1 Reply Latest reply on May 31, 2017 2:24 PM by anton2016

    Sysinternals Sysmon




Has anyone found a way to integrate Sysmon logs with ESM other than the one mentioned below?

Step 1: Install Sysmon on all computers.

Step 2: Configure Windows Event Subscription on a central Windows server to pull all Sysmon logs from the clients and store them in "Forwarded Events".

Step 3: Install "NXLog Free Edition" on this Windows server and configure it to send syslog in JSON format to McAfee SIEM.

Step 4: Create a new device with the IP of that Windows server and enable Generic Syslog support.

Step 5: Enable the JSON parser in the device policy.

Please let me know if you have found a different way to integrate.

Soul Joy
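As an added example of the collector-side part of the procedure above (this is not code from the original post or from NXLog's or McAfee's documentation), the PowerShell script below runs on the central Windows server: it first checks that Sysmon events from the subscription are actually landing in the Forwarded Events channel (Step 2), then writes an NXLog configuration that reads only Sysmon events from that channel and ships them as JSON wrapped in syslog to the SIEM (Step 3). The SIEM address and port, the NXLog install path and the service name are assumptions and placeholders; Steps 4 and 5 (Generic Syslog device with the JSON parser enabled) are still done in the ESM console.

```powershell
# Added example, not from the original post. Run elevated on the central collector.
# Assumptions (placeholders): ESM receiver address/port, NXLog install root, service name 'nxlog'.
$SiemHost  = '192.0.2.10'                     # placeholder: ESM receiver address
$SiemPort  = 514                              # placeholder: syslog port the receiver listens on
$NxLogRoot = 'C:\Program Files (x86)\nxlog'   # assumption: NXLog CE default install path
$NxLogConf = Join-Path $NxLogRoot 'conf\nxlog.conf'

# Step 2 check: are Sysmon events arriving through the subscription?
# Sysmon writes under the provider 'Microsoft-Windows-Sysmon'.
$recent = Get-WinEvent -FilterHashtable @{
    LogName      = 'ForwardedEvents'
    ProviderName = 'Microsoft-Windows-Sysmon'
} -MaxEvents 5 -ErrorAction SilentlyContinue

if (-not $recent) {
    Write-Warning 'No Sysmon events in ForwardedEvents yet: verify the subscription (wecutil gs <name>) and the client WinRM/GPO settings before going further.'
} else {
    $recent | Select-Object TimeCreated, MachineName, Id | Format-Table -AutoSize
}

# Step 3: NXLog configuration.
#  - im_msvistalog reads ForwardedEvents and keeps only Sysmon provider events;
#  - xm_json turns the parsed event fields (EventID, Image, CommandLine, ...) into a JSON object;
#  - xm_syslog puts that JSON in the message part of a BSD syslog line, which the
#    SIEM's Generic Syslog device with the JSON parser (Steps 4-5) then decodes.
# Inside this double-quoted here-string the NXLog variable is escaped as `$Message
# so PowerShell does not interpolate it.
$conf = @"
define ROOT $NxLogRoot

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input forwarded_sysmon>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="ForwardedEvents">
                <Select Path="ForwardedEvents">*[System[Provider[@Name='Microsoft-Windows-Sysmon']]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output siem>
    Module om_tcp
    Host   $SiemHost
    Port   $SiemPort
    Exec   `$Message = to_json(); to_syslog_bsd();
</Output>

<Route sysmon_to_siem>
    Path forwarded_sysmon => siem
</Route>
"@

Set-Content -Path $NxLogConf -Value $conf -Encoding ASCII
Restart-Service -Name nxlog
```

TCP (om_tcp) rather than UDP is used on purpose: a Sysmon process-creation event with a long command line easily produces a JSON message of several kilobytes, which a UDP syslog receiver may truncate. The XPath filter in the query means NXLog forwards only Sysmon events even if the same subscription later collects other channels into Forwarded Events.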

        • 1. Re: Sysinternals Sysmon

I would love to see a "Sysmon Content Pack" from the SIEM. The method you described above is a great way to get Sysmon logs into the SIEM. I wanted to get these types of logs into the SIEM as well, but without any additional software installation, i.e. NXLog.

My solution was to write a small PowerShell script which scraped the Sysmon event logs and output them in a custom format, for which I wrote a custom parser. This took a lot of work but gave me a lot of control over exactly what I wanted to log and in what format.

Ideally there would be a way for the SIEM to natively collect these logs like it does the Security and Application logs.
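The reply above does not include its script, so the following is an added example (written for this page, not anton2016's code) of what such a scraper can look like: it reads events from the local Sysmon channel with Get-WinEvent, pulls every named field out of the event's EventData XML, and writes one flat key="value" line per event. Escaping the values matters, because a process command line routinely contains spaces, quotes and equals signs that would otherwise break a simple custom parser. The output path and the chosen Event IDs are illustrative.

```powershell
# Added example, not the script from the reply above. Runs locally where Sysmon is installed.
# Assumptions: output path and Event ID selection are illustrative placeholders.
param(
    [int[]]$EventIds = @(1, 3, 11),             # Sysmon: process create, network connect, file create
    [int]$MaxEvents  = 200,
    [string]$OutFile = 'C:\logs\sysmon-flat.log' # placeholder path
)

function ConvertTo-FlatSysmonLine {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)

    # Sysmon stores every detail as <EventData><Data Name="...">value</Data>; read them by name.
    $xml = [xml]$Event.ToXml()
    $fields = [ordered]@{
        ts      = $Event.TimeCreated.ToUniversalTime().ToString('o')
        host    = $Event.MachineName
        eventid = $Event.Id
    }
    foreach ($d in $xml.Event.EventData.Data) {
        # Escape backslashes and double quotes so a quoted command line survives a
        # key="value" parser on the SIEM side (one backslash -> two, " -> \").
        $value = ([string]$d.'#text') -replace '\\', '\\' -replace '"', '\"'
        $fields[$d.Name] = $value
    }
    ($fields.GetEnumerator() | ForEach-Object { '{0}="{1}"' -f $_.Key, $_.Value }) -join ' '
}

# Make sure the destination directory exists, then append one line per event.
New-Item -ItemType Directory -Force -Path (Split-Path -Parent $OutFile) | Out-Null

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = $EventIds
} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$events | ForEach-Object { ConvertTo-FlatSysmonLine -Event $_ } |
    Add-Content -Path $OutFile -Encoding UTF8
```

Run as a scheduled task and point the SIEM's file or syslog collection at the output; because every line carries the same ordered leading keys (ts, host, eventid) followed by Sysmon's own field names, a single custom parser rule can match all event types.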