sysmon-config
DNSQuery EID not found in event viewer
OS: windows 7 x64
OS Version: 6.1.7601 Service Pack 1 Build 7601
I downloaded sysmon from https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
I tried installing and uninstalling many times, and it still doesn't show any EID 22; yes, I did visit many, many URLs from Chrome.
Does anyone have the same confusion?
Same here. I presume you enabled the DNS Client Events logs? I did, and still no Event ID 22 in the Sysmon logs. I've been hacking at it for a bit of the day. I've not worked with Sysmon configs in the past and figured I was just messing something up (or forgetting to enable something).
Hello. This was reported to us by a customer earlier today, and in their environment at least it was caused by a comment immediately after the RuleGroup element.
It was resolved by removing the comment line above.
If this fails to resolve the issue in your environment, could you email your config to [email protected] and I will take a look for you.
Regards
Mark Cook (MSFT)
My OS is Win7, and the config file loaded is z-AlphaVersion.xml, but no DNS query event is logged at all. I did not find the "sha256,sha1,IMPHASH" that @analyze-v commented on in z-AlphaVersion.xml, so the issue is still there.
Sorry, that was a copy-and-paste error on my part.
You need to remove the comment immediately after the RuleGroup element in the config (in this example, the line that includes SYSMON EVENT ID 22 : DNS EVENT LOGGING):
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<!--SYSMON EVENT ID 22 : DNS EVENT LOGGING-->
<DnsQuery onmatch="exclude">
<!--Network noise-->
Sorry, that was a copy-and-paste error on my part, as the relevant config extracts I pasted in were misinterpreted as content tags. I updated the forum comment, but what you need to remove is the comment line that immediately follows the RuleGroup tag (the one that includes SYSMON EVENT ID 22 : DNS EVENT LOGGING):
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<!--SYSMON EVENT ID 22 : DNS EVENT LOGGING-->
<DnsQuery onmatch="exclude">
<!--Network noise-->
Regards
Mark
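The diagnosis in the comments above is a comment node sitting directly after the opening RuleGroup tag. The following script, added here as an editor's example and not code from the sysmon-config project or from anyone in this thread, parses a Sysmon configuration with comment nodes preserved, reports any comment that is the first child of a RuleGroup, and writes out a copy with those comments stripped while leaving comments inside the rule elements (such as "Network noise") untouched. The sample configuration is constructed for the example and only mirrors the fragment quoted above; it is not the real z-AlphaVersion.xml.

```python
"""Find and strip XML comments that immediately follow a <RuleGroup> tag in a
Sysmon configuration.

Added example (not from the sysmon-config project or this thread). Standard
library only; the SAMPLE_CONFIG below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the RuleGroup's first child is a comment, which the
# thread reports as preventing DnsQuery (Event ID 22) rules from taking effect.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.21">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!--SYSMON EVENT ID 22 : DNS EVENT LOGGING-->
      <DnsQuery onmatch="exclude">
        <!--Network noise-->
        <QueryName condition="end with">.microsoft.com</QueryName>
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""


def parse_with_comments(xml_text: str) -> ET.Element:
    """Parse XML while keeping comment nodes (ElementTree drops them by default)."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def leading_rulegroup_comments(root: ET.Element) -> list:
    """Return the text of every comment that is the first child of a RuleGroup.

    Comment nodes carry ET.Comment (the factory function) as their tag.
    """
    found = []
    for rulegroup in root.iter("RuleGroup"):
        if len(rulegroup) and rulegroup[0].tag is ET.Comment:
            found.append(rulegroup[0].text)
    return found


def strip_leading_rulegroup_comments(xml_text: str) -> str:
    """Return a copy of the config with leading RuleGroup comments removed.

    Comments nested deeper (e.g. inside <DnsQuery>) are left in place.
    """
    root = parse_with_comments(xml_text)
    for rulegroup in root.iter("RuleGroup"):
        while len(rulegroup) and rulegroup[0].tag is ET.Comment:
            rulegroup.remove(rulegroup[0])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Point this at your own config file to check it; the sample is used here.
    for text in leading_rulegroup_comments(parse_with_comments(SAMPLE_CONFIG)):
        print("offending comment after RuleGroup:", text)
    print(strip_leading_rulegroup_comments(SAMPLE_CONFIG))
```

After writing the cleaned file, reload it with `Sysmon.exe -c <config.xml>` and check for Event ID 22 under Applications and Services Logs > Microsoft > Windows > Sysmon > Operational in Event Viewer.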