MICROSOFT
      Back to home
      1. KNOWLEDGE BASE
      2. DEVICE INTEGRATION
      3. MICROSOFT

      Windows Sysmon and NXLog

      In order to leverage on the OOTB usecases that are based on Windows SYSMON-PROCESS, SYSMON-NETWORK, SYSMON-FILE, SYSMON-IMAGE-LOAD, SYSMON-REGISTRY, SYSMON-WMI, SYSMON-PIPE, SYSMON-SERVICE and SYSMON-DNS, one must install this service on their Windows host. Failure to do so, will result in non functioning workbooks that have a prerequisite of installation of stated services.

      System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
      This docuemnt has been written for integration with 32 bit and 64 bit Windows machines.

      Integration of Microsoft Sysmon Logs with DNIF


      Install and Configure Windows Sysmon

      Sysmon is a command-line tool; once downloaded from the Microsoft Sysinternals web site the installation is straightforward: Open elevated (“Run as Administrator”) command line and execute the following command:

      $ Sysmon /?
      Two basic options are offered:

      • Set up the tool with default configuration

      • Define the desired configuration directly from the command line or from a configuration file https://github.com/SwiftOnSecurity/sysmon-config

      • Move the zip file to the C:\ drive and unzip the same.

      • Now a new folder gets created with the name Sysmon.

      • Download the configuration file for Sysmon - Download XML File.

      • Move the XML file within the folder C:\Sysmon.

      • Edit the XML file to include the Rules for Sysmon EventID 7, add the following lines as mentioned below:

      <!-- Event ID 7 == Image Loaded. Log everything except -->
      <ImageLoad onmatch="exclude">
         <Image condition="image">Sysmon.exe</Image>
         <Image condition="image">nxlog.exe</Image>
      </ImageLoad>

      Reference
      image 1-Dec-04-2023-10-29-52-7778-AM

      • Save the xml file.

      • Open ‘Command Prompt’ with administrator privileges.

      • Navigate to the folder C:\Sysmon.

      • Execute the following command,

        • If you have 64 bit Windows:
      $ Sysmon64.exe -accepteula -i -n -l -r 
      $ Sysmon64.exe -c sysmonconfig-export.xml
      • If you have 32bit Windows:
      $ Sysmon.exe -accepteula -i -n -l -r
      $ Sysmon.exe -c sysmonconfig-export.xml
      • To apply the changes, you have to restart the service:
      • Go to Control Panel > Services and locate the Sysmon64 service for 64bit Windows or locate Sysmon service for 32bit Windows accordingly.
      • Right click on Sysmon or Sysmon64 accordingly and click on restart.

      Download and Install Nxlog

      Download and install the latest version of NXLog on the Windows machine from which the logs need to be collected.
      After installation, locate the nxlog.conf file in the C:\Program Files (x86)\nxlog\conf folder.
      In 32 bit Windows machines, look in the C:\Program Files\nxlog\conf folder,

      image 2-Dec-04-2023-10-30-19-9336-AM

      • Open the nxlog.conf file using a text editor. Replace the entire configuration by copy-pasting the text given for your Windows version.

      Windows x32 bit OS

      #============ Define ROOT here ===================
      define ROOT C:\Program Files\nxlog
      #define ROOT C:\Program Files (x86)\nxlog
      #============ NXLog Machine Log info =============
      Moduledir %ROOT%\modules
      CacheDir %ROOT%\data
      Pidfile %ROOT%\data\nxlog.pid
      SpoolDir %ROOT%\data
      LogFile %ROOT%\data\nxlog.log

      #############For Sysmon and windows event logs###############

      <Extension _json>
      Module xm_json
      </Extension>

      <Input in>
      Module im_msvistalog
      Query <QueryList> \
      <Query Id="0"> \
      <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
      <Select Path="Application">*</Select> \
      <Select Path="System">*</Select> \
      <Select Path="Security">*</Select> \
      </Query> \
      </QueryList>
      </Input>

      <Output out>
      Module om_udp
      Host DNIF-Adapter-IP
      Port 514
      Exec to_json();
      </Output>

      <Route 1>
      Path in => out
      </Route>

      Windows x64 bit OS

      #============ Define ROOT here ===================
      #define ROOT C:\Program Files\nxlog
      define ROOT C:\Program Files (x86)\nxlog
      #============ NXLog Machine Log info =============
      Moduledir %ROOT%\modules
      CacheDir %ROOT%\data
      Pidfile %ROOT%\data\nxlog.pid
      SpoolDir %ROOT%\data
      LogFile %ROOT%\data\nxlog.log

      #############For Sysmon and windows event logs###############

      <Extension _json>
      Module xm_json
      </Extension>

      <Input in>
      Module im_msvistalog
      Query <QueryList> \
      <Query Id="0"> \
      <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
      <Select Path="Application">*</Select> \
      <Select Path="System">*</Select> \
      <Select Path="Security">*</Select> \
      </Query> \
      </QueryList>
      </Input>

      <Output out>
      Module om_udp
      Host DNIF-Adapter-IP
      Port 514
      Exec to_json();
      </Output>

      <Route 1>
      Path in => out
      </Route>
      • Restart NXLog
      • To apply changes made on nxlog.conf, you have to restart the service again. Go to Control Panel > Services and locate the nxlog service.
        Right click on nxlog and restart

        image 3-Dec-04-2023-10-30-37-7175-AM

      Microsoft Sysmon logs are now streamed to DNIF.