon"

For more information, see Log Source Virtualization.
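The following is an added example, not LogRhythm's code or parser, showing what the LSV step above does in practice: the identifier regex from this page is applied to a shared syslog stream to pick out Sysmon for Linux lines, and each matched line is then flattened into the EVID and EventData fields that the LST tags map onto. The sample syslog lines are constructed for the example, the host names and addresses in them are placeholders, and the field names (ProcessId, Image, CommandLine, DestinationPort and so on) follow Sysmon's own EventData naming rather than any LogRhythm tag; the point of the example is that the identifier is a router, not a validator, so a line that matches the regex but fails to parse must fall through rather than abort the pipeline.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Identifier regex exactly as given on the page. It only recognises the
# Sysmon for Linux <Provider> element; it does not parse or validate the event.
SYSMON_LINUX_IDENTIFIER = re.compile(r'<Provider\sName="Linux\-Sysmon"')

# Constructed sample syslog lines (not captured from a real host). Each Sysmon
# line carries the event XML after the syslog header, in the Sysmon for Linux
# layout: <System> metadata plus <EventData><Data Name="..."> pairs.
SAMPLE_LINES = [
    'Oct 18 10:00:01 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon"/>'
    '<EventID>1</EventID><Computer>web01</Computer></System><EventData>'
    '<Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/curl</Data>'
    '<Data Name="CommandLine">curl -s http://intranet.example/status</Data>'
    '<Data Name="User">www-data</Data><Data Name="ParentProcessId">4100</Data>'
    '<Data Name="ParentImage">/usr/bin/bash</Data></EventData></Event>',
    'Oct 18 10:00:02 web01 sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 51514 ssh2',
    'Oct 18 10:00:03 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon"/>'
    '<EventID>3</EventID><Computer>web01</Computer></System><EventData>'
    '<Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/curl</Data>'
    '<Data Name="Protocol">tcp</Data><Data Name="SourceIp">10.0.0.20</Data>'
    '<Data Name="SourcePort">40112</Data><Data Name="DestinationIp">10.0.0.80</Data>'
    '<Data Name="DestinationPort">80</Data></EventData></Event>',
    'Oct 18 10:00:04 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon"/>'
    '<EventID>5</EventID><Computer>web01</Computer></System><EventData>'
    '<Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/curl</Data>'
    '<Data Name="User">www-data</Data></EventData></Event>',
]


def is_sysmon_linux(line: str) -> bool:
    """LSV-style filter: does this syslog line belong to the Sysmon for Linux LST?"""
    return SYSMON_LINUX_IDENTIFIER.search(line) is not None


def parse_sysmon_event(line: str) -> Optional[dict]:
    """Extract the <Event> XML from a syslog line and flatten it to a dict.

    Returns None for lines that do not carry a well-formed Sysmon event, so a
    truncated or malformed line cannot abort processing of the stream.
    """
    start = line.find("<Event>")
    end = line.rfind("</Event>")
    if start == -1 or end == -1:
        return None
    try:
        root = ET.fromstring(line[start:end + len("</Event>")])
    except ET.ParseError:
        return None
    event = {
        "EventID": int(root.findtext("System/EventID", default="-1")),
        "Computer": root.findtext("System/Computer", default=""),
    }
    # <Data Name="X">value</Data> pairs become plain keys; Sysmon field names
    # are unique within one event, so a flat dict loses nothing.
    for data in root.iterfind("EventData/Data"):
        event[data.get("Name", "")] = data.text or ""
    return event


def route(lines):
    """Split a syslog stream into parsed Sysmon events and everything else."""
    sysmon, other = [], []
    for line in lines:
        if not is_sysmon_linux(line):
            other.append(line)
            continue
        event = parse_sysmon_event(line)
        if event is None:
            other.append(line)  # matched the identifier but did not parse
        else:
            sysmon.append(event)
    return sysmon, other


if __name__ == "__main__":
    events, rest = route(SAMPLE_LINES)
    for e in events:
        print(e["EventID"], e["Computer"], e.get("Image"), e.get("CommandLine", ""))
    print(f"{len(rest)} line(s) left on the generic syslog path")
```

Because the regex is anchored on the provider element rather than on a syslog program name, it keeps working when a forwarder rewrites the syslog header, which is the situation the LSV guidance above addresses; the trade-off is that anything else carrying that literal string would also be routed, which is why the parse step returns None instead of raising.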

Supported Log Messages

(List of LR tags used to parse the log information for each message type)

| Type | Product Version | Supported Schema Fields |
| --- | --- | --- |
| Catch-All | N/A | <vmid>, <dname> |
| EVID 1: Process Created Log Messages | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <policy>, <processid>, <process>, <command>, <domainorigin>, <login>, <session>, <hash>, <parentprocessid>, <parentprocesspath>, <parentprocessname>, <object> |
| EVID 3: Network Connect Log Messages | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <policy>, <processid>, <process>, <domainorigin>, <login>, <protname>, <sip>, <sname>, <sport>, <dip>, <dport> |
| EVID 4: Service State Change Log Messages | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <status>, <tag1>, <version> |
| EVID 5: Process Terminate Log Messages | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <policy>, <processid>, <process>, <domainorigin>, <login> |
| EVID 9: Raw Access Read Log Messages | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <policy>, <processid>, <process>, <object>, <domainorigin>, <login> |
| EVID 11: File Create Log Messages | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <policy>, <processid>, <process>, <objectname>, <domainorigin>, <login> |
| EVID 16: Service Configuration Change Log Messages | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <object>, <hash> |
| EVID 23: File Delete Log Messages | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <policy>, <processid>, <domainorigin>, <login>, <process>, <objectname>, <hash> |

Revision History

| KB Version | Log Type | Change Type | Details |
| --- | --- | --- | --- |
| KB 7.701.0 | Syslog - Sysmon for Linux (XML) | New Device Documentation | N/A |
