Not log DnsQuery EventID 22

[PoundXI]

OS: Ubuntu 20.04
Installation instruction: https://github.com/Sysinternals/SysmonForLinux/blob/main/INSTALL.md#ubuntu-1804-2004--2104

sysmon config:

<Sysmon schemaversion="4.21">
  <EventFiltering>
    <DnsQuery onmatch="exclude">
    </DnsQuery>
  </EventFiltering>
</Sysmon>

command for making dns query:
ping www.google.com

checking event id:
sudo cat /var/log/syslog | grep -oP "EventID>\d+<" | sort -u

result:

EventID>1<
EventID>16<
EventID>4<
EventID>5<

[lightoyou]

It seems that kernel 4.19.208-1 (debian 10) and 5.10.0-6 (debian 11) are not supported at the moment

[lightoyou]

SYSMONEVENT_RAWACCESS_READ seems not working too :(

[SirStephanikus]

Yep...even on a Ubuntu 20.04 Server LTS system...it does not log anything.
Considering all the other bugs (broken in RHEL systems), wrong man page (they use Windows stuff on a Linux system)...SysmonForLinux seems to be in alpha stadium ...and I don't get it why the Sysinternals team has all those "features" in it that don't work at all.

[MarioHewardt]

@PoundXI Try without specifying the config file. Does sysmon generate any events in that scenario?

[PoundXI]

@PoundXI Try without specifying the config file. Does sysmon generate any events in that scenario?

Just process create & terminate events

[MarioHewardt]

Thanks for checking. I've tagged this as a bug for now and added to backlog.

[juju4]

Observing same issue with sysmon 1.2.0 with some variations on debian 11.7 and ubuntu 22.04.
Any way to troubleshoot?

expecting more in both case (RawAccessRead for both and file/network/service for first one):

debian11# journalctl -xeu sysmon -l --no-pager | /opt/sysmon/sysmonLogView |grep Event | sort | uniq -c | sort -nr
    630 Event SYSMONEVENT_PROCESS_TERMINATE
    370 Event SYSMONEVENT_CREATE_PROCESS
ubuntu22# journalctl -xeu sysmon -l --no-pager | /opt/sysmon/sysmonLogView |grep 'Event' | sort | uniq -c | sort -nr
     95 Event SYSMONEVENT_PROCESS_TERMINATE
     67 Event SYSMONEVENT_CREATE_PROCESS
      7 Event SYSMONEVENT_NETWORK_CONNECT
      5 Event SYSMONEVENT_FILE_DELETE
      5 Event SYSMONEVENT_FILE_CREATE
      1 Event SYSMONEVENT_SERVICE_STATE_CHANGE
      1 Event SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE

Config based on
https://github.com/microsoft/MSTIC-Sysmon/tree/main/linux/configs
https://github.com/juju4/ansible-sysmon/blob/main/templates/config.xml.j2

Not seeing any DNS catch in
https://github.com/Sysinternals/SysmonForLinux/blob/main/sysmonforlinux.c#L848
but have SYSMONEVENT_NETWORK_CONNECT_EVENT_value and SYSMONEVENT_RAWACCESS_READ_EVENT_value

[MarioHewardt]

Thanks for reporting this. I've been a bit back logged but hopefully I can look into this in the next couple of weeks.

[0xab3d]

Any updates on this?

[MarioHewardt]

Hi @0xab3d - Thanks for checking in. We haven't implemented this yet as we're currently busy with other infrastructure work. I will keep everyone updated once we get to this.