SysmonForLinux
EventID=3 Source and DestinationHostname not resolved?
Describe the bug
We are not able to resolve SourceHostname and DestinationHostname in Evt.3 the same way it is done in Sysmon for Windows. I have tried to add <DnsLookup>true</DnsLookup> to the .xml, but the log only shows "-". All IPs are manually resolvable from the OS.

To Reproduce
Look for Source and destination hostname in EventID=3?

Sysmon version
Version 1.3.3

Distro/kernel version
Red Hat Enterprise Linux 8.10 (Ootpa)
Ubuntu 20.04.6 LTS

Sysmon configuration
Since DNS lookup should (in the Windows version at least) be enabled by default? I have also tried with <DnsLookup>true</DnsLookup> with no result.

Logs
Oct 7 16:32:19 Server1 sysmon[1569566]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>3</EventID><Version>5</Version><Level>4</Level><Task>3</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2024-10-07T14:32:19.670711000Z"/><EventRecordID>1106903</EventRecordID><Correlation/><Execution ProcessID="1569566" ThreadID="1569566"/><Channel>Linux-Sysmon/Operational</Channel><Computer>server1.domain.local</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2024-10-07 14:32:19.673</Data><Data Name="ProcessGuid">{c30c9345-59f2-6703-b805-bfc8d8550000}</Data><Data Name="ProcessId">2898441</Data><Data Name="Image">+/usr/libexec/sssd/sssd_be</Data><Data Name="User">root</Data><Data Name="Protocol">udp</Data><Data Name="Initiated">false</Data><Data Name="SourceIsIpv6">false</Data><Data Name="SourceIp">10.1.1.1</Data><Data Name="SourceHostname">-</Data><Data Name="SourcePort">53</Data><Data Name="SourcePortName">-</Data><Data Name="DestinationIsIpv6">false</Data><Data Name="DestinationIp">10.2.2.2</Data><Data Name="DestinationHostname">-</Data><Data Name="DestinationPort">47348</Data><Data Name="DestinationPortName">-</Data></EventData></Event>

Expected behavior
Sysmon should resolve the hostname from the IP and place the result in the log. Like:
<Data Name="SourceIp">10.1.1.1</Data><Data Name="SourceHostname">Server1.domain.local</Data><Data Name="SourcePort">53</Data><Data Name="SourcePortName">-</Data><Data Name="DestinationIsIpv6">false</Data><Data Name="DestinationIp">10.2.2.2</Data><Data Name="DestinationHostname">Server2.domain.local</Data><Data Name="DestinationPort">47348</Data><Data Name="DestinationPortName">-</Data></EventData>
Additional context
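Until Sysmon for Linux fills these fields itself, the hostname enrichment the reporter expects can be done at log-ingestion time instead. The script below is an added example, not code from the SysmonForLinux project or from the issue: it pulls the `<Event>` XML out of a syslog line like the one quoted above, flattens the `EventData/Data` fields into a dict, and for EventID 3 records whose `SourceHostname`/`DestinationHostname` are `-` fills them by reverse DNS. The sample line is constructed to mirror the reported event; the `domain.local` host names used when running it are placeholders, and the resolver is injectable so the lookup can be replaced by a table (for tests) or by a caching resolver (in production).

```python
"""Post-processing enrichment for Sysmon for Linux EventID 3 (network connection) records.

Added example: when Sysmon emits "-" for SourceHostname/DestinationHostname, fill them in
with a reverse (PTR) lookup during log ingestion.
"""
import socket
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional

# Constructed sample syslog line, modelled on the event quoted in the issue report.
SAMPLE_LINE = (
    'Oct  7 16:32:19 Server1 sysmon[1569566]: <Event><System>'
    '<Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>'
    '<EventID>3</EventID><Version>5</Version><Level>4</Level><Task>3</Task>'
    '<Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords>'
    '<TimeCreated SystemTime="2024-10-07T14:32:19.670711000Z"/>'
    '<EventRecordID>1106903</EventRecordID><Correlation/>'
    '<Execution ProcessID="1569566" ThreadID="1569566"/>'
    '<Channel>Linux-Sysmon/Operational</Channel><Computer>server1.domain.local</Computer>'
    '<Security UserId="0"/></System><EventData>'
    '<Data Name="RuleName">-</Data><Data Name="UtcTime">2024-10-07 14:32:19.673</Data>'
    '<Data Name="ProcessGuid">{c30c9345-59f2-6703-b805-bfc8d8550000}</Data>'
    '<Data Name="ProcessId">2898441</Data><Data Name="Image">/usr/libexec/sssd/sssd_be</Data>'
    '<Data Name="User">root</Data><Data Name="Protocol">udp</Data>'
    '<Data Name="Initiated">false</Data><Data Name="SourceIsIpv6">false</Data>'
    '<Data Name="SourceIp">10.1.1.1</Data><Data Name="SourceHostname">-</Data>'
    '<Data Name="SourcePort">53</Data><Data Name="SourcePortName">-</Data>'
    '<Data Name="DestinationIsIpv6">false</Data><Data Name="DestinationIp">10.2.2.2</Data>'
    '<Data Name="DestinationHostname">-</Data><Data Name="DestinationPort">47348</Data>'
    '<Data Name="DestinationPortName">-</Data></EventData></Event>'
)

# A resolver maps an IP address string to a host name, or to "-" when nothing is known.
Resolver = Callable[[str], str]


def extract_event_xml(line: str) -> Optional[str]:
    """Return the <Event>...</Event> payload embedded in a syslog line, or None if absent."""
    start = line.find("<Event>")
    end = line.rfind("</Event>")
    if start == -1 or end == -1:
        return None
    return line[start:end + len("</Event>")]


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten a Sysmon event into a dict: EventID plus every EventData/Data field by Name."""
    root = ET.fromstring(xml_text)
    fields: Dict[str, str] = {}
    event_id = root.findtext("System/EventID")
    if event_id is not None:
        fields["EventID"] = event_id
    for data in root.iterfind("EventData/Data"):
        name = data.get("Name")
        if name:
            fields[name] = data.text or ""
    return fields


def system_resolver(ip: str) -> str:
    """Default resolver: PTR lookup through the OS resolver; "-" when there is no answer."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return "-"


def enrich_network_event(fields: Dict[str, str], resolver: Resolver = system_resolver) -> Dict[str, str]:
    """Fill SourceHostname/DestinationHostname on EventID 3 records where Sysmon left "-".

    Other event types, and fields Sysmon already resolved, are returned unchanged.
    """
    enriched = dict(fields)
    if enriched.get("EventID") != "3":
        return enriched
    for ip_key, host_key in (("SourceIp", "SourceHostname"), ("DestinationIp", "DestinationHostname")):
        ip = enriched.get(ip_key)
        if ip and enriched.get(host_key, "-") == "-":
            enriched[host_key] = resolver(ip)
    return enriched


def enrich_line(line: str, resolver: Resolver = system_resolver) -> Optional[Dict[str, str]]:
    """Parse one syslog line and return the enriched field dict, or None if it holds no event."""
    xml_text = extract_event_xml(line)
    if xml_text is None:
        return None
    return enrich_network_event(parse_event(xml_text), resolver)


if __name__ == "__main__":
    # Constructed lookup table standing in for the site's reverse zone (placeholder names).
    table = {"10.1.1.1": "server1.domain.local", "10.2.2.2": "server2.domain.local"}
    result = enrich_line(SAMPLE_LINE, lambda ip: table.get(ip, "-"))
    for key in ("SourceIp", "SourceHostname", "DestinationIp", "DestinationHostname"):
        print(f"{key}={result[key]}")
```

Two operational points for anyone wiring this into a pipeline: a PTR lookup per event is far too slow for the ingestion hot path, so wrap `system_resolver` in a TTL cache (or resolve asynchronously and back-fill), and treat the returned names as untrusted data for display and correlation only, since whoever controls the reverse zone controls what appears in that field.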