SYSMON Operational Log not forwarding


bobbychan - 4/12/2018

I already have WEC and WEF set up for security logs.  Now I am trying to set up Sysmon.  I have installed Sysmon and have logs feeding into the Operational log of Sysmon.  However, when I set up a subscription to forward the logs to the WEC (the same WEC for security logs), the destination log on the collector does not receive the logs.  I utilized the Forwarded Events log to collect all the logs.  Does anyone else have this issue where there are Sysmon logs locally but they are not getting forwarded to the destination?
bjvista - 4/15/2018

In your subscription, what events are you collecting?  Have you created the subscription manually or using our Supercharger product?
bobbychan - 4/16/2018

The solution was discovered from another post on the forum titled "Sysmon Logs WEF - Supported?".  It had to do with permissions for the Sysmon Operational log.  Once I changed the permission of Microsoft-Windows-Sysmon/Operational to O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20), the log started forwarding.  The original permission is O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573), as this is on another machine I am trying to implement, but this machine is not currently sending Sysmon logs.  Now the questions that remain are, "How do we perform this action at scale?  What group policy must be utilized to implement it?  (I would rather not use a script to push it out.)"
bjvista

Bobby,
Check this KB article:  https://support.logbinder.com/SuperchargerKB/50120/4-Granting-Permissions-for-Security-Log-Forwarding
The article talks about the security log but there is a link there to a blog post at Microsoft with some reg keys for logs in general.  I think that might help you.

I haven't tested this but it may also give you the results you are looking for.  I would try this first.
In your GPO, under Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups, add a group.  Select Event Log Readers.  Then open that group and add "NT AUTHORITY\NETWORK SERVICE" there.
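A check for the permission problem bobbychan hit and the scaling question bjvista answers, as an added example that is not from this thread or from LOGbinder: it reads the channel's access SDDL with wevtutil, parses the ACEs, and reports whether NT AUTHORITY\NETWORK SERVICE (S-1-5-20, the account the WEF forwarder runs as) has read access; with -Fix it appends the same ACE bobbychan added. The parameter names are assumptions; run it elevated on the forwarding host.

```powershell
# Added example: audit (and optionally repair) channel access for WEF.
param(
    [string]$Channel = 'Microsoft-Windows-Sysmon/Operational',
    [switch]$Fix
)

# wevtutil gl prints one "channelAccess: <SDDL>" line; extract the SDDL.
$raw  = wevtutil gl $Channel
$sddl = ($raw | Where-Object { $_ -match '^\s*channelAccess:' }) -replace '^\s*channelAccess:\s*', ''
if (-not $sddl) { throw "Could not read channelAccess for $Channel" }
Write-Host "Current SDDL: $sddl"

# Split the DACL into ACEs; each looks like (A;;0x1;;;S-1-5-20)
# with fields type;flags;rights;objectGuid;inheritGuid;sid.
$aces = [regex]::Matches($sddl, '\(([^)]*)\)') | ForEach-Object {
    $f = $_.Groups[1].Value -split ';'
    [pscustomobject]@{ Type = $f[0]; Rights = $f[2]; Sid = $f[5] }
}

# Read access is bit 0x1 in the channel rights mask; look for an Allow ACE
# granting it to NETWORK SERVICE (S-1-5-20).
$canRead = $false
foreach ($a in $aces) {
    if ($a.Type -eq 'A' -and $a.Sid -eq 'S-1-5-20' -and $a.Rights -like '0x*' -and
        (([int]$a.Rights -band 0x1) -ne 0)) {
        $canRead = $true
    }
}

if ($canRead) {
    Write-Host 'NETWORK SERVICE can read the channel; WEF can forward it.'
} else {
    Write-Warning 'NETWORK SERVICE has no read access; the forwarder cannot read this channel.'
    if ($Fix) {
        # Keep every existing ACE and append the one from the thread.
        $new = $sddl + '(A;;0x1;;;S-1-5-20)'
        wevtutil sl $Channel /ca:$new
        Write-Host "Applied: $new"
    }
}

# For many hosts without a script: the same SDDL lives in the REG_SZ value
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\<channel>\ChannelAccess
# which a Group Policy Preferences registry item can set; the Restricted Groups
# route above grants read via Event Log Readers membership instead.
```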