sysmonforlinux
#14028
Replies: 1 comment 2 replies
-
Have you tried the Elastic Agent for Linux? It provides much of the same hunting capability as sysmon logs. https://docs.securityonion.net/en/2.4/downloads.html
-
Hello everyone,
I’m currently working with Security Onion 2.4.110, and I’m trying to integrate SysmonForLinux logs for hunting. However, I’m having some difficulty with parsing these logs properly for analysis in Security Onion.
SysmonForLinux Log Parsing:
I’ve installed SysmonForLinux and configured it to send logs to Elasticsearch. But I’m struggling to properly parse and visualize these logs for effective threat hunting.
Question: What are the best practices or steps to properly parse SysmonForLinux logs in Elasticsearch? Are there specific configurations or processors I need to set up in order to effectively analyze these logs?
Any guidance, tips, or documentation links would be greatly appreciated!
Thank you in advance for your help!
Best regards,
Hodan Dirieh
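As an added example (not from this thread, Security Onion or the Sysmon project), here is the flattening step the question is asking about: a parser that turns a Sysmon for Linux syslog line into the dotted ECS-style fields an Elasticsearch document and its Kibana/hunt views expect. It assumes the event arrives as the XML `<Event>` document Sysmon for Linux writes after the `sysmon:` syslog tag; the sample lines, host name, PIDs and paths are constructed, and the Sysmon-to-ECS field mapping is this example's own choice.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample syslog lines in the shape Sysmon for Linux emits (an <Event>
# XML document after the "sysmon:" tag); host, pids and paths are made up.
SAMPLE_LINES = [
    "Jan 10 09:15:01 lab-host systemd[1]: Started Session 7 of user svc-backup.",
    "Jan 10 09:15:02 lab-host sysmon: "
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="Linux-Sysmon"/><EventID>1</EventID>'
    '<TimeCreated SystemTime="2024-01-10T09:15:02.000000000Z"/>'
    "<Computer>lab-host</Computer></System><EventData>"
    '<Data Name="RuleName">-</Data><Data Name="ProcessId">4242</Data>'
    '<Data Name="Image">/usr/bin/curl</Data>'
    '<Data Name="CommandLine">curl -s http://example.invalid/x</Data>'
    '<Data Name="ParentProcessId">1200</Data><Data Name="ParentImage">/usr/bin/bash</Data>'
    '<Data Name="User">svc-backup</Data></EventData></Event>',
]

# Sysmon EventData names -> ECS-style dotted field plus a type cast (the mapping is
# this example's choice). Unmapped names are kept verbatim under "sysmon.<Name>".
FIELD_MAP = {
    "ProcessId": ("process.pid", int),
    "Image": ("process.executable", str),
    "CommandLine": ("process.command_line", str),
    "ParentProcessId": ("process.parent.pid", int),
    "ParentImage": ("process.parent.executable", str),
    "User": ("user.name", str),
}
EVENT_RE = re.compile(r" sysmon: (<Event.*</Event>)\s*$")

def parse_sysmon_line(line):
    """Flatten one Sysmon for Linux syslog line into an ECS-style dict, else None."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    doc = {}
    for el in ET.fromstring(m.group(1)).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the event-schema namespace
        if tag == "EventID":
            doc["event.code"] = el.text
        elif tag == "TimeCreated":
            doc["@timestamp"] = el.get("SystemTime")
        elif tag == "Computer":
            doc["host.name"] = el.text
        elif tag == "Data":
            key, cast = FIELD_MAP.get(el.get("Name"), ("sysmon." + el.get("Name"), str))
            doc[key] = cast(el.text) if el.text is not None else None
    return doc

def parse_syslog(lines):
    # Parse every Sysmon event in a sequence of syslog lines; non-Sysmon lines are skipped.
    return [d for d in map(parse_sysmon_line, lines) if d]
```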