1 Reply Latest reply on May 31, 2017 2:24 PM by anton2016

    Sysinternals Sysmon

    souljoy

      Hello,

      Has anyone found a way to integrate Sysmon logs with ESM other than the one mentioned below?

      Step 1: You should install Sysmon on all computers.

      Step 2: Configure Windows Event Subscription on central Windows server to pull all Sysmon logs from clients and store in "Forward Events".

      Step 3: Install on this Windows Server "NX Log Free Edition" and configure it to send Syslog in JSON format to McAfee SIEM.

      Step 4: Create new device with IP on that Windows Server and enable Generic Syslog support.

      Step 5: Enable JSON parser on the device policy.

      Please let me know if you found a different way to integrate.

      Thanks,

      Soul Joy

        • 1. Re: Sysinternals Sysmon
          anton2016

          I would love to see a "Sysmon Content Pack" from the SIEM. The method you described above is a great way to get Sysmon logs into the SIEM. I wanted to get these types of logs into the SIEM as well but without any additional software installation, i.e. NX Log.

          My solution was to write a small PowerShell script which scraped the Sysmon Event logs and outputted them in a custom format for which I wrote a custom parser. This took a lot of work but gave me a lot of control over exactly what I wanted to log and in what format.

          Ideally there would be a way for the SIEM to natively collect these logs like it does the security and application logs.
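The script below is an added example written for this thread; it is not anton2016's script and not McAfee or NXLog code. It shows the shape of the "scrape the Sysmon log with PowerShell" approach from the reply above, but emits the same kind of output as steps 3 to 5 of the original post (one JSON object per event inside a syslog line), so the SIEM side can stay on the Generic Syslog device with the JSON parser enabled instead of needing a custom parser. The receiver address 10.0.0.5:514, the state file name and the chosen Sysmon event IDs are assumptions for the example.

```powershell
# Added example: ship Sysmon events from the local
# Microsoft-Windows-Sysmon/Operational channel to a SIEM as JSON-over-syslog.
# Assumed values: receiver 10.0.0.5 UDP/514, checkpoint file under ProgramData.
param(
    [string]$SiemHost  = '10.0.0.5',   # assumed SIEM syslog receiver
    [int]   $SiemPort  = 514,          # assumed UDP syslog port
    [int]   $MaxEvents = 500,
    [string]$StatePath = (Join-Path $env:ProgramData 'sysmon-ship.last')
)

function ConvertTo-SysmonRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)

    # Sysmon stores its fields as <EventData><Data Name="...">text</Data>;
    # read the XML and flatten them into one ordered dictionary.
    $xml = [xml]$Event.ToXml()
    $record = [ordered]@{
        TimeCreated = $Event.TimeCreated.ToUniversalTime().ToString('o')
        Computer    = $Event.MachineName
        Channel     = $Event.LogName
        EventID     = $Event.Id
        RecordID    = $Event.RecordId
    }
    foreach ($data in $xml.Event.EventData.Data) {
        $record[$data.Name] = $data.'#text'
    }
    return $record
}

function Send-SyslogJson {
    param([string]$Json, [string]$TargetHost, [int]$TargetPort)

    # BSD syslog header; PRI 14 = facility user (1*8) + severity informational (6).
    $ts    = (Get-Date).ToString('MMM dd HH:mm:ss')
    $line  = "<14>$ts $env:COMPUTERNAME Sysmon: $Json"
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($line)

    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Connect($TargetHost, $TargetPort)
        [void]$udp.Send($bytes, $bytes.Length)
    } finally {
        $udp.Close()
    }
}

# Event IDs chosen for the example: 1 process create, 3 network connect,
# 6 driver load, 7 image load. Adjust to match the Sysmon configuration.
$filter = @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 1, 3, 6, 7
}

# Checkpoint: only read events newer than the last run so nothing is re-sent.
$since = $null
if (Test-Path $StatePath) {
    $since = [datetime]::Parse((Get-Content -Path $StatePath -Raw).Trim())
    $filter['StartTime'] = $since   # StartTime is inclusive; exact filter is below
}

$latest = $null
Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    Where-Object { -not $since -or $_.TimeCreated -gt $since } |
    ForEach-Object {
        $json = ConvertTo-SysmonRecord -Event $_ | ConvertTo-Json -Compress -Depth 3
        Send-SyslogJson -Json $json -TargetHost $SiemHost -TargetPort $SiemPort
        if (-not $latest -or $_.TimeCreated -gt $latest) { $latest = $_.TimeCreated }
    }

# Persist the newest timestamp seen for the next run.
if ($latest) { $latest.ToString('o') | Set-Content -Path $StatePath }
```

Run it from a scheduled task on the collector (or on each host, which avoids the Event Subscription step entirely) with an account that can read the Sysmon channel. Each emitted line carries the syslog header followed by a flat JSON object, which is the layout the Generic Syslog device with the JSON parser expects; fields such as Image, CommandLine, ParentImage and Hashes arrive with the names Sysmon gives them, so they can be mapped to ESM fields directly.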