SysmonForLinux
Only seeing Event Types 1 and 5 (Process Creation/Termination)
I've installed SysmonForLinux on Ubuntu, but it only seems to be generating Process Create and Termination events. I've run commands that created files and network connections, but they only resulted in process creations. I've also installed it on Debian, same problem...
Any suggestions on what I need to change so I'm capturing all events?
Found the/my problem - the default config, config.xml, does minimal data collection. Using https://gist.githubusercontent.com/Cyb3rWard0g/bcf1514cc340197f0076bf1da8954077/raw/293db31bb81c48ff18a591574a6f2bf946282602/SysmonForLinux-CollectAll-Config.xml instead of the default made all the difference.
Glad you got it sorted out! Yes, by default only a few select events are configured. There are a lot of good sources of Sysmon configuration files available online. Please note that at the moment Sysmon for Linux only supports a subset of the events of the Windows version.
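For readers landing here with the same symptom, the following is an added illustration (editor's example, not the project's shipped config.xml and not the gist linked above) of why a minimal config yields only EventID 1 and 5, and what a collect-everything config looks like. It assumes schemaversion 4.81 and the event types commonly listed for Sysmon for Linux (ProcessCreate 1, NetworkConnect 3, ProcessTerminate 5, RawAccessRead 9, FileCreate 11, FileDelete 23); confirm both against the schema your build prints with `sudo sysmon -s` before using it. The key Sysmon semantics: an event type with no rule falls back to its schema default (`ruledefault` in the `sysmon -s` output), which is "include" for process create/terminate but "exclude" for network and file events, and an empty `onmatch="exclude"` rule excludes nothing, i.e. logs every event of that type.

```xml
<!-- A: minimal config. Only event types whose schema default is "include"
     (ProcessCreate, ProcessTerminate) are logged; NetworkConnect, FileCreate,
     FileDelete and RawAccessRead never appear because they default to exclude. -->
<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"/>
      <ProcessTerminate onmatch="exclude"/>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

<!-- B: collect-all config. An empty exclude rule per event type means
     "exclude nothing", so every supported event is written to syslog.
     Expect this to be noisy on a busy host; add exclude filters for known
     benign images (e.g. your own log shipper) once you have a baseline. -->
<Sysmon schemaversion="4.81">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude"/>
      <NetworkConnect onmatch="exclude"/>
      <ProcessTerminate onmatch="exclude"/>
      <RawAccessRead onmatch="exclude"/>
      <FileCreate onmatch="exclude"/>
      <FileDelete onmatch="exclude"/>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Apply config B with `sudo sysmon -c collect-all.xml` (no reinstall needed; `sudo sysmon -c` with no argument dumps the active config so you can verify it took), then trigger a file write and an outbound connection and check that EventIDs 11 and 3 show up in syslog (`/var/log/syslog` on Ubuntu/Debian) alongside 1 and 5.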
Thank you, Mario for responding.
Perhaps you can shed light on another question that has come up... Sysmon For Linux writes a field called UtcTime, and I cannot figure out what this field represents. In the example below, the TimeCreated SystemTime is the actual time of the command and matches the timestamp from syslog. But the UtcTime is about 5 days prior, far more than the UTC offset. Any thoughts on what this value refers to or its significance from a forensics perspective?
```xml
Mar 11 19:48:28 localhost sysmon: <Event>
  <System>
    <Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
    <EventID>5</EventID>
    <Version>3</Version>
    <Level>4</Level>
    <Task>5</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2022-03-11T19:48:28.203878000Z"/>
    <EventRecordID>1097444</EventRecordID>
    <Correlation/>
    <Execution ProcessID="796" ThreadID="796"/>
    <Channel>Linux-Sysmon/Operational</Channel>
    <Computer>siftworkstation</Computer>
    <Security UserId="0"/>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2022-03-06 22:41:03.831</Data>
    <Data Name="ProcessGuid">{59f199d6-387f-6225-8175-61b5e1550000}</Data>
    <Data Name="ProcessId">359066</Data>
    <Data Name="Image">/usr/bin/ls</Data>
    <Data Name="User">sansforensics</Data>
  </EventData>
</Event>
```
Thank you again,
Rob Blader, CFCE, CISSP, DHS-CISA Host Forensic Section Support, Digiflight, Inc., 202-394-7896
On Fri, May 13, 2022 at 11:17 AM Mario Hewardt wrote (https://github.com/Sysinternals/SysmonForLinux/issues/60#issuecomment-1126167747):
> Glad you got it sorted out! Yes, by default only a few select events are configured. There are a lot of good sources of Sysmon configuration files available online. Please note that at the moment Sysmon for Linux only supports a subset of the events of the Windows version.
The UtcTime field should be the time in UTC when the underlying operation that generated the event occurred (which should also be the same as TimeCreated). Are you consistently seeing this and is there a pattern to when the problem occurs? E.g., does it happen on a clean start of Sysmon or only after Sysmon has been running for a while?
Looks like UtcTime is when the underlying operation that generated the event occurred and TimeCreated is the time it was actually logged. The difference between them should be minimal and certainly a difference of days is incorrect. I haven't had much luck reproducing the issue so if you can provide any additional details that would be great.
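Two things in this thread are worth turning into a repeatable check before trusting Sysmon for Linux output in a forensic timeline: whether the running config actually produces more than EventID 1 and 5, and whether UtcTime (when the operation happened) and TimeCreated (when it was logged) agree to within a few seconds, as Mario describes above. The script below is an added example by the editor, not code from the SysmonForLinux project. It parses the `sysmon: <Event>...</Event>` records Sysmon for Linux writes to syslog, builds an EventID histogram, and flags records whose two timestamps diverge by more than a threshold. The sample input is constructed: the first record reproduces the EventID 5 event quoted in this thread (UtcTime about five days before TimeCreated); the other two are made-up healthy records with non-essential fields omitted.

```python
"""Offline sanity checks over Sysmon for Linux syslog records.

Editor's example. Feed it real data with:
    grep ' sysmon: ' /var/log/syslog | python3 sysmon_checks.py
"""
import re
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the shape Sysmon for Linux writes to syslog. Record 1 is the
# EventID 5 event quoted in this issue; records 2 and 3 are made-up healthy events.
SAMPLE_SYSLOG = r"""
Mar 11 19:48:28 localhost sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2022-03-11T19:48:28.203878000Z"/><EventRecordID>1097444</EventRecordID><Correlation/><Execution ProcessID="796" ThreadID="796"/><Channel>Linux-Sysmon/Operational</Channel><Computer>siftworkstation</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2022-03-06 22:41:03.831</Data><Data Name="ProcessGuid">{59f199d6-387f-6225-8175-61b5e1550000}</Data><Data Name="ProcessId">359066</Data><Data Name="Image">/usr/bin/ls</Data><Data Name="User">sansforensics</Data></EventData></Event>
Mar 11 19:48:30 localhost sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><TimeCreated SystemTime="2022-03-11T19:48:30.001000000Z"/><EventRecordID>1097445</EventRecordID></System><EventData><Data Name="UtcTime">2022-03-11 19:48:30.000</Data><Data Name="Image">/usr/bin/curl</Data></EventData></Event>
Mar 11 19:48:31 localhost sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>3</EventID><TimeCreated SystemTime="2022-03-11T19:48:31.500000000Z"/><EventRecordID>1097446</EventRecordID></System><EventData><Data Name="UtcTime">2022-03-11 19:48:31.498</Data><Data Name="Image">/usr/bin/curl</Data></EventData></Event>
"""

# Everything after the syslog tag "sysmon: " up to the closing </Event> is one XML document.
SYSLOG_RE = re.compile(r" sysmon: (<Event>.*</Event>)\s*$")


def parse_ts(s):
    """Parse both timestamp styles Sysmon emits: '2022-03-11T19:48:28.203878000Z'
    (nanoseconds, trailing Z) and '2022-03-06 22:41:03.831' (milliseconds).
    Fraction is truncated/padded to microseconds; both are treated as UTC."""
    s = s.strip().rstrip("Z").replace("T", " ")
    if "." in s:
        base, frac = s.split(".", 1)
        s = f"{base}.{frac[:6].ljust(6, '0')}"
    else:
        s += ".000000"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)


def parse_events(syslog_text):
    """Return a list of dicts with the fields needed for the two checks."""
    events = []
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        root = ET.fromstring(m.group(1))
        system = root.find("System")
        data = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
        events.append({
            "EventID": int(system.findtext("EventID")),
            "EventRecordID": int(system.findtext("EventRecordID")),
            "TimeCreated": parse_ts(system.find("TimeCreated").get("SystemTime")),
            "UtcTime": parse_ts(data["UtcTime"]),
            "Image": data.get("Image", ""),
        })
    return events


def event_id_coverage(events):
    """Histogram of EventIDs. If this contains only {1, 5}, the config is the
    minimal one discussed in this thread, not a collect-all one."""
    counts = {}
    for e in events:
        counts[e["EventID"]] = counts.get(e["EventID"], 0) + 1
    return dict(sorted(counts.items()))


def timestamp_skew(events, max_skew_seconds=5.0):
    """Records where TimeCreated - UtcTime exceeds the threshold, as
    (EventRecordID, EventID, skew_seconds). Logging lag of a few ms is normal;
    anything like the ~5 days in the quoted record means one of the two
    timestamps cannot be trusted for timeline work."""
    flagged = []
    for e in events:
        skew = (e["TimeCreated"] - e["UtcTime"]).total_seconds()
        if abs(skew) > max_skew_seconds:
            flagged.append((e["EventRecordID"], e["EventID"], round(skew, 3)))
    return flagged


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SYSLOG
    evs = parse_events(text)
    print("EventID coverage:", event_id_coverage(evs))
    for rec, eid, skew in timestamp_skew(evs):
        print(f"record {rec} (EventID {eid}): UtcTime/TimeCreated skew {skew} s")
```

Run with no stdin it uses the constructed sample and flags only record 1097444 (skew of roughly 421644 s, about 4.9 days); on real data, pipe in the syslog lines and treat any non-trivial skew as a reason to cross-check against the syslog receive timestamp before building a timeline on UtcTime.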
Hi Mario,
Great to hear from you!
It seemed like about a month after I presented my findings to you, I also had trouble re-creating the UTC time issue. There was even a time where I saw that if I set my local timezone to UTC, the UtcTime was a few hours off. That went away after re-booting.
I'm very sorry (and embarrassed) about this... I'm wondering if there was some package update that corrected the issue I was seeing. This has me concerned because the bulk of my testing was done on that VM. I have a second VM with Sysmon installed with Phoronix Test Suite (I played with running performance benchmarks to see if/how sysmon impacted), and I will validate my findings on that system going forward, to try and avoid false alarms in the future.
I also saw your response regarding rule names that you sent to @.***, Subject: Re: [Sysinternals/SysmonForLinux] Problems logging rules (Issue #75). I had submitted before I knew about the collaboration between Microsoft and CISA. Do I just download the latest and follow the directions in the Build.md file that is on Github to compile/test it?
Thank you,
Rob Blader, CFCE, CISSP, DHS-CISA Host Forensic Section, DigiFlight, Inc., 202-394-7896
Hi Rob - no worries at all. If you end up seeing it again, just let me know. Yes, to test the rule names fix you can follow the instructions in BUILD.md. If you run into any issues, please let me know.
Thank you, will do! I'll dive into that next week.
-Rob
Hi - Closing for now. Please feel free to reopen if the issue persists.