Sysmon Log Collection

Based upon the new logging enhancements to the IDR platform, I am confused as to whether or not these logs are now automatically being collected. The notification to customers states that all System/Security/Application logs on Windows Endpoints are now collected. If that is the case, where can I find my sysmon logs?

Otherwise, my question is, HOW can I have these logs sent to my collector/IDR cloud for parsing and log search?

2 Likes

Hello @john_keese,

So, with the agent enhancements you can monitor the System, Security and Application categories of Windows events; however, the Sysmon logs fall into the Operational category.
The agent today is hardcoded with those 3 categories only, but we are actively looking for improvements that will allow more flexibility.

As far as a workaround goes, you could leverage NXLog, which is a 3rd party agent capable of selecting a category and even event types from Windows, and it then sends them through syslog. This method would require you to set up a Custom Syslog event source, and the parsing would need to be done using the custom parser.

Hopefully we can bring more updates to our agent soon, but in the meantime I hope this information helps you.

Regards,
Felipe
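
To make the workaround above concrete, here is an added example NXLog configuration (not taken from the thread or from Rapid7's documentation) that reads the Sysmon Operational channel and forwards each event as IETF syslog over TCP to a Custom Syslog event source on the collector. The install path, the collector address `COLLECTOR_IP_PLACEHOLDER` and port `514` are placeholders to adjust for your environment.

```apache
# Added example nxlog.conf for forwarding Sysmon events to an InsightIDR
# collector. Assumes NXLog Community Edition on Windows; adjust ROOT to
# the actual install path.
define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Provides to_syslog_ietf() used in the output below.
<Extension _syslog>
    Module xm_syslog
</Extension>

# Read the Sysmon Operational channel, which the Insight Agent's
# Application/System/Security collection does not cover.
<Input sysmon>
    Module im_msvistalog
    # Resume from the last read position after a restart instead of
    # re-sending old events.
    SavePos True
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <!-- "*" takes every Sysmon event. To narrow to specific
                     event types, replace it with an XPath filter such as
                     *[System[(EventID=1 or EventID=3)]] -->
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Send each event as an RFC 5424 syslog message to the collector's
# Custom Syslog event source. Placeholder host and port.
<Output to_collector>
    Module om_tcp
    Host   COLLECTOR_IP_PLACEHOLDER
    Port   514
    Exec   to_syslog_ietf();
</Output>

<Route sysmon_to_collector>
    Path sysmon => to_collector
</Route>
```

The Custom Syslog event source must be configured to listen on the same TCP port, and the resulting events arrive with the Sysmon message text in the syslog body, which is what the custom parser then works on. Sysmon's own configuration (which event types it records) determines what appears in the channel in the first place; the NXLog filter only narrows what is forwarded.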

This is somewhat misleading.
Particularly the phrase “all system/security/application event logs are now collected”. I had a case opened with support on this exact subject last week. I can open Event Viewer on my Windows host, search the Security event log section and find multiple event IDs that are not imported to IDR natively. Support just gave me a link to a list of event IDs NOT collected and closed the case.

What event IDs are collected, specifically from these windows categories?

NOTE - Windows event log collection channels

Windows event logs are collected from the following channels:

  • Application
  • System
  • Security

All entries in these channels are collected, and it is not customizable at this time.

https://docs.rapid7.com/insightidr/configure-the-insight-agent-to-send-logs/

From my understanding, this was pushed as an “all or nothing” where all means Application, System and Security, and nothing else (like Sysmon).

Any developments here?

1 Like

Sysmon functionality has been one of my high priority requests too, would be a great feature to enable on selected high risk clients. Rapid 7, don’t drop the ball - start implementing!

3 Likes

@matthew_ciantar @jason_williams “don’t drop the ball” <-- this one cut deep! Joking aside, we did hear you and have begun the work to start leveraging Sysmon to replace some of our existing telemetry collection. So while this does not yet deliver what you’re asking for here, it is the foundational first step for us.

I’m also working to define the “next steps” in parallel… so if either of you are willing, I’d love to hop on a quick call to make sure I understand your specific use cases.

2 Likes

We want to collect highly verbose and contextual logs that provide us (InsightIDR customers/analysts/Security Professionals) with critically necessary information to efficiently investigate alerts. If we have to explain to Rapid7 why collection of Sysmon logs require justification and specific use cases, then the ball has most definitely been dropped as @jason_williams mentions, jokingly or not.

3 Likes

@john_keese apologies for the delay on this post - I meant to tag you in my earlier reply. As a product manager, it’s always helpful for me to talk to customers… so even in situations like this when the request is relatively straight forward (as you rightly point out), I still walk away with additional insight which ultimately helps address the inevitable nuances of new functionality.

I also acknowledge that security professionals have zero free time - so it’s admittedly a big ask.

1 Like

Native syslog integration would be a huge value add, I am also waiting for this.

2 Likes

@dan_martin - @matthew_ciantar reports to me in our organisation, any time you wish to obtain direct technical feedback from a customer going forward, you have my full support to contact him.

2 Likes

@harley_aw I caught up with your Customer Success Manager today and next week he’s going to be setting up a meeting - we’ll make sure @matthew_ciantar is included for sure!

1 Like

No worries. Totally understandable. I’ve reached out to my CSM as well to schedule a call to discuss Sysmon logging in the InsightIDR platform as well.

1 Like

I just sent a note to your CSM - we’ll coordinate and make sure I’m able to join the call!

Has there been any movement here? Or is there a guide on collecting Sysmon logs?

@galen_gough the workaround that Felipe noted above would still be the approach for gathering additional Sysmon logs today: NXLog | InsightIDR Documentation

We are working to close this gap, but unfortunately we’re just not there yet. Some of the folks in this thread took me up on my offer to set up a Roadmap call to discuss this in more depth - and I found each of those conversations extremely helpful. So I will offer the same thing to you… let me know if you have any interest!

Does InsightOPS ingest Sysmon logs or would we still need to have NXLog running?

Can we upvote this any more? This would be so helpful and close a big gap in current endpoint logging with IDR.

@travis_thomas apologies for the late reply here - yes, you would still need to have NXLog running.

@ben_cuthbert I have captured your upvote!

The answer may be “no, I need full customization” but I wanted to ask: are there certain Sysmon events you would put at the top of your list? We are currently working with our detection engineering team to identify the next set of Sysmon-sourced data we want to ingest. The intent here is to provide broader detection coverage for customers per the MITRE ATT&CK framework.