SysmonForLinux

Support for Alternative Log Format such as JSON

Open SMAPPER opened this issue 3 years ago • 12 comments

Is it possible for this project to get JSON support? Windows Sysmon with XML is auto-handled by most log agents to abstract the XML parsing away. However, Linux log agents do not account for this. While I don't think it's a huge deal I believe it would help the community more readily consume these logs if they supported other log formats outside of XML.

Examples:

  • JSON
  • key-value pairs (base pairs or a standard like LEF, LEEF, or CEF)

In its current format, Sysmon for Linux is a huge blessing to the community regardless of the above. I'm just submitting this as a possible feature request.

SMAPPER avatar Oct 15 '21 00:10 SMAPPER

I'd be interested in json as well. I'd love to see it put on the roadmap

tbennett6421 avatar Oct 15 '21 06:10 tbennett6421

Would indeed be great to have JSON output, since this integrates far easier with OSS tools like Fluentd, fluentbit or Elastic Filebeat / Logstash.

avwsolutions avatar Oct 15 '21 20:10 avwsolutions

Thanks for the suggestion - others have suggested similar. I will raise it and see what interest there is internally.

kesheldr avatar Nov 03 '21 17:11 kesheldr

@SMAPPER I totally agree with your request here. From reading your input I get the idea that you may have a filebeat/vector.dev config that solves this with parsing already?

In my search for solving this I found this forum post on the filebeat forums that suggests one could use this filebeat processor, but I'm a bit stumped as to how this will have to be implemented to not interfere with the rest of the JSON-based log data also being shipped from the syslog file. From what I can tell it's all JSON except the sysmon events, which, for lack of a better word, are an XML blob in the otherwise JSON-formatted data. Is this correct?

It looks like the "decode_xml_wineventlog" processor can be leveraged here, but I have not yet been able to build a working config around this.

https://github.com/elastic/integrations/issues/1930

ssi0202 avatar Nov 19 '21 09:11 ssi0202

@MarioHewardt giving this a bump based off the convo on Twitter :)

Twitter convo with @markrussinovich and @MarioHewardt

I would also suggest that we make an extra logfile so all the very nice sysmon log data is dumped into the syslog file itself.

ssi0202 avatar Dec 09 '22 08:12 ssi0202

Do you know if this feature could be considered? While I know it's possible to convert after the fact with other tools, it's less than ideal. The tool ideally would provide flexibility for easier integration within the community. JSON seems like a natural output format that many tools work with.

Regardless, I appreciate your efforts for this as Sysmon is great.

JustinHendersonSMAPPER avatar Feb 24 '23 16:02 JustinHendersonSMAPPER

This is a super interesting item that is on my backlog to investigate. At the moment, my plan for the short term is to address some of the more critical functional issues/bugs reported before I switch over to new features/capabilities.

MarioHewardt avatar Feb 24 '23 16:02 MarioHewardt

If someone has already solved this via other conversion tools I'd be super interested in learning more about it.

MarioHewardt avatar Feb 24 '23 16:02 MarioHewardt

Hi Mario,

I've been wanting something like this for a while.

Alternative ways of accomplishing the conversion would be using something like Filebeat's decode_xml_wineventlog processor, or Logstash's XML filter plugin, either through picking up events directly, or forwarding events via syslog.

@scudette submitted a pull request for this type of output, as well as socket output, a while back:

https://github.com/Sysinternals/SysmonForLinux/pull/50

As always, thanks for all of your work with Sysmon for Linux!

Thanks, Wes

weslambert avatar Feb 24 '23 17:02 weslambert
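The conversion that ssi0202 asked about earlier in the thread (the Sysmon XML blob sitting among otherwise JSON lines in syslog) and that Wes's comment above says can be done with Filebeat's decode_xml_wineventlog processor or Logstash's XML filter, written out as a small stand-alone converter. This is an added example, not code from SysmonForLinux or from anyone in this thread. It assumes the syslog message body is the Sysmon event XML in the Windows Sysmon shape (`<Event><System>...</System><EventData><Data Name="...">...</Data></EventData></Event>`); the sample lines, hostnames, paths and record numbers are constructed for the example. Non-Sysmon lines pass through untouched, so JSON already in the file is not disturbed, and an event that syslog truncated mid-XML is kept with a parse error rather than silently dropped.

```python
"""Convert Sysmon for Linux syslog lines into JSON.

Added example, not SysmonForLinux project code. Assumes each Sysmon
syslog line carries the event XML in the Windows Sysmon schema
(<Event><System>..</System><EventData><Data Name="..">..</Data>..).
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample input: one process-creation event (EventID 1), one
# unrelated line that is already JSON, and one event cut off mid-XML
# (what a syslog message-size limit does to a long event).
SAMPLE_LINES = [
    "Feb 24 16:05:12 host1 sysmon: <Event><System>"
    '<Provider Name="Linux-Sysmon"/><EventID>1</EventID><Version>5</Version>'
    "<Level>4</Level><Task>1</Task><Opcode>0</Opcode>"
    '<TimeCreated SystemTime="2023-02-24T16:05:12.000000000Z"/>'
    "<EventRecordID>42</EventRecordID><Correlation/>"
    '<Execution ProcessID="1234" ThreadID="1234"/>'
    "<Channel>Linux-Sysmon/Operational</Channel><Computer>host1</Computer>"
    '<Security UserId="0"/></System><EventData>'
    '<Data Name="RuleName">-</Data><Data Name="ProcessId">4321</Data>'
    '<Data Name="Image">/usr/bin/curl</Data>'
    '<Data Name="CommandLine">curl -s http://example.invalid/x.sh</Data>'
    '<Data Name="User">root</Data><Data Name="ParentImage">/bin/bash</Data>'
    "</EventData></Event>",
    '{"source":"app","msg":"ok"}',
    "Feb 24 16:05:13 host1 sysmon: <Event><System><EventID>3</EventID><Computer>host1",
]


def _local(tag):
    """Strip a namespace prefix such as '{http://...}Event' from a tag."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon_event(xml_text):
    """Parse one <Event> document into {"System": {...}, "EventData": {...}}.

    <System> children become keys; their attributes are folded in as
    Tag.Attr (e.g. TimeCreated.SystemTime). <Data Name="X"> becomes
    EventData["X"]. EventID is converted to int for easy querying.
    """
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "Event":
        raise ValueError("not a Sysmon Event element")
    out = {"System": {}, "EventData": {}}
    for section in root:
        name = _local(section.tag)
        if name == "System":
            for child in section:
                cname = _local(child.tag)
                text = (child.text or "").strip()
                if text:
                    out["System"][cname] = text
                for attr, value in child.attrib.items():
                    out["System"][f"{cname}.{attr}"] = value
        elif name == "EventData":
            for data in section:
                key = data.attrib.get("Name")
                if key:
                    out["EventData"][key] = (data.text or "").strip()
    if "EventID" in out["System"]:
        try:
            out["System"]["EventID"] = int(out["System"]["EventID"])
        except ValueError:
            pass
    return out


def convert_line(line):
    """Return the line unchanged (str) if it carries no Sysmon event,
    otherwise a dict. A truncated or malformed event is kept as a dict
    with 'raw' and 'parse_error' so nothing is lost in the pipeline."""
    idx = line.find("<Event")
    if idx < 0:
        return line
    prefix = line[:idx].rstrip()
    try:
        event = parse_sysmon_event(line[idx:])
    except (ET.ParseError, ValueError) as exc:
        return {"syslog_prefix": prefix, "raw": line[idx:], "parse_error": str(exc)}
    event["syslog_prefix"] = prefix
    return event


def convert_lines(lines):
    """Stream converter: one output line per non-empty input line.
    Sysmon events come out as compact JSON; everything else passes through."""
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        result = convert_line(line)
        if isinstance(result, str):
            yield result
        else:
            yield json.dumps(result, separators=(",", ":"))


if __name__ == "__main__":
    for out in convert_lines(SAMPLE_LINES):
        print(out)
```

Run it as `python3 sysmon2json.py < /var/log/syslog` (after replacing `SAMPLE_LINES` with `sys.stdin`) to get one JSON object per Sysmon event with the syslog prefix preserved, which Filebeat, fluentbit or vector can then ingest as plain JSON. The standard-library parser does not fetch external entities, but the Python documentation recommends the defusedxml package for XML from untrusted sources; since a Sysmon event can carry attacker-controlled command lines, that is the safer choice when this runs on a collector.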

Thanks Wes. I've seen that PR but haven't had a chance to look through it yet due to other priorities.

MarioHewardt avatar Feb 24 '23 17:02 MarioHewardt

Really interested in this.

norandom avatar May 07 '23 13:05 norandom

This would be an awesome and very needed feature, please add it!

matias624 avatar Sep 19 '23 08:09 matias624