Author Kevin Kipp
A log file is a file that records events that occur in an operating system or in software running on it.
These can be anything, ranging from network connections, logon events and application crashes to a file being accessed, the system time being changed or a USB stick being inserted.
- With all these possibilities, how can you tell which events are important or not?
Servers, workstations, firewalls, switches, applications, databases, Windows, Linux and Unix all differ in where they log, how the log message is structured, what format the log file is saved in, and which events are included in the log.
- This lack of standardization makes log parsing inefficient: every source needs its own parser and its own idea of what a field is.
Since Windows is the primary operating system of most corporate environments, it’s crucial to understand how Windows Event Logs work, how they’re unique but limited, and how they can be improved with Sysmon.
Windows Event Logs – Overview
Windows events are written to channels. There are many channels, but three of them (the classic Windows Logs) are the ones normally collected:
Application logs hold events generated by applications and services installed on the system.
System logs hold events generated by Windows components themselves: drivers, services and the kernel.
Security logs hold the events produced by the system's audit policy: logons and logoffs, account management, object access, privilege use and changes to the audit policy itself. Nothing appears here unless the corresponding audit subcategory has been enabled.
Within a channel, every event carries an Event ID that identifies the event type. Event IDs are only unique per provider (the "Source" column in Event Viewer), so an ID is always read together with the provider that wrote it:
- Example: Event ID 1001 from Windows Error Reporting in the Application channel is an application crash report.
- Example: Event ID 158 from the disk source in the System channel is a disk driver warning (two disks with the same disk identifiers).
- Example: Event ID 4624 in the Security channel is a successful logon ("An account was successfully logged on").
Each event also carries a level that describes its severity:
- "Information" describes a successful operation.
- "Warning" indicates a condition that may become a problem.
- "Error" indicates a problem that exists now.
- "Critical" indicates a major problem that exists now, typically a failure the component could not recover from.
- "Verbose" is used for detailed tracing and is rarely collected.
Security channel events are the exception: they are all written at the Information level, and success or failure is expressed through the keywords "Audit Success" and "Audit Failure" instead.
Windows Event Logs – Unique but Limited
Windows is unique in how it logs events, for a few reasons:
- Logs are stored in a binary format with the extension ".evtx".
This means that the logs are not stored in plaintext and require a specific application to read them.
Typically this is the Windows Event Viewer, but it can also be a 3rd party agent, the built-in wevtutil command or PowerShell's Get-WinEvent cmdlet.
- Each event record has an XML representation
Every record renders as an <Event> element with a <System> part (provider, Event ID, level, keywords, time, computer) and an <EventData> part made of named <Data> fields. This means the logs are structured and can be parsed field by field, unlike the free-text message bodies of formats such as syslog.
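The channel, Event ID and level model above, and the XML structure of each record, are easiest to see in a query. The following is an added example (my own code, not from the article): Get-WinEvent filters a channel by Event ID or by level, and ToXml() exposes the System and EventData sections of each record so the named fields can be turned into objects. The function names are my own, the session is assumed to be elevated (the Security channel is not readable by standard users), and the optional -Path parameter points at an exported .evtx file of your choosing.

```powershell
# Added example, not part of the article. Run in an elevated PowerShell session.

function ConvertFrom-EventXml {
    # Every record in an .evtx file renders as XML:
    #   <Event><System>...</System><EventData><Data Name="...">value</Data>...</EventData></Event>
    # Flatten the named EventData fields into one object next to the System fields.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Record
    )
    process {
        [xml]$xml = $Record.ToXml()
        $obj = [ordered]@{
            TimeCreated = $Record.TimeCreated
            Channel     = $Record.LogName
            Provider    = $Record.ProviderName                      # Event IDs are only unique per provider
            EventID     = $Record.Id
            Level       = $Record.LevelDisplayName                  # Critical/Error/Warning/Information/Verbose
            Keywords    = ($Record.KeywordsDisplayNames -join ',')  # 'Audit Success'/'Audit Failure' for Security events
        }
        foreach ($d in @($xml.Event.EventData.Data)) {
            # Unnamed <Data> elements (legacy providers) are skipped; named ones become properties.
            if ($d -is [System.Xml.XmlElement]) {
                $name = $d.GetAttribute('Name')
                if ($name) { $obj[$name] = $d.InnerText }
            }
        }
        [pscustomobject]$obj
    }
}

function Get-LogonSummary {
    # Security Event ID 4624 = "An account was successfully logged on". Counts logons per LogonType
    # (2 interactive, 3 network, 10 RemoteInteractive/RDP, ...). -Path runs the same parser against
    # an exported .evtx file instead of the live channel.
    param([string]$Path, [int]$MaxEvents = 500)
    $filter = @{ Id = 4624 }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Security' }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents |
        ConvertFrom-EventXml |
        Group-Object LogonType |
        Select-Object @{ n = 'LogonType'; e = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

function Get-SystemProblems {
    # Level is numeric in a FilterHashtable: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2, 3 } -MaxEvents $MaxEvents |
        ConvertFrom-EventXml |
        Select-Object TimeCreated, Provider, EventID, Level
}

Get-LogonSummary
Get-SystemProblems
```

Get-WinEvent throws "No events were found" rather than returning nothing when a filter matches no records, so wrap the calls in try/catch if you script against channels that may be empty. Note that the same ConvertFrom-EventXml function works for any channel, because the System/EventData layout is common to every provider.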
Unfortunately, the default Windows Event logs lack the telemetry needed in a modern environment. Even process creation auditing (Security Event ID 4688) is off by default, and the process command line is only recorded if a second policy setting is enabled on top of it; there is no built-in record of remote thread creation, cross-process memory access, image loads or DNS queries at all.
With attack methods such as process injection and process hollowing, additional logging capabilities are needed to detect these attacks.
Endpoint Detection and Response (EDR) products generate the amount of telemetry needed to detect them, but these products are generally expensive.
- How do we log telemetry without purchasing an EDR solution?
- How can we apply filters to only log important events?
- How can we organize the logs into a structured format that is easy to parse?
The answer to these questions is Sysmon, a free tool from Microsoft's Sysinternals suite. Sysmon supplies the telemetry, not the detection: its events still have to be collected and matched against rules in a SIEM or a similar tool.
What is Sysmon?
“System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.” 
Sysmon provides granular logging that is simply not possible with the default channels.
At the time of writing Sysmon generates 26 event types, each with its own Event ID (the full table is in the Microsoft documentation linked at the end of this article).
A few of them show immediately what Sysmon adds to the Windows Event logs: Event ID 1 (process creation, including the full command line, hashes and parent process), 3 (network connection), 7 (image load), 8 (CreateRemoteThread) and 10 (process access) for the injection techniques mentioned above, 11 (file creation), 22 (DNS query) and 25 (process tampering, which covers process hollowing).
Sysmon logs its events to the channel Microsoft-Windows-Sysmon/Operational, which Event Viewer shows under:
Application and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational
Benefits of using Sysmon are:
- Built-in filtering through Sysmon configuration files, so noisy event types are trimmed before they are written
- Events land in the Windows event log like any other, with the same XML structure, so existing collectors and parsers work unchanged
- Built for endpoints and servers
- Free from Microsoft (although not officially supported)
- Flexible: rule groups, match conditions and per-event-type include/exclude lists allow customization for your own environment
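To show the filtering model from the benefits above in practice, here is an added example (my own code, not the article's and not the Sysmon project's own): a PowerShell script that writes a small Sysmon configuration, installs it or reloads it, and reads the resulting Event ID 1 records back from the Microsoft-Windows-Sysmon/Operational channel. The Sysmon64.exe and config paths are placeholders, the function names are my own, and the schemaversion in the configuration must not be newer than the schema the installed binary reports (Sysmon64.exe -s prints it).

```powershell
# Added example, not from the article or the Sysmon project. Assumes Sysmon64.exe was downloaded
# from the Sysinternals page; both paths are placeholders. Run elevated.

$SysmonExe  = 'C:\Tools\Sysmon64.exe'
$ConfigPath = 'C:\Tools\sysmonconfig.xml'

# Rules are grouped per event type.
#   onmatch="exclude": log every event of that type EXCEPT those matching a rule
#                      (an empty exclude block therefore logs everything of that type)
#   onmatch="include": log ONLY events matching a rule
#                      (an empty include block logs nothing of that type)
$sysmonConfig = @'
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 1, ProcessCreate: everything, minus one noisy image -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event ID 3, NetworkConnect: only connections made by scripting hosts -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="end with">\powershell.exe</Image>
        <Image condition="end with">\wscript.exe</Image>
        <Image condition="end with">\cscript.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <!-- Event ID 8, CreateRemoteThread: log all of them (classic injection telemetry) -->
    <RuleGroup name="" groupRelation="or">
      <CreateRemoteThread onmatch="exclude"></CreateRemoteThread>
    </RuleGroup>
    <!-- Event ID 10, ProcessAccess: only handles opened to LSASS -->
    <RuleGroup name="" groupRelation="or">
      <ProcessAccess onmatch="include">
        <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage>
      </ProcessAccess>
    </RuleGroup>
    <!-- Event ID 25, ProcessTampering: hollowing/herpaderping detections, log all -->
    <RuleGroup name="" groupRelation="or">
      <ProcessTampering onmatch="exclude"></ProcessTampering>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

function Install-Sysmon {
    # First-time install of the service and driver with the configuration above.
    $sysmonConfig | Set-Content -Path $ConfigPath -Encoding UTF8
    & $SysmonExe -accepteula -i $ConfigPath
}

function Update-SysmonConfig {
    # Reload a changed configuration in place; no reinstall and no reboot needed.
    $sysmonConfig | Set-Content -Path $ConfigPath -Encoding UTF8
    & $SysmonExe -c $ConfigPath
}

function Get-SysmonProcessCreate {
    # The XPath filter is evaluated by the event log service, so only Event ID 1 records are
    # returned; the named EventData fields are then read from each record's XML.
    param([int]$MaxEvents = 20)
    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]' -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = ($data | Where-Object Name -eq 'Image').'#text'
                CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
                ParentImage = ($data | Where-Object Name -eq 'ParentImage').'#text'
                User        = ($data | Where-Object Name -eq 'User').'#text'
            }
        }
}

Install-Sysmon
Get-SysmonProcessCreate | Format-Table -AutoSize -Wrap
```

The two include blocks are the ones to tune first: an include list only ever logs what it names, so a NetworkConnect rule like the one above will miss a connection from an unlisted binary entirely, while the exclude-based ProcessCreate block errs on the side of logging too much and is trimmed by adding exclusions as you learn what is normal in your environment.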
How do I get started?
Here are some helpful resources:
TrustedSec has a Sysmon Community Guide with plenty of information: https://github.com/trustedsec/SysmonCommunityGuide
SwiftOnSecurity created a Sysmon configuration that can be used as a baseline to customize in your own environment: https://github.com/SwiftOnSecurity/sysmon-config
Olaf Hartong created a Sysmon configuration file called “sysmon-modular” which maps logged events to the MITRE ATT&CK framework: https://github.com/olafhartong/sysmon-modular
Dark Operator created a Visual Studio code extension to help with writing custom Sysmon configuration files: https://github.com/darkoperator/vscode-sysmon
Finally, this page from Microsoft has the official download link, installation instructions and detailed information on Sysmon's capabilities and command-line usage: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
I hope this article helped give some insight into how Windows logging works, its limitations, and how it can be improved with Sysmon from Microsoft.
About the Author: Kevin Kipp is a Cyber Security Analyst II at Tokio Marine HCC. He currently holds multiple industry certifications, serves on the GIAC Advisory Board, volunteers for CSNP, and is a lifelong learner.