SysmonForLinux

centos 8 Image and CommandLine returned in null values

Open frkn4129 opened this issue 3 years ago • 6 comments

I want to install Sysmon on CentOS 8. For CentOS 8 I did the following steps, but null values are returned in /var/log/messages. How did you do it? Can you help me?

CentOS 8

Register the Microsoft key and feed:

    sudo rpm -Uvh https://packages.microsoft.com/config/centos/8/packages-microsoft-prod.rpm

Install SysmonForLinux:

    sudo dnf install sysmonforlinux

Example log from /var/log/messages:

Jan 6 09:58:15 localhost sysmon[1861664]: <Event><System><Provider Name="Linux-Sysmon" Guid="{fd293-a1d3-4f13-b0d6-01fc80f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x800000000000000</Keywords><TimeCreated SystemTime="2022-01-06T09:51:15.175756000Z"/><EventRecordID>358070</EventRecordID><Correlation/><Execution ProcessID="1861664" ThreadID="1861664"/><Channel>Linux-Sysmon/Operational</Channel><Computer>localhost.localdomain</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2022-01-06 06:58:15.177</Data><Data Name="ProcessGuid">{4f20d11a-4478-61d5-0000-000000000000}</Data><Data Name="ProcessId">188</Data><Data Name="Image">(null)</Data><Data Name="User">-</Data></EventData></Event>

frkn4129, Jan 06 '22 07:01

I have been experiencing this issue on most RHEL-compatible distributions I've tried (the exception being Oracle Linux, which works). Fresh installs of Rocky Linux, CentOS 8, and CentOS Stream 8 all experience this same behavior of not populating most fields. One thing these also have in common is that the get_offsets module must be compiled and run manually to start sysmon.

Djent-, Jan 07 '22 19:01

@Djent- thank you for answering. Can you help me compile and run the get_offset module manually? I followed the steps below:

    cd /opt/sysinternalsEBPF/getOffsets/
    make
    make conf > /opt/sysinternalsEBPF/sysinternalsEBPF_offsets.conf
    systemctl start sysmon.service

What other steps do I need to follow?

frkn4129, Jan 09 '22 18:01

@frkn4129 It's no use. It doesn't help. RHEL and derivatives are included in the INSTALL.md, but are not supported: https://github.com/Sysinternals/SysinternalsEBPF/issues/2#issuecomment-954290414

Djent-, Jan 10 '22 16:01

Is there any other solution method?

frkn4129, Feb 01 '22 07:02

Hey all, just FYI: CentOS 8 has been EOLed since 21st Dec 2021 - https://www.centos.org/news-and-events/1322-october-centos-dojo-videos/ CentOS 7 will not be EOL until 2024. It makes more sense to support CentOS 7 and CentOS Stream.

wuuutlol, Feb 04 '22 11:02

Thanks for reporting this. We are aware that there are issues with CentOS 8/Stream (fails eBPF verification) and it is on our backlog. CentOS 7 is not supported as it runs a pretty old kernel that doesn't have the eBPF capabilities that we need for Sysmon.

MarioHewardt, May 13 '22 15:05

On some systems we are unable to auto-discover the offsets required to populate the fields. On those systems, you need to run getOffsets, which will create a config file that sysmon will use with the correct offsets.

https://github.com/Sysinternals/SysinternalsEBPF/blob/main/getOffsets/README.md

MarioHewardt, Jan 13 '23 23:01

Closing as I've pushed a fix that should resolve the issue. Please make sure to run getOffsets (https://github.com/Sysinternals/SysinternalsEBPF/tree/main/getOffsets) to get this to work on CentOS 8.

Please note that you will have to build Sysmon until we get new packages out.

MarioHewardt, Jan 20 '23 01:01
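The symptom in this thread is easy to miss in a pipeline: sysmon keeps emitting well-formed events, but fields such as Image carry the literal string "(null)" because the kernel struct offsets were not discovered. The following check, added here as an illustration and not code from the Sysmon for Linux or SysinternalsEBPF projects, reads syslog lines in the shape of the one posted above, pulls the embedded <Event> XML out of each line, and reports per EventID how many events have a null Image. Run it against /var/log/messages before and after running getOffsets: a non-zero null count for new events means the offsets file is still not being picked up. The sample lines at the top are constructed for the example (field values are made up), and the "-" marker is deliberately not counted as null because Sysmon uses it for fields that legitimately have no value (RuleName, User in the posted line).

```python
"""Health check for Sysmon for Linux field population in syslog output."""
import re
import sys
import xml.etree.ElementTree as ET

# Matches the syslog prefix sysmon writes ("sysmon[<pid>]: ") and captures the
# <Event>...</Event> payload that follows it on the same line.
EVENT_RE = re.compile(r"sysmon\[\d+\]: (<Event>.*</Event>)")

# Sysmon's own marker for "no value"; it is not the offsets failure.
NO_VALUE = "-"
# What the issue reports when a field could not be resolved from kernel memory.
NULL_VALUE = "(null)"


def _make_line(event_id, fields):
    """Build a constructed syslog line in the same shape as the posted log."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (
        f"Jan  6 09:58:15 localhost sysmon[1861664]: <Event><System>"
        f'<Provider Name="Linux-Sysmon"/><EventID>{event_id}</EventID>'
        f"<Channel>Linux-Sysmon/Operational</Channel></System>"
        f"<EventData>{data}</EventData></Event>"
    )


# Constructed sample input: one broken EventID 5 like the one in the issue,
# one healthy EventID 5, one healthy EventID 1 and one unrelated syslog line.
SAMPLE_LINES = [
    _make_line(5, {"RuleName": "-", "ProcessId": "188", "Image": "(null)", "User": "-"}),
    _make_line(5, {"RuleName": "-", "ProcessId": "189", "Image": "/usr/bin/sleep", "User": "root"}),
    _make_line(1, {"RuleName": "-", "ProcessId": "190", "Image": "/usr/bin/bash",
                   "CommandLine": "bash -c id", "User": "root"}),
    "Jan  6 09:58:16 localhost kernel: [12345.678] audit: type=1300 constructed filler",
]


def parse_event(line):
    """Return {"event_id": int, "fields": {name: value}} for a sysmon syslog
    line, or None if the line carries no sysmon event."""
    match = EVENT_RE.search(line)
    if match is None:
        return None
    root = ET.fromstring(match.group(1))
    event_id = int(root.findtext("System/EventID"))
    # EventData holds <Data Name="...">value</Data> children; empty text -> "".
    fields = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    return {"event_id": event_id, "fields": fields}


def null_field_report(lines, field="Image"):
    """Count, per EventID, how many events have `field` missing or "(null)".

    Returns {event_id: {"null": n, "total": m}}. Non-sysmon lines are skipped.
    """
    report = {}
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        entry = report.setdefault(event["event_id"], {"null": 0, "total": 0})
        entry["total"] += 1
        value = event["fields"].get(field)
        # "-" is Sysmon's normal "no value" marker and is not the offsets bug.
        if value is None or value == NULL_VALUE:
            entry["null"] += 1
    return report


def is_healthy(report, max_null_ratio=0.0):
    """True when no EventID exceeds the allowed ratio of null values."""
    for entry in report.values():
        if entry["total"] and entry["null"] / entry["total"] > max_null_ratio:
            return False
    return True


def main(argv):
    # Usage: python sysmon_null_check.py /var/log/messages  (or pipe on stdin)
    source = open(argv[1], errors="replace") if len(argv) > 1 else sys.stdin
    with source:
        report = null_field_report(source)
    for event_id in sorted(report):
        entry = report[event_id]
        print(f"EventID {event_id}: {entry['null']}/{entry['total']} events with Image=(null)")
    return 0 if is_healthy(report) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status makes the check usable from a deployment script: a non-zero exit after installing the offsets file means getOffsets did not produce offsets that sysmon is using, and the events are not worth shipping to a SIEM until that is fixed. Pass a different `field` to `null_field_report` (for example `CommandLine`, which the issue title also names) to check other resolved fields the same way.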