This article provides information on how to configure Sysmon on WinCollect and create a log source for collecting events.
- Disk usage is significantly reduced.
- It has a lighter footprint.
- High Availability support is included by default.
- In addition to monitoring DNS queries, Sysmon also monitors process creation, file creation, and registry modifications.
- Granular filtering of events through a configuration file.
Enable DNS query logging
- Download Sysmon from the official Microsoft® website for Sysmon.
- A command prompt with administrative rights is required to install Sysmon.
- Once the prompt is open, change the directory to where the Sysmon package is located.
- Use the Sysmon -i command to install the package.
- You can now see Sysmon logs under Applications and Services Log > Microsoft > Windows > Sysmon Operational.
- DNS queries are not enabled by default. You have to enable them with a configuration file.
Create a text file with Notepad with the following XML snippet, and save it in text format with the name config-dnsquery.xml.
Note: The DNS query log can generate a high volume of events, for example from Internet browsing and application use, and your configuration might need more exclusion filtering.
IBM does not endorse the default values in this sample configuration. Users must confirm the appropriate values with their security, network, or system administrator.
    <Sysmon schemaversion="4.21">
      <EventFiltering>
        <DnsQuery onmatch="exclude" />
      </EventFiltering>
    </Sysmon>
- Use the following command on the command prompt to start logging DNS queries.
    Sysmon.exe -c config-dnsquery.xml
- The DNS events are visible in the following path Applications and Services Log > Microsoft > Windows > Sysmon Operational. A DNS query event has Event ID 22.
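The steps above, carried out from PowerShell, as an added example that is not part of the IBM article. It writes the configuration file, installs Sysmon with it on first run (or reloads the configuration with -c if the Sysmon service already exists), triggers one lookup, and reads back Event ID 22 from the Sysmon Operational channel. An empty DnsQuery rule with onmatch="exclude" logs every query, so the script adds two QueryName exclusions as placeholders for the "more exclusion filtering" the note mentions; the domain suffixes and the assumption that Sysmon.exe is in the current directory are mine, not from the article.

```powershell
# Added example (not from the IBM article): write a Sysmon DNS-query configuration,
# install or reload Sysmon with it, and confirm that Event ID 22 records appear.
# Assumptions: Sysmon.exe is in the current directory, and the two exclusion
# suffixes below are placeholders to be replaced with domains that are noisy here.
#Requires -RunAsAdministrator

$configPath = Join-Path (Get-Location) 'config-dnsquery.xml'

# Same schema version and DnsQuery rule as the article. With onmatch="exclude",
# every query that matches none of the listed rules is logged, so each rule
# removes one source of noise. Conditions such as "end with" are Sysmon's own.
$config = @'
<Sysmon schemaversion="4.21">
  <EventFiltering>
    <DnsQuery onmatch="exclude">
      <!-- placeholder exclusions: adjust for your environment -->
      <QueryName condition="end with">.example.internal</QueryName>
      <QueryName condition="end with">.in-addr.arpa</QueryName>
    </DnsQuery>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $configPath -Value $config -Encoding ASCII

# A first install needs -i (and the EULA flag); an installed Sysmon only needs -c
# to load the new configuration without reinstalling the driver.
if (Get-Service -Name 'Sysmon' -ErrorAction SilentlyContinue) {
    & .\Sysmon.exe -c $configPath
} else {
    & .\Sysmon.exe -accepteula -i $configPath
}

# Generate one lookup so there is something to find, then read back Event ID 22
# from the channel the article names (Microsoft-Windows-Sysmon/Operational).
Resolve-DnsName -Name 'www.microsoft.com' -ErrorAction SilentlyContinue | Out-Null
Start-Sleep -Seconds 2

$events = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
                       -FilterXPath '*[System[EventID=22]]' `
                       -MaxEvents 20 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # EventData fields (Image, QueryName, QueryResults, ...) are read from the XML form.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    '{0}  {1}  ->  {2}  ({3})' -f $e.TimeCreated, $d['Image'], $d['QueryName'], $d['QueryResults']
}
if (-not $events) {
    Write-Warning 'No Event ID 22 records yet; check the Sysmon service state and the config file.'
}
```

Run it from an elevated PowerShell prompt in the directory that holds Sysmon.exe. Each printed line shows the querying process image, the name looked up and the answer, which is the same information QRadar will later receive for an Event ID 22 record.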
Create a log source in QRadar to collect Sysmon events
- Open the Log Source Management Application.
- Create a log source.
- Select Log Source type, Microsoft Windows Security Event Log.
- Select Protocol type, WinCollect.
- Complete all required details such as Name, Destination, and Log Source Identifier.
- In Step 3 in the log source creation wizard, insert the XPath Query in the log source configuration.
    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
      </Query>
    </QueryList>
- Save the log source and deploy changes.
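A local check before deploying the log source, as an added example that is not part of the IBM article: the QueryList XML above is the same format that Get-WinEvent -FilterXml accepts, so running it on the Sysmon host confirms that the channel name resolves and shows how many events per Sysmon event ID WinCollect will forward. The per-ID summary and the top-queried-names list are my additions for gauging whether the DNS configuration needs more exclusion rules; the script assumes it runs on the Windows host where Sysmon is installed.

```powershell
# Added example (not from the IBM article): run the WinCollect XPath query from the
# article locally to validate it and to gauge the event volume the log source will send.
# Assumption: executed on the Windows host that has Sysmon installed.

$queryXml = [xml]@'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
  </Query>
</QueryList>
'@

try {
    # Get-WinEvent throws when the channel is missing or has no matching events,
    # which is exactly the failure you want to see here rather than in QRadar.
    $events = Get-WinEvent -FilterXml $queryXml -MaxEvents 5000 -ErrorAction Stop
} catch {
    Write-Error "XPath query failed or returned no events: $($_.Exception.Message)"
    return
}

# Volume per Sysmon event ID: 22 = DnsQuery, 1 = ProcessCreate, 11 = FileCreate,
# 12/13/14 = registry events. A dominant ID 22 count means the DNS configuration
# needs more exclusion rules before the log source goes live.
$events | Group-Object -Property Id | Sort-Object -Property Count -Descending |
    Select-Object -Property @{ n = 'EventID'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Most frequently queried names among the DNS events: candidates for exclusion.
$events | Where-Object -Property Id -eq 22 | ForEach-Object {
    ([xml]$_.ToXml()).Event.EventData.Data |
        Where-Object -Property Name -eq 'QueryName' |
        Select-Object -ExpandProperty '#text'
} | Group-Object | Sort-Object -Property Count -Descending |
    Select-Object -First 15 -Property Count, Name
```

If the query fails here it will also fail in WinCollect, so fix the channel path or the Sysmon installation first; if it succeeds but Event ID 22 dominates the summary, extend the DnsQuery exclusions in config-dnsquery.xml before saving and deploying the log source.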
10 October 2022