Installing and using SysmonForLinux on Linux
Download the deb packages:
https://github.com/Sysinternals/SysinternalsEBPF/releases
https://github.com/Sysinternals/SysmonForLinux/releases/tag/1.2.0.0
Install (SysinternalsEBPF first, since sysmon depends on it):
sudo dpkg -i sysinternalsebpf_1.2.0-0_amd64.deb
sudo dpkg -i sysmonforlinux_1.2.0-0_amd64.deb
sudo sysmon -i
View the logs (Sysmon writes one XML event per journal line):
sudo journalctl -f
Jul 24 04:55:58 kali sysmon[6504]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-07-24T08:55:58.234550000Z"/><EventRecordID>5127</EventRecordID><Correlation/><Execution ProcessID="6504" ThreadID="6504"/><Channel>Linux-Sysmon/Operational</Channel><Computer>kali</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-07-24 08:55:58.240</Data><Data Name="ProcessGuid">{adae0cb1-3c9e-64be-1d46-26cbb2550000}</Data><Data Name="ProcessId">9563</Data><Data Name="Image">/usr/bin/ip</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">ip a s </Data><Data Name="CurrentDirectory">/home/kali</Data><Data Name="User">kali</Data><Data Name="LogonGuid">{adae0cb1-0000-0000-e803-000000000000}</Data><Data Name="LogonId">1000</Data><Data Name="TerminalSessionId">2</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">-</Data><Data Name="ParentProcessGuid">{00000000-0000-0000-0000-000000000000}</Data><Data Name="ParentProcessId">9562</Data><Data Name="ParentImage">-</Data><Data Name="ParentCommandLine">-</Data><Data Name="ParentUser">-</Data></EventData></Event>
Jul 24 04:55:58 kali sysmon[6504]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-07-24T08:55:58.234758000Z"/><EventRecordID>5128</EventRecordID><Correlation/><Execution ProcessID="6504" ThreadID="6504"/><Channel>Linux-Sysmon/Operational</Channel><Computer>kali</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-07-24 08:55:58.240</Data><Data Name="ProcessGuid">{adae0cb1-3c9e-64be-59c3-c52c33560000}</Data><Data Name="ProcessId">9564</Data><Data Name="Image">/usr/bin/grep</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">grep -o -P (?<=inet )[0-9]{1,3}(\.[0-9]{1,3}){3}</Data><Data Name="CurrentDirectory">/home/kali</Data><Data Name="User">kali</Data><Data Name="LogonGuid">{adae0cb1-0000-0000-e803-000000000000}</Data><Data Name="LogonId">1000</Data><Data Name="TerminalSessionId">2</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">-</Data><Data Name="ParentProcessGuid">{00000000-0000-0000-0000-000000000000}</Data><Data Name="ParentProcessId">9562</Data><Data Name="ParentImage">-</Data><Data Name="ParentCommandLine">-</Data><Data Name="ParentUser">-</Data></EventData></Event>
Jul 24 04:55:58 kali sysmon[6504]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-07-24T08:55:58.235759000Z"/><EventRecordID>5129</EventRecordID><Correlation/><Execution ProcessID="6504" ThreadID="6504"/><Channel>Linux-Sysmon/Operational</Channel><Computer>kali</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-07-24 08:55:58.241</Data><Data Name="ProcessGuid">{adae0cb1-3c9e-64be-1d46-26cbb2550000}</Data><Data Name="ProcessId">9563</Data><Data Name="Image">/usr/bin/ip</Data><Data Name="User">kali</Data></EventData></Event>
Jul 24 04:55:58 kali sysmon[6504]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-07-24T08:55:58.236145000Z"/><EventRecordID>5130</EventRecordID><Correlation/><Execution ProcessID="6504" ThreadID="6504"/><Channel>Linux-Sysmon/Operational</Channel><Computer>kali</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-07-24 08:55:58.242</Data><Data Name="ProcessGuid">{adae0cb1-3c9e-64be-59c3-c52c33560000}</Data><Data Name="ProcessId">9564</Data><Data Name="Image">/usr/bin/grep</Data><Data Name="User">kali</Data></EventData></Event>
Jul 24 04:55:58 kali sysmon[6504]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-07-24T08:55:58.236236000Z"/><EventRecordID>5131</EventRecordID><Correlation/><Execution ProcessID="6504" ThreadID="6504"/><Channel>Linux-Sysmon/Operational</Channel><Computer>kali</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-07-24 08:55:58.242</Data><Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data><Data Name="ProcessId">9562</Data><Data Name="Image"><unknown process></Data><Data Name="User">kali</Data></EventData></Event>
Jul 24 04:55:58 kali sysmon[6504]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Version>3</Version><Level>4</Level><Task>5</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-07-24T08:55:58.236456000Z"/><EventRecordID>5132</EventRecordID><Correlation/><Execution ProcessID="6504" ThreadID="6504"/><Channel>Linux-Sysmon/Operational</Channel><Computer>kali</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-07-24 08:55:58.242</Data><Data Name="ProcessGuid">{adae0cb1-3c9e-64be-b91b-bf8270550000}</Data><Data Name="ProcessId">9557</Data><Data Name="Image">/usr/bin/dash</Data><Data Name="User">kali</Data></EventData></Event>
Jul 24 04:55:59 kali sysmon[6504]: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime="2023-07-24T08:55:59.163318000Z"/><EventRecordID>5133</EventRecordID><Correlation/><Execution ProcessID="6504" ThreadID="6504"/><Channel>Linux-Sysmon/Operational</Channel><Computer>kali</Computer><Security UserId="0"/></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2023-07-24 08:55:59.168</Data><Data Name="ProcessGuid">{adae0cb1-3c9f-64be-9132-26787b550000}</Data><Data Name="ProcessId">9565</Data><Data Name="Image">/usr/bin/sudo</Data><Data Name="FileVersion">-</Data><Data Name="Description">-</Data><Data Name="Product">-</Data><Data Name="Company">-</Data><Data Name="OriginalFileName">-</Data><Data Name="CommandLine">sudo journalctl -f</Data><Data Name="CurrentDirectory">/home/kali/Desktop</Data><Data Name="User">kali</Data><Data Name="LogonGuid">{adae0cb1-0000-0000-e803-000000000000}</Data><Data Name="LogonId">1000</Data><Data Name="TerminalSessionId">2</Data><Data Name="IntegrityLevel">no level</Data><Data Name="Hashes">-</Data><Data Name="ParentProcessGuid">{00000000-0000-0000-0000-000000000000}</Data><Data Name="ParentProcessId">1586</Data><Data Name="ParentImage">-</Data><Data Name="ParentCommandLine">-</Data><Data Name="ParentUser">-</Data></EventData></Event>
Jul 24 04:55:59 kali sudo[9565]: kali : TTY=pts/0 ; PWD=/home/kali/Desktop ; USER=root ; COMMAND=/usr/bin/journalctl -f
Readable output by piping the journal through sysmonLogView (shipped with the package):
└─$ sudo journalctl -f | sudo /opt/sysmon/sysmonLogView
Event SYSMONEVENT_PROCESS_TERMINATE
  RuleName: -
  UtcTime: 2023-07-24 08:56:38.438
  ProcessGuid: {adae0cb1-3cc6-64be-0000-000000000000}
  ProcessId: 9892
  Image: -
  User: kali
Event SYSMONEVENT_PROCESS_TERMINATE
  RuleName: -
  UtcTime: 2023-07-24 08:56:38.438
  ProcessGuid: {adae0cb1-3cc6-64be-b9eb-bfc606560000}
  ProcessId: 9887
  Image: /usr/bin/dash
  User: kali
Event SYSMONEVENT_CREATE_PROCESS
  RuleName: -
  UtcTime: 2023-07-24 08:56:38.981
  ProcessGuid: {adae0cb1-3cc6-64be-91c2-e74030560000}
  ProcessId: 9895
  Image: /usr/bin/sudo
  FileVersion: -
  Description: -
  Product: -
  Company: -
  OriginalFileName: -
  CommandLine: sudo journalctl -f
  CurrentDirectory: /home/kali/Desktop
  User: kali
  LogonGuid: {adae0cb1-0000-0000-e803-000000000000}
  LogonId: 1000
  TerminalSessionId: 2
  IntegrityLevel: no level
  Hashes: -
  ParentProcessGuid: {00000000-0000-0000-0000-000000000000}
  ParentProcessId: 1586
  ParentImage: -
  ParentCommandLine: -
  ParentUser: -
Event SYSMONEVENT_CREATE_PROCESS
  RuleName: -
  UtcTime: 2023-07-24 08:56:38.982
  ProcessGuid: {adae0cb1-3cc6-64be-91c2-f2c5c1550000}
  ProcessId: 9896
  Image: /usr/bin/sudo
  FileVersion: -
  Description: -
  Product: -
  Company: -
  OriginalFileName: -
  CommandLine: sudo /opt/sysmon/sysmonLogView
  CurrentDirectory: /home/kali/Desktop
  User: kali
  LogonGuid: {adae0cb1-0000-0000-e803-000000000000}
  LogonId: 1000
  TerminalSessionId: 2
  IntegrityLevel: no level
  Hashes: -
  ParentProcessGuid: {00000000-0000-0000-0000-000000000000}
  ParentProcessId: 1586
  ParentImage: -
  ParentCommandLine: -
  ParentUser: -
Data collection works much like Windows Sysmon: EventID 1 is process creation and EventID 5 is process termination, with the same field names (ProcessGuid, Image, CommandLine, ParentProcessId, and so on).
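The journal lines above are one XML event each, so the natural next step after `journalctl -f` is to parse them rather than read them by eye. The following script is an added example, not part of the original notes or of the Sysmon for Linux project: it reads journal lines (from stdin, or from a constructed sample modelled on the output above when run interactively), extracts the EventData fields, and pairs each ProcessCreate (EventID 1) with its ProcessTerminate (EventID 5) by ProcessId so you get a process lifetime with its command line. It also handles the edge case visible in the output above: values such as `<unknown process>` or a `grep -P` pattern containing `<` appear unescaped, which makes a strict XML parser fail, so the parser falls back to a regex over the `<Data>` elements and flags the event as not well-formed. The sample lines, the function names and the field subset kept in the sample are my own construction.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample journalctl lines modelled on the Linux-Sysmon output shown above
# (<System> sections shortened; not a verbatim capture from the original notes).
SAMPLE_JOURNAL = r"""Jul 24 04:55:58 kali sysmon[6504]: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Channel>Linux-Sysmon/Operational</Channel><Computer>kali</Computer></System><EventData><Data Name="UtcTime">2023-07-24 08:55:58.240</Data><Data Name="ProcessId">9563</Data><Data Name="Image">/usr/bin/ip</Data><Data Name="CommandLine">ip a s </Data><Data Name="User">kali</Data><Data Name="ParentProcessId">9562</Data></EventData></Event>
Jul 24 04:55:58 kali sysmon[6504]: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Channel>Linux-Sysmon/Operational</Channel><Computer>kali</Computer></System><EventData><Data Name="UtcTime">2023-07-24 08:55:58.240</Data><Data Name="ProcessId">9564</Data><Data Name="Image">/usr/bin/grep</Data><Data Name="CommandLine">grep -o -P (?<=inet )[0-9]{1,3}(\.[0-9]{1,3}){3}</Data><Data Name="User">kali</Data><Data Name="ParentProcessId">9562</Data></EventData></Event>
Jul 24 04:55:58 kali sysmon[6504]: <Event><System><Provider Name="Linux-Sysmon"/><EventID>5</EventID><Channel>Linux-Sysmon/Operational</Channel><Computer>kali</Computer></System><EventData><Data Name="UtcTime">2023-07-24 08:55:58.241</Data><Data Name="ProcessId">9563</Data><Data Name="Image">/usr/bin/ip</Data><Data Name="User">kali</Data></EventData></Event>
Jul 24 04:55:58 kali sysmon[6504]: <Event><System><Provider Name="Linux-Sysmon"/><EventID>5</EventID><Channel>Linux-Sysmon/Operational</Channel><Computer>kali</Computer></System><EventData><Data Name="UtcTime">2023-07-24 08:55:58.242</Data><Data Name="ProcessId">9562</Data><Data Name="Image"><unknown process></Data><Data Name="User">kali</Data></EventData></Event>
Jul 24 04:55:59 kali sudo[9565]: kali : TTY=pts/0 ; PWD=/home/kali/Desktop ; USER=root ; COMMAND=/usr/bin/journalctl -f
"""

# journalctl "short" format: "<Mon> <day> <hh:mm:ss> <host> sysmon[<pid>]: <Event>...</Event>"
JOURNAL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sysmon\[\d+\]: (?P<xml><Event>.*</Event>)\s*$"
)
DATA_RE = re.compile(r'<Data Name="([^"]+)">(.*?)</Data>', re.S)
EVENTID_RE = re.compile(r"<EventID>(\d+)</EventID>")


def parse_event(line):
    """Return a flat dict for one Linux-Sysmon journal line, or None for any other line."""
    m = JOURNAL_RE.match(line)
    if not m:
        return None
    xml = m.group("xml")
    try:
        root = ET.fromstring(xml)
        event_id = int(root.findtext("System/EventID"))
        data = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
        well_formed = True
    except ET.ParseError:
        # Fallback for values that contain a bare '<' (e.g. '<unknown process>' or a
        # regex in CommandLine, both present in the output above): pull the Data
        # elements out with a regex instead of giving up on the event.
        event_id = int(EVENTID_RE.search(xml).group(1))
        data = dict(DATA_RE.findall(xml))
        well_formed = False
    return {"event_id": event_id, "host": m.group("host"), "timestamp": m.group("ts"),
            "well_formed": well_formed, **data}


def correlate_lifetimes(lines):
    """Pair ProcessCreate (EventID 1) with ProcessTerminate (EventID 5) by ProcessId.

    Returns (finished, still_running). A terminate with no matching create is kept
    with cmdline=None; that is what the '<unknown process>' events above look like
    (the process started before sysmon did, so no create event was recorded).
    """
    running = {}
    finished = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pid = ev.get("ProcessId")
        if ev["event_id"] == 1:
            running[pid] = ev
        elif ev["event_id"] == 5:
            start = running.pop(pid, None)
            finished.append({
                "pid": pid,
                "image": ev.get("Image"),
                "cmdline": start.get("CommandLine") if start else None,
                "user": ev.get("User"),
                "started": start.get("UtcTime") if start else None,
                "ended": ev.get("UtcTime"),
            })
    return finished, running


if __name__ == "__main__":
    # Piped:  sudo journalctl -f | python3 sysmon_lifetimes.py   (hypothetical file name)
    # Interactive: falls back to the constructed sample so the script runs offline.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_JOURNAL.splitlines()
    done, still_running = correlate_lifetimes(source)
    for p in done:
        print(f"pid {p['pid']:>6} {p['image']:<20} {p['started']} -> {p['ended']}  cmd={p['cmdline']!r}")
    for pid, ev in still_running.items():
        print(f"still running: pid {pid} {ev.get('Image')} cmd={ev.get('CommandLine')!r}")
```

Because `journalctl -f` never ends, the live pipe only prints a lifetime once the terminate event arrives; for a one-off look at history, drop `-f` and the script exits when the journal does. The `well_formed` flag is worth keeping in whatever you ship onward, since a parser that silently drops events with unescaped characters would lose exactly the command lines (regex-heavy `grep`, `awk`, `sed`) you most want to see.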