McAfee SIEM. How to take Sysinternals Sysmon Utility logs

Hello!

Can anyone help me?

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.

After installation, Sysinternals Sysmon Utility logs can be found in Event Viewer -> Application and Services Logs -> Microsoft -> Sysmon -> Operational (OS: MS Windows 2008 R2).

I want to receive these logs in McAfee ESM. I tried to add the logs as a data source but get this message:

Connection to standard windows logs is successful.

Thanks,

Nikita

5 Replies

Re: McAfee SIEM. How to take Sysinternals Sysmon Utility logs

I actually have the same problem: the SIEM did not understand, or was not able to get, the logs from the new manifest that Sysmon created at the point of installation. This may be a bug. But the way I got around that is to use event forwarding to an event collector. Here's a link: Setting up a Source Initiated Subscription (Windows). This also helps when you want to deploy to a larger audience. In my case, when creating a subscription I had to save the logs to Application. Then have the SIEM grab the logs from Application.

paider

Re: McAfee SIEM. How to take Sysinternals Sysmon Utility logs

I have the SIEM agent on all my end devices and do not have any problems obtaining the sysmon logs as I can choose which Windows Event logs I want to collect in the agent.  The problem I do have, is the SIEM does not parse the data correctly and therefore is not showing me data I want to see when I do filters and reports.  Anyone have any ideas on this?

Re: McAfee SIEM. How to take Sysinternals Sysmon Utility logs

This is the way to do it.

Step 1: You should install Sysmon on all computers.

Step 2: Configure Windows Event Subscription on central Windows server to pull all Sysmon logs from clients and store in "Forward Events".

Step 3: Install on this Windows Server "NX Log Free Edition" and configure it to send Syslog in JSON format to McAfee SIEM.

Step 4: Create new device with IP on that Windows Server and enable Generic Syslog support.

Step 5: Enable JSON parser on the device policy.

POC

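The forwarding chain from steps 2 and 3 above, written out as an NXLog Community Edition configuration for the central collector. This is an added example, not the poster's or McAfee's configuration; it assumes the WEF subscription delivers into the ForwardedEvents channel, and the receiver address 192.0.2.10 and port 514 are placeholders for the McAfee ESM/Receiver.

```apacheconf
# Added example (nxlog.conf on the Windows event collector): read the Sysmon
# events that Windows Event Forwarding placed in ForwardedEvents, serialise
# each event to JSON and ship it as BSD syslog to the SIEM receiver.
# 192.0.2.10:514 is a placeholder for the McAfee ESM/Receiver address.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input sysmon_forwarded>
    Module  im_msvistalog
    # Only Sysmon events from the ForwardedEvents channel; other forwarded
    # providers can get their own input/route.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*[System[Provider[@Name='Microsoft-Windows-Sysmon']]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Put the whole event (EventID, Image, CommandLine, Hashes, ...) into
    # $Message as one JSON object so the SIEM's JSON parser can read the fields.
    Exec    $Message = to_json();
</Input>

<Output to_siem>
    Module  om_tcp
    Host    192.0.2.10
    Port    514
    # Wrap the JSON body in a BSD syslog header; on the SIEM side this
    # collector's IP is the generic syslog data source from step 4.
    Exec    to_syslog_bsd();
</Output>

<Route sysmon_to_siem>
    Path    sysmon_forwarded => to_siem
</Route>
```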

Re: McAfee SIEM. How to take Sysinternals Sysmon Utility logs

Could you please explain what you mean by "Enable JSON parser on the device policy"? How can I do it?

Thank you!

McAfee Employee rlourenc

Re: McAfee SIEM. How to take Sysinternals Sysmon Utility logs

Hi

I see you posted this a few times. Do you perhaps have the parser for me?
