Hi,
I have an XML-rendered log from Sysmon and I need to extract only the interesting fields from this log, for example:
Image|UtcTime|ProcessGuid|CommandLine|User|ParentProcessGuid|ParentImage|ParentCommandLine|Hashes
But my conf doesn't work.
What did I do wrong, and how do I fix that?
**here is the sample xml**
```
1 5 4 1 0 0x8000000000000000 1098206 Microsoft-Windows-Sysmon/Operational HOSTNAME
2017-03-13 12:16:18.203{EF92ED9B-8D92-58C6-0000-0010B2A27B04}2832C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c type "C:\ProgramData\****.txt"c:\program files\*****\NT AUTHORITY\SYSTEM{****************************}0x3e70SystemSHA1=0F3C4FF28F354AEDE2,MD5=5746BD7E255DD61,SHA256=DB06C3534964E3FC79D0CA336F4A0FE724B75AAFF386,IMPHASH=D00585440EB0A{**************************}1564C:\Program Files\****.exe"C:\Program Files\******" 1452
************************************************************** Information Process Create (rule: ProcessCreate) Info
```
**And this is my conf:**
inputs.conf
```
[WinEventLog://ForwardedEvents]
disabled = false
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
suppress_text = 1
index = sysmon
sourcetype = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
whitelist1 = 1,5,6
```
props.conf
```
[source::WinEventLog://ForwardedEvents]
TRANSFORMS-setnull = sysmon-setnull
TRANSFORMS-keep = sysmon-keep
```
transforms.conf
```
[sysmon-setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[sysmon-keep]
REGEX = (?i)Name=".*(Image|UtcTime|ProcessGuid|CommandLine|User|ParentProcessGuid|ParentImage|ParentCommandLine|Hashes)"
DEST_KEY = queue
FORMAT = indexQueue
```
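As an added example (not part of the post and not Splunk's own code): the field selection the post asks for, done with Python's xml.etree over a constructed Sysmon Event ID 1 in the `<Data Name='...'>` layout that renderXml = true stores. It shows that picking fields is a per-element match on the Name attribute, whereas the nullQueue/indexQueue transforms in the post only decide whether the whole event is indexed. The sample event, its placeholder values and the namespace URI are assumptions.

```python
import xml.etree.ElementTree as ET

# Fields the post wants to keep from each Sysmon event, in the post's order.
WANTED = ("Image", "UtcTime", "ProcessGuid", "CommandLine", "User",
          "ParentProcessGuid", "ParentImage", "ParentCommandLine", "Hashes")

# Windows event XML namespace (assumed standard value).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a Sysmon Event ID 1 (Process Create). Values are
# placeholders, not the ones from the post.
SAMPLE_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>HOSTNAME</Computer></System>
  <EventData>
    <Data Name='UtcTime'>2017-03-13 12:16:18.203</Data>
    <Data Name='ProcessGuid'>{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name='ProcessId'>2832</Data>
    <Data Name='Image'>C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name='CommandLine'>"C:\\Windows\\system32\\cmd.exe" /c type "C:\\ProgramData\\example.txt"</Data>
    <Data Name='User'>NT AUTHORITY\\SYSTEM</Data>
    <Data Name='Hashes'>SHA1=PLACEHOLDER,MD5=PLACEHOLDER</Data>
    <Data Name='ParentProcessGuid'>{00000000-0000-0000-0000-000000000002}</Data>
    <Data Name='ParentImage'>C:\\Program Files\\example.exe</Data>
    <Data Name='ParentCommandLine'>"C:\\Program Files\\example.exe"</Data>
  </EventData>
</Event>"""

def extract_fields(event_xml, wanted=WANTED):
    """Return {name: value} for the wanted <Data Name='...'> elements.
    EventID and Computer are always included so the row stays attributable."""
    root = ET.fromstring(event_xml)
    out = {
        "EventID": root.findtext("e:System/e:EventID", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        name = data.get("Name")
        if name in wanted:  # exact match on Name; ProcessId etc. are dropped
            out[name] = data.text or ""
    return out

def to_pipe_row(fields, order=WANTED):
    """Flatten to the Image|UtcTime|... layout the post lists; missing -> empty."""
    return "|".join(fields.get(name, "") for name in order)

if __name__ == "__main__":
    print(to_pipe_row(extract_fields(SAMPLE_EVENT)))
```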