Sysmon Log Collection

Based upon the new logging enhancements to the IDR platform, I am confused as to whether or not these logs are now automatically being collected. The notification to customers states that all System/Security/Application logs on Windows Endpoints are now collected. If that is the case, where can I find my sysmon logs?

Otherwise, my question is, HOW can I have these logs sent to my collector/IDR cloud for parsing and log search?

Hello @john_keese,

So, with the agent enhancements you can monitor the System, Security and Application categories of Windows events, however the Sysmon logs fall into the Operational category.
The agent today is hardcoded with those 3 categories only, but we are actively looking for improvements that will allow more flexibility.

As far as a workaround goes, you could leverage NXLog, which is a 3rd party agent capable of selecting a category and even event types from Windows, and it then sends them through syslog. This method would require you to set up a Custom Syslog event source, and the parsing would need to be done using the custom parser.

Hopefully we can bring more updates to our agent soon, but in the meantime I hope this information helps you.

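The NXLog workaround described in the reply above, written out as an added example configuration (it is not the reply author's, Rapid7's or the NXLog project's own file). It assumes NXLog Community Edition installed in its default Windows location, that the Sysmon channel is the standard `Microsoft-Windows-Sysmon/Operational`, and that the IDR collector has a Custom Syslog event source listening on the placeholder host and port shown; replace those with your own values.

```nxlog
## Added example nxlog.conf: forward the Sysmon Operational channel to an
## IDR collector over TCP syslog. Paths assume the default NXLog CE install
## directory on Windows; COLLECTOR_HOST / 10514 are placeholders.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

# Read only the Sysmon Operational channel. The agent's built-in collection
# covers Application/System/Security, so this input deliberately excludes them
# to avoid shipping duplicate events to the collector.
<Input sysmon>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Send each event as an RFC 5424 syslog message to the collector's
# Custom Syslog event source (placeholder host/port).
<Output collector>
    Module om_tcp
    Host   COLLECTOR_HOST
    Port   10514
    Exec   to_syslog_ietf();
</Output>

<Route sysmon_to_idr>
    Path sysmon => collector
</Route>
```

Before enabling the route, confirm the channel name on the host with `wevtutil gl Microsoft-Windows-Sysmon/Operational`; if Sysmon was installed with a custom driver name the channel differs and the `Select Path` must match it. Because the events arrive as free-text syslog, the Sysmon fields (Image, CommandLine, Hashes, etc.) are only searchable once a custom parser for the event source has been defined in IDR.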

This is somewhat misleading.
Particularly the phrase “all system/security/application event logs are now collected”. I had a case opened with support on this exact subject last week. I can open Event Viewer on my Windows host, search the Security event log section and find multiple event IDs that are not imported to IDR natively. Support just gave me a link to a list of event IDs NOT collected and closed the case.

What event IDs are collected, specifically from these windows categories?

NOTE - Windows event log collection channels

Windows event logs are collected from the following channels:

  • Application
  • System
  • Security

All entries in these channels are collected, and it is not customizable at this time.