Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Linux input for process monitoring (similar to Windows Sysmon)

ejwade
Contributor
‎08-30-2019 09:36 AM

We're looking for a tool that does the same thing as Windows Sysmon (Sysinternals), but for Linux. The problem with ps and other process monitoring inputs in the Linux TA is the interval. If a process launches and closely quickly, an interval capture will missed it. We need something that will write a log whenever a process is created, preferably with the command launching the process.

Any input is appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

larchinal75
Explorer
‎11-15-2019 09:42 AM

Good afternoon,

I did some brief research and testing with Linux systems for the same reasons; We were looking for command-line capture and process execution within our Linux environment. The best we came up with is Auditd. This provided close to the same results as Sysmon (i.e. if someone ran a command in command-line). The way it operates though is different to Sysmon where when you configured Sysmon and installed it, it began logging right away. With Auditd we had to create "rules" to look for activity.

I hope this answers your question.

Have a wonderful day!

View solution in original post

Reply
Solved! Jump to solution
Solution

larchinal75
Explorer
‎11-15-2019 09:42 AM

Good afternoon,

I did some brief research and testing with Linux systems for the same reasons; We were looking for command-line capture and process execution within our Linux environment. The best we came up with is Auditd. This provided close to the same results as Sysmon (i.e. if someone ran a command in command-line). The way it operates though is different to Sysmon where when you configured Sysmon and installed it, it began logging right away. With Auditd we had to create "rules" to look for activity.

I hope this answers your question.

Have a wonderful day!

Reply
Solved! Jump to solution

larchinal75
Explorer
‎11-15-2019 09:51 AM

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-def...

https://www.linux.com/tutorials/customized-file-monitoring-auditd/

Here are some references that I have come across regarding auditd and creating the rules.

Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎09-02-2019 01:12 AM

You can achieve this using Linux auditd, please check with your Linux system administrator to configure auditd on Linux server and then monitor auditd.log file in Splunk.

Reply
Solved! Jump to solution

ejwade
Contributor
‎09-03-2019 09:44 AM

@harsmarvania57 That's good advice. We've been exploring auditd; specifically EXEVCE system calls. Thanks for the suggestion!

Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...