How do we ingest sysmon logs via osquery? #1697
I'm aware there's some logic in the osquery packs results parser that will tag sysmon logs for further processing using a sysmon-specific pipeline. What do a pack and its queries look like to do this, assuming osquery/launcher is properly configured to access the proper Windows event logs? Is it snapshot or differential? Anything else special to do? What about sysmon configs on the host? Query something like this?:
Replies: 1 comment
I have added a section in our documentation about this: https://docs.securityonion.net/en/2.3/osquery.html#shipping-windows-eventlogs

RE: anything special? No. Just install sysmon on the host with whatever config you want and configure the query as specified in the docs. Keep in mind it could take up to 15 min to start shipping the logs, as osquery checks in with Fleet every 10 min to see if there is a config change (i.e. a new scheduled query).
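The question above asks what the pack query looks like and whether results arrive as snapshot or differential. As an added example (not Security Onion's parser and not the query from its docs), the script below shows how a results parser can tag Sysmon rows by their event log channel while accepting both of osquery's result-log shapes; the query string, the pack name and the sample log lines are constructed for illustration and should be checked against the linked documentation.

```python
"""Tag Sysmon rows in osquery result-log lines (added example, not
Security Onion's code). Assumes the scheduled query reads the
windows_eventlog table for the Sysmon channel; the query text below is
an assumption, verify it against the Security Onion docs."""
import json

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Assumed pack query; windows_eventlog requires a channel constraint.
SYSMON_QUERY = (
    "SELECT datetime, eventid, provider_name, channel, data "
    f"FROM windows_eventlog WHERE channel = '{SYSMON_CHANNEL}'"
)

def rows_from_result(line: str):
    """Yield (action, row) pairs from one osquery result-log JSON line.

    Differential logs carry one row under "columns" with an "action" of
    added/removed; snapshot logs carry the whole result set under "snapshot".
    """
    rec = json.loads(line)
    if "snapshot" in rec:
        for row in rec["snapshot"]:
            yield "snapshot", row
    elif "columns" in rec:
        yield rec.get("action", "added"), rec["columns"]

def tag_rows(line: str):
    """Return rows tagged with the pipeline they should be routed to.

    Differential "removed" rows only mean an event aged out of the query
    result; they are not new events, so they are dropped here.
    """
    tagged = []
    for action, row in rows_from_result(line):
        if action == "removed":
            continue
        out = dict(row)
        out["pipeline"] = "sysmon" if row.get("channel") == SYSMON_CHANNEL else "osquery"
        tagged.append(out)
    return tagged

# Constructed sample lines in osquery's result-log format (not real data).
SAMPLE_LINES = [
    '{"name":"pack_sysmon_events","hostIdentifier":"win-1","action":"added",'
    '"columns":{"channel":"Microsoft-Windows-Sysmon/Operational","eventid":"1"}}',
    '{"name":"pack_sysmon_events","hostIdentifier":"win-1","action":"removed",'
    '"columns":{"channel":"Microsoft-Windows-Sysmon/Operational","eventid":"1"}}',
    '{"name":"pack_sysmon_events","hostIdentifier":"win-1","action":"snapshot",'
    '"snapshot":[{"channel":"Microsoft-Windows-Sysmon/Operational","eventid":"3"},'
    '{"channel":"Security","eventid":"4624"}]}',
]

def route_all(lines):
    """Count tagged rows per pipeline across a batch of result-log lines."""
    counts = {}
    for line in lines:
        for row in tag_rows(line):
            counts[row["pipeline"]] = counts.get(row["pipeline"], 0) + 1
    return counts
```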