Splunk® Supported Add-ons

Splunk Add-on for Sysmon for Linux

Sysmon product comparisons

The following sections describe the differences between versions 1.0.4 of the Add-on for Linux Sysmon and 1.0.0 of the Splunk Add-on for Sysmon for Linux. Note that the most significant difference is that version 1.0.0 of the Splunk Add-on has source set as journald:sysmon and sourcetype as sysmon:linux. while versions 1.0.4 of the Add-on for Linux Sysmon has source set as Syslog:Linux-Sysmon/Operational and sourcetype as sysmon_linux. See the following table for information in field changes between versions 1.0.4 of the Add-on for Linux Sysmon and 1.0.0 of the Splunk Add-on for Sysmon For Linux

Field mapping comparison for 1.0.4 of the Add-on for Linux Sysmon and 1.0.0 of the Splunk Add-on for Sysmon For Linux

Source type EventCode Fields added Fields removed Fields modified 1.0.4 extractions 1.0.0 extractions
sysmon:linux 1 dvc

user_id

Level

RecordID
Task
EventRecordID
Version
Opcode
Channe
EventCode
EventChannel
EventData_Xml
process_hash
System_Props_Xml

 Guild

Name
ProcessID
UserId
Eventtype
Original_file_name
vendor_product

 "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"

"Linux-Sysmon"
"357197"
"0"
Linux-sysmon-process (process report)
-
Linux Sysmon

 {ff032593-a8d3-4f13-b0d6-01fc615a0f97}

Linux-Sysmon
357197
0
sysmon-linux-process (process report)
touch
Sysmon For Linux|

sysmon:linux
 3
 user_id
 Level

src_host
RecordID
Task
EventRecordID
Version
Opcode
EventCode
Channel
EventChannel
EventData_Xml
System_Props_Xml

 Guid

Name
ProcessID
UserId
Eventtype
protocol
src
vendor_product

 "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"

"Linux-Sysmon"
"792"
"0"
linux-sysmon-network (communicate network)
ip
-
Linux Sysmon

 {ff032593-a8d3-4f13-b0d6-01fc615a0f97}

Linux-Sysmon
792
0
linux-sysmon-network (communicate network)
IP
127.0.0.1
Sysmon For Linux

sysmon:linux 4 dvc

user
process_id
user_id

 Level

RecordID
Task
EventRecordID
Opcode
EventCode
Channel
EventChannel
EventData_Xml
System_Props_Xml

 Guid

Name
ProcessID
UserId
Version
Eventtype
service
service_name
vendor_product

 "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"

"Linux-Sysmon"
"275293"
"0"
3
1.0.2
linux-sysmon-service (report service)
Sysmon
Sysmon
Linux Sysmon

 {ff032593-a8d3-4f13-b0d6-01fc615a0f97}

Linux-Sysmon
275293
0
1.0.2
sysmon-linux-service (report service)
Linux-Sysmonx
Linux-Sysmon
Sysmon For Linux

sysmon:linux 5 dvc

user_id

 Level

RecordID
Task
EventRecordID
Version
Opcode
EventCode
Channel
EventChannel
EventData_Xml
System_Props_Xml

 Guid

Name
ProcessID
UserId
Eventtype
vendor_produ
ct

"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"

"Linux-Sysmon"
"357197"
"0"
linux-sysmon-process (process report)
Linux Sysmon

 {ff032593-a8d3-4f13-b0d6-01fc615a0f97}

Linux-Sysmon
357197
0
sysmon-linux-process (process report)
Sysmon For Linux

sysmon:linux 9 dvc

user_id

 Level

RecordID
Task
EventRecordID
Version
Opcode
EventCode
Channel
EventChannel
EventData_Xml
System_Props_Xml

 Guid

Name
ProcessID
UserId
Eventtype
vendor_product

 "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"

"Linux-Sysmon"
"357197"
"0"
linux-sysmon-process (process report)
Linux Sysmon

 {ff032593-a8d3-4f13-b0d6-01fc615a0f97}

Linux-Sysmon
357197
0
sysmon-linux-process (process report)
Sysmon For Linux

sysmon:linux 11 dvc

user_id
tag::object_category

 Level

RecordID
Task
EventRecordID
Version
Opcode
EventCode
Channel
EventChannel
EventData_Xml
System_Props_Xml

 Guid

Name
ProcessID
UserId
Eventtype
object_category
vendor_product

 "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"

"Linux-Sysmon"
"357197"
"0"
linux-sysmon-filemod (endpoint filesystem)
file
Linux Sysmon

 {ff032593-a8d3-4f13-b0d6-01fc615a0f97}

Linux-Sysmon
357197
0
sysmon-linux-filemod (endpoint filesystem)
file (filesystem)
Sysmon For Linux

sysmon:linux 16 file_path

dvc
user
user_id

 Level

RecordID
Task
EventRecordID
Version
Opcode
EventCode
Channel
EventChannel
EventData_Xml
System_Props_Xml

 Guid

Name
ProcessID
UserId
Eventtype
process_id
service
service_name
vendor_product

 "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"

"Linux-Sysmon"
"275293"
"0"
linux-sysmon-service (report service)
"275293"
Sysmon
Sysmon
Linux Sysmon

 {ff032593-a8d3-4f13-b0d6-01fc615a0f97}

Linux-Sysmon
275293
0
sysmon-linux-service (report service)
"275293"
Linux-Sysmon
Linux-Sysmon
Sysmon For Linux

sysmon:linux 23 dvc

user_id
tag::object_category

 Level

RecordID
Task
EventRecordID
Version
Opcode
file_hash
EventCode
Channel
EventChannel
EventData_Xml
System_Props_Xml

 Guid

Name
ProcessID
UserId
Eventtype
object_category
vendor_product

 "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"

"Linux-Sysmon"
"357197"
"0"
linux-sysmon-filemod (endpoint filesystem)
file
Linux Sysmon

 {ff032593-a8d3-4f13-b0d6-01fc615a0f97}

Linux-Sysmon
357197
0
sysmon-linux-filemod (endpoint filesystem)
file (filesystem)
Sysmon For Linux

Assumptions:

  • Splunk Enterprise version: 9.0.1
  • Sysmon For Linux version: 1.0.2
  • Add-on for Linux Sysmon version: 1.0.4
  • Splunk Add-on for Sysmon For Linux version: 1.0.0
  • Input: Journald and File Monitoring


Initial environment configuration is a Splunk instance with the Splunk Add-on for Sysmon for Linux installed.

Last modified on 12 December, 2022
Troubleshoot the Splunk Add-on for Sysmon For Linux   Source types for the Splunk Add-on for Sysmon for Linux

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters