Sysmon Logs
Overview
Evidence: Sysmon Logs
Description: Collect Sysmon Logs.
Category: System
Platform: linux
Short Name: sysmon
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Sysmon for Linux is a security monitoring tool that provides detailed information about system activity including process creation, network connections, and file system changes. It generates comprehensive logs that are essential for threat detection, incident response, and security analysis on Linux systems.
Data Collected
This collector gathers structured data about Sysmon logs.
Sysmon Logs Data
| Field | Description | Example |
|---|---|---|
| FilePath | File Path | Example value |
| Name | Name | Example value |
| Size | Size | 123.45 |
| SourcePath | Source Path | Example value |
Collection Method
This collector parses Sysmon entries from /var/log/syslog, identifying the Sysmon-specific log lines and converting each event into structured fields for analysis.
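The parsing step described above, as an added example that is not the collector's own code: Sysmon for Linux writes each event to syslog as one line carrying the program tag `sysmon:` followed by an `<Event>` XML document, and this script turns such lines into dictionaries and then links process-creation events (Event ID 1) to the network connections (Event ID 3) the same process made. The sample log lines are constructed for this example (the hash and ProcessGuid values are placeholders), the syslog timestamp format is assumed to be the traditional `Mon DD HH:MM:SS` layout, and the field names follow the Sysmon event schema.

```python
"""Parse Sysmon for Linux events out of /var/log/syslog lines.

Added example, not the collector's own code. Assumes each Sysmon line
looks like:  <timestamp> <host> sysmon: <Event>...</Event>
"""
import re
import xml.etree.ElementTree as ET

# Traditional syslog prefix (assumed format), then the XML payload.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sysmon: (?P<xml><Event>.*</Event>)\s*$"
)

# Constructed sample lines: one process creation (ID 1), one network
# connection (ID 3) from the same process, and one non-Sysmon line that
# the parser must skip. Hash and ProcessGuid values are placeholders.
SAMPLE_LINES = [
    'Jan 15 10:02:11 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon"/>'
    '<EventID>1</EventID><Computer>web01</Computer></System><EventData>'
    '<Data Name="ProcessGuid">{constructed-guid-0001}</Data>'
    '<Data Name="ProcessId">4242</Data>'
    '<Data Name="Image">/usr/bin/curl</Data>'
    '<Data Name="CommandLine">curl http://example.invalid/a.sh</Data>'
    '<Data Name="User">www-data</Data>'
    '<Data Name="ParentImage">/bin/bash</Data>'
    '<Data Name="Hashes">SHA256=0000000000000000000000000000000000000000000000000000000000000000</Data>'
    '</EventData></Event>',
    'Jan 15 10:02:12 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon"/>'
    '<EventID>3</EventID><Computer>web01</Computer></System><EventData>'
    '<Data Name="ProcessGuid">{constructed-guid-0001}</Data>'
    '<Data Name="ProcessId">4242</Data>'
    '<Data Name="Image">/usr/bin/curl</Data>'
    '<Data Name="DestinationIp">192.0.2.10</Data>'
    '<Data Name="DestinationPort">80</Data>'
    '</EventData></Event>',
    'Jan 15 10:02:13 web01 cron[999]: (root) CMD (run-parts /etc/cron.hourly)',
]


def parse_line(line):
    """Return a flat dict for one Sysmon syslog line, or None if the line
    is not a Sysmon event or its XML is malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        root = ET.fromstring(m.group("xml"))
    except ET.ParseError:
        return None
    event_id = root.findtext("System/EventID")
    if event_id is None:
        return None
    event = {
        "Timestamp": m.group("ts"),
        "Host": m.group("host"),
        "EventID": int(event_id),
    }
    # Every <Data Name="..."> child becomes a field named after it.
    for data in root.iterfind("EventData/Data"):
        name = data.get("Name")
        if name:
            event[name] = data.text or ""
    return event


def parse_lines(lines):
    """Parse many lines, silently dropping non-Sysmon entries."""
    return [e for e in (parse_line(line) for line in lines) if e is not None]


def correlate(events):
    """Group events by ProcessGuid so each process creation is listed with
    the network connections it later made. ProcessGuid is used rather than
    ProcessId because PIDs are reused over the life of a system."""
    timeline = {}
    for ev in events:
        guid = ev.get("ProcessGuid")
        if not guid:
            continue
        entry = timeline.setdefault(guid, {"Connections": []})
        if ev["EventID"] == 1:
            entry["Image"] = ev.get("Image", "")
            entry["CommandLine"] = ev.get("CommandLine", "")
            entry["User"] = ev.get("User", "")
            entry["Hashes"] = ev.get("Hashes", "")
        elif ev["EventID"] == 3:
            entry["Connections"].append(
                (ev.get("DestinationIp", ""), ev.get("DestinationPort", ""))
            )
    return timeline


if __name__ == "__main__":
    for guid, entry in correlate(parse_lines(SAMPLE_LINES)).items():
        print(guid, entry)
```

To run this over a real host, replace `SAMPLE_LINES` with the lines of `/var/log/syslog`; lines that are not Sysmon events (cron, sshd, kernel messages) are skipped by the regex rather than raising, so one malformed entry does not abort the collection.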
Forensic Value
Sysmon logs are invaluable for forensic investigations as they provide detailed system activity timelines including process creation with hashes, network connections, file modifications, and other security-relevant events. This data helps investigators reconstruct attack sequences, identify malicious activities, track lateral movement, and understand the full scope of security incidents on Linux systems.