
[Tip] Sysinternals Sysmon logs and parser

This is the way to do it.

Step 1: You should install Sysmon on all computers.

Step 2: Configure Windows Event Subscription on central Windows server to pull all Sysmon logs from clients and store in "Forward Events".

Step 3: Install on this Windows Server "NX Log Free Edition" and configure it to send Syslog in JSON format to McAfee SIEM.

Step 4: Create new device with IP on that Windows Server and enable Generic Syslog support.

Step 5: Enable JSON parser on the device policy.

POC

[screenshot: Untitled.png]

3 Replies

McAfee Employee rlourenc

Re: [Tip] Sysinternals Sysmon logs and parser

Hi

Do you perhaps have the parser to share with me?

Re: [Tip] Sysinternals Sysmon logs and parser

Thank you for posting - I would caution anyone using this setup to double check the original Sysmon events and compare them against what the SIEM parses. You will find that the default parsers for events like ProcessCreate leave out critical information like parent processes, etc. - the same goes for the parsing of 4688 events. To work around this we had to create our own application which pulls Sysmon logs and converts them to a flat text file to be ingested by the SIEM collector.

McAfee Employee rlourenc

Re: [Tip] Sysinternals Sysmon logs and parser

Hi

I have already done this now. I am getting the messages in syslog format and then created custom parsers for it to work. It's excellent, especially for things like hash information.
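The pipeline in the original tip (NXLog forwarding the collector's "Forwarded Events" as JSON over syslog, step 5's JSON parser on the SIEM side) and the two caveats in the replies (default parsers dropping ParentImage/ParentCommandLine, custom parsers being needed for the Hashes field) can be checked with a small offline parser. The following is an added example written for this thread; it is not code from the original poster, McAfee, Sysinternals or NXLog. It assumes the JSON field names NXLog's im_msvistalog produces for Sysmon EventData (Image, CommandLine, ParentImage, ParentCommandLine, Hashes, User, UtcTime) plus the usual EventID/Hostname/Channel keys, and the sample syslog line, hostnames and hash values are constructed placeholders.

```python
import json
import re

# Fields a ProcessCreate (Sysmon Event ID 1) record must still carry after SIEM
# parsing. ParentImage/ParentCommandLine are the ones reported to be dropped by
# the default parsers; Hashes is what the custom parser in the thread targets.
REQUIRED_EID1 = ("UtcTime", "Image", "CommandLine", "User",
                 "ParentImage", "ParentCommandLine", "Hashes")

# BSD syslog as NXLog emits it: <PRI>timestamp host tag: {json}
SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<header>[^{]*?)(?P<json>\{.*\})\s*$")

# Constructed event (field names assumed from NXLog's im_msvistalog + to_json).
CONSTRUCTED_EVENT = {
    "EventTime": "2024-06-10 12:00:00",
    "Hostname": "WS01.corp.example",          # placeholder host
    "EventID": 1,
    "SourceName": "Microsoft-Windows-Sysmon",
    "Channel": "Microsoft-Windows-Sysmon/Operational",
    "UtcTime": "2024-06-10 10:00:00.123",
    "Image": r"C:\Windows\System32\cmd.exe",
    "CommandLine": "cmd.exe /c whoami",
    "User": r"CORP\alice",
    "ParentImage": r"C:\Windows\explorer.exe",
    "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    # placeholder hashes, upper-case on purpose to show normalisation
    "Hashes": "SHA256=" + "AB" * 32 + ",MD5=" + "CD" * 16,
}
SAMPLE_LINE = ("<14>Jun 10 12:00:00 WEC01 Microsoft-Windows-Sysmon[4321]: "
               + json.dumps(CONSTRUCTED_EVENT))


def parse_syslog_json(line):
    """Split an NXLog syslog line into (PRI, header, decoded JSON payload)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line carrying a JSON body")
    return int(m.group("pri")), m.group("header").strip(), json.loads(m.group("json"))


def parse_hashes(hashes):
    """'SHA256=..,MD5=..' -> {'SHA256': '..', 'MD5': '..'} with lower-case digests."""
    out = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def normalize_process_create(event):
    """Flatten an EID 1 event into the columns the SIEM should keep.

    Raises on missing fields so a lossy pipeline fails loudly rather than
    silently shipping ProcessCreate records without their parent process.
    """
    if event.get("EventID") != 1:
        raise ValueError("not a Sysmon ProcessCreate (EventID 1) record")
    missing = [f for f in REQUIRED_EID1 if not event.get(f)]
    if missing:
        raise ValueError("ProcessCreate missing fields: " + ", ".join(missing))
    rec = {f: event[f] for f in REQUIRED_EID1 if f != "Hashes"}
    rec["Hostname"] = event.get("Hostname")
    rec["Channel"] = event.get("Channel")
    # one column per hash algorithm, e.g. hash_sha256, hash_md5
    rec.update({"hash_" + algo.lower(): digest
                for algo, digest in parse_hashes(event["Hashes"]).items()})
    return rec


def missing_fields(original, siem_view):
    """Fidelity check from the reply above: which required fields did the
    SIEM-side representation drop compared to the original Sysmon event?"""
    return [f for f in REQUIRED_EID1 if f in original and f not in siem_view]


if __name__ == "__main__":
    _, header, ev = parse_syslog_json(SAMPLE_LINE)
    print("header:", header)
    print("normalised:", json.dumps(normalize_process_create(ev), indent=2))
    # simulate a parser that keeps everything except the Parent* fields
    lossy = {k: v for k, v in ev.items() if not k.startswith("Parent")}
    print("dropped by lossy parser:", missing_fields(ev, lossy))
```

Run it against a few real lines captured from the NXLog output (before they reach the SIEM) and against the SIEM's parsed view of the same events; any non-empty result from missing_fields is a field the custom parser still has to map.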
