sysmonforlinux

[hodan112]

Hello everyone,
I’m currently working with Security Onion 2.4.110, and I’m trying to integrate SysmonForLinux logs for hunting. However, I’m having some difficulty with parsing these logs properly for analysis in Security Onion.

SysmonForLinux Log Parsing:

I’ve installed SysmonForLinux and configured it to send logs to elasticsearch. But I’m struggling to properly parse and visualize these logs for effective threat hunting.

Question: What are the best practices or steps to properly parse SysmonForLinux logs in elasticsearch? Are there specific configurations or processors I need to set up in order to effectively analyze these logs?

Any guidance, tips, or documentation links would be greatly appreciated!

Thank you in advance for your help!

Best regards,
Hodan Dirieh

[dougburks]

Have you tried the Elastic Agent for Linux? It provides much of the same hunting capability as sysmon logs.

https://docs.securityonion.net/en/2.4/downloads.html
https://docs.securityonion.net/en/2.4/elastic-agent.html

[defensivedepth]

Greetings @hodan112 - to be clear, you are seeing the logs correctly ingested now?

[hodan112]

Yes, the logs have been ingested correctly, and we can see them in Kibana, but they are in XML format.

[defensivedepth]

They are being ingested, but not correctly. Please post the elastic agent integration configuration that is being used.

[hodan112]

I created this ingestion pipeline: https://gist.github.com/mttaggart/efc870e02eb603943e0dae8ebd54d3dc

and I added a configuration to the elastic-agent.yml file. Here’s the configuration used:

Let me know if adjustments are needed.

[hodan112]

still waiting

[hodan112]

Hello @defensivedepth ,
Thank you for your assistance, I have successfully mapped the Sysmon for Linux logs.

However, I would appreciate your feedback to confirm if the method I used is correct or if there are other alternatives.
Process:

1.Logs from Linux systems are collected through the "system" integration, which parses the system syslog logs using the "logs-system.syslog" pipeline.
2.I applied a custom pipeline to parse only the XML field, which is renamed to "message." This pipeline is specifically designed to process this XML field.

I would greatly appreciate it if you could confirm whether this approach is correct or if there are other options to consider.