Support for running Sysmon from CLI/interactive inside a container or AKS cluster

[avwsolutions]

Sysmon helps to extract a lot of information using EBPF. This also could work inside your Kubernetes (AKS Support) cluster. Currently the blocking issue is that we need to install sysmon with '-i' which tries to configure systemd. Systemd is not available in Docker.

It would be better to execute it as a CLI interactive tool, so we can run this inside a container, so we potentially can use this as daemonset on the AKS worker nodes to extract information what happens inside the cluster. Familiar use case is implemented within Falco.

[kesheldr]

If you use '-i -service' then it won't attempt to install itself or configure systemd/initd. It will need the /opt/sysmon directory to already exist however. I will add a new switch that does the standard installation but without the systemd/initd part. Let me know in the mean time if '-service' helps in a container or AKS cluster.

[spencerroth3]

Hi @kesheldr was this new switch ever added? I am attempting to run Sysmon in a docker container and still facing this same issue of it requiring systemd even with using the ‘-i -service’ switches. Thanks!