Can anyone help me?
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.
After installation, Sysinternals Sysmon Utility logs can be found in Event Viewer -> Application and Services Logs -> Microsoft -> Sysmon -> Operational (OS: MS Windows 2008 R2).
I want to receive these logs in McAfee ESM. I try to add the logs as a data source but get this message:
Connection to standard windows logs is successful.
I actually have the same problem: the SIEM did not understand or was not able to get the logs from the new manifest that Sysmon created at the point of installation. This may be a bug. But the way I got around that is to use event forwarding to an event collector. Here's a link: Setting up a Source Initiated Subscription (Windows). This also helps when you want to deploy to a larger audience. In my case, when creating a subscription I had to save the logs to Applications. Then have the SIEM grab the logs from Application.
I have the SIEM agent on all my end devices and do not have any problems obtaining the sysmon logs as I can choose which Windows Event logs I want to collect in the agent. The problem I do have, is the SIEM does not parse the data correctly and therefore is not showing me data I want to see when I do filters and reports. Anyone have any ideas on this?
This is the way to do it.
Step 1: You should install Sysmon on all computers.
Step 2: Configure Windows Event Subscription on central Windows server to pull all Sysmon logs from clients and store in "Forward Events".
Step 3: Install "NXLog Free Edition" on this Windows Server and configure it to send Syslog in JSON format to McAfee SIEM.
Step 4: Create a new device with the IP of that Windows Server and enable Generic Syslog support.
Step 5: Enable JSON parser on the device policy.
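An example NXLog configuration for Step 3, added here and not taken from the thread or from NXLog: it reads only Sysmon events out of the collector's ForwardedEvents channel (where the Step 2 subscription lands) and ships each one as JSON inside a syslog message, which is what the Step 5 JSON parser expects. It assumes the NXLog Community Edition install path shown, QueryXML support in im_msvistalog (CE 2.9 or later), and a placeholder SIEM receiver at 192.0.2.10:514.

```nxlog
# Assumed install path for NXLog Community Edition on the collector (placeholder)
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

# Read only Sysmon events from the ForwardedEvents channel that the
# Windows Event Subscription (Step 2) writes to on this collector.
<Input forwarded_sysmon>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="ForwardedEvents">*[System[Provider[@Name='Microsoft-Windows-Sysmon']]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Serialise every field im_msvistalog parsed out of the event (EventID,
# Image, CommandLine, Hashes, ...) as JSON in the syslog MSG part, so the
# SIEM's JSON parser (Step 5) gets structured fields instead of the raw,
# manifest-dependent message text it could not decode.
# Host/Port are placeholders for the McAfee receiver; TCP is used rather
# than UDP so events are not silently dropped on the wire.
<Output siem>
    Module  om_tcp
    Host    192.0.2.10
    Port    514
    Exec    $Message = to_json(); to_syslog_bsd();
</Output>

<Route sysmon_to_siem>
    Path    forwarded_sysmon => siem
</Route>
```

To send directly from an endpoint that runs the agent instead of from the collector, change the Select path to Microsoft-Windows-Sysmon/Operational; everything else stays the same.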