Parses syslog for Sysmon events on Linux
Reference: https://github.com/Sysinternals/SysmonForLinux
This artifact can also be modified to forward events (as a client event artifact), similar to Windows.Sysinternals.SysmonLogForward.
name: Linux.Sysinternals.Sysmon
author: Wes Lambert -- @therealwlambert
description: |
Parses syslog for Sysmon events on Linux
**Reference**: https://github.com/Sysinternals/SysmonForLinux
This artifact can also be modified to forward events (as a client
event artifact), similar to Windows.Sysinternals.SysmonLogForward.
type: CLIENT
precondition: SELECT OS From info() where OS = 'linux'
parameters:
- name: syslogPath
default: /var/log/syslog
- name: sysmonGrok
description: A Grok expression for parsing Sysmon events from syslog on Linux machines
default: >-
%{SYSLOGTIMESTAMP:Timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}: %{GREEDYDATA:event}
- name: StartDate
type: timestamp
description: "Parse events on or after this date (YYYY-MM-DDTmm:hh:ssZ)"
- name: EndDate
type: timestamp
description: "Parse events on or before this date (YYYY-MM-DDTmm:hh:ssZ)"
- name: IDRegex
default: "."
sources:
- queries:
# Basic syslog parsing via GROK expressions.
- LET UnparsedEvents = SELECT * FROM foreach(
row={
SELECT * FROM glob(globs=syslogPath)
}, query={
SELECT grok(grok=sysmonGrok, data=Line) AS Event,
FullPath
FROM parse_lines(filename=FullPath)
WHERE Event.program = "sysmon" AND Event.event =~ "<Event>"
})
- LET ParsedEvents = SELECT parse_xml(accessor='data', file=Event.event).Event AS Event FROM UnparsedEvents
- SELECT timestamp(string=Event.System.TimeCreated.AttrSystemTime) AS TimeCreated,
Event.System.EventID AS EventID,
Event.System.Channel AS _Channel,
Event.System.EventRecordID AS EventRecordID,
Event.System.EventID AS EventID,
Event.System.Computer AS Computer,
Event.System AS System,
to_dict(item={SELECT AttrName AS _key, `#text` AS _value FROM Event.EventData.Data}) AS EventData
FROM ParsedEvents
WHERE
if(condition=StartDate, then=TimeCreated >= timestamp(string=StartDate), else=true)
AND if(condition=EndDate, then=TimeCreated <= timestamp(string=EndDate), else=true)
AND str(str=EventID) =~ IDRegex