Sysmon product comparisons

The following sections describe the differences between versions 1.0.4 of the Add-on for Linux Sysmon and 1.0.0 of the Splunk Add-on for Sysmon for Linux. Note that the most significant difference is that version 1.0.0 of the Splunk Add-on has source set as journald:sysmon and sourcetype as sysmon:linux. while versions 1.0.4 of the Add-on for Linux Sysmon has source set as Syslog:Linux-Sysmon/Operational and sourcetype as sysmon_linux. See the following table for information in field changes between versions 1.0.4 of the Add-on for Linux Sysmon and 1.0.0 of the Splunk Add-on for Sysmon For Linux

Field mapping comparison for 1.0.4 of the Add-on for Linux Sysmon and 1.0.0 of the Splunk Add-on for Sysmon For Linux

Source type	EventCode	Fields added	Fields removed	Fields modified	1.0.4 extractions	1.0.0 extractions
sysmon:linux	1	dvc user_id	Level RecordID Task EventRecordID Version Opcode Channe EventCode EventChannel EventData_Xml process_hash System_Props_Xml	Guild Name ProcessID UserId Eventtype Original_file_name vendor_product	"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}" "Linux-Sysmon" "357197" "0" Linux-sysmon-process (process report) - Linux Sysmon	{ff032593-a8d3-4f13-b0d6-01fc615a0f97} Linux-Sysmon 357197 0 sysmon-linux-process (process report) touch Sysmon For Linux\|
sysmon:linux	3	user_id	Level src_host RecordID Task EventRecordID Version Opcode EventCode Channel EventChannel EventData_Xml System_Props_Xml	Guid Name ProcessID UserId Eventtype protocol src vendor_product	"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}" "Linux-Sysmon" "792" "0" linux-sysmon-network (communicate network) ip - Linux Sysmon	{ff032593-a8d3-4f13-b0d6-01fc615a0f97} Linux-Sysmon 792 0 linux-sysmon-network (communicate network) IP 127.0.0.1 Sysmon For Linux
sysmon:linux	4	dvc user process_id user_id	Level RecordID Task EventRecordID Opcode EventCode Channel EventChannel EventData_Xml System_Props_Xml	Guid Name ProcessID UserId Version Eventtype service service_name vendor_product	"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}" "Linux-Sysmon" "275293" "0" 3 1.0.2 linux-sysmon-service (report service) Sysmon Sysmon Linux Sysmon	{ff032593-a8d3-4f13-b0d6-01fc615a0f97} Linux-Sysmon 275293 0 1.0.2 sysmon-linux-service (report service) Linux-Sysmonx Linux-Sysmon Sysmon For Linux
sysmon:linux	5	dvc user_id	Level RecordID Task EventRecordID Version Opcode EventCode Channel EventChannel EventData_Xml System_Props_Xml	Guid Name ProcessID UserId Eventtype vendor_produ ct	"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}" "Linux-Sysmon" "357197" "0" linux-sysmon-process (process report) Linux Sysmon	{ff032593-a8d3-4f13-b0d6-01fc615a0f97} Linux-Sysmon 357197 0 sysmon-linux-process (process report) Sysmon For Linux
sysmon:linux	9	dvc user_id	Level RecordID Task EventRecordID Version Opcode EventCode Channel EventChannel EventData_Xml System_Props_Xml	Guid Name ProcessID UserId Eventtype vendor_product	"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}" "Linux-Sysmon" "357197" "0" linux-sysmon-process (process report) Linux Sysmon	{ff032593-a8d3-4f13-b0d6-01fc615a0f97} Linux-Sysmon 357197 0 sysmon-linux-process (process report) Sysmon For Linux
sysmon:linux	11	dvc user_id tag::object_category	Level RecordID Task EventRecordID Version Opcode EventCode Channel EventChannel EventData_Xml System_Props_Xml	Guid Name ProcessID UserId Eventtype object_category vendor_product	"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}" "Linux-Sysmon" "357197" "0" linux-sysmon-filemod (endpoint filesystem) file Linux Sysmon	{ff032593-a8d3-4f13-b0d6-01fc615a0f97} Linux-Sysmon 357197 0 sysmon-linux-filemod (endpoint filesystem) file (filesystem) Sysmon For Linux
sysmon:linux	16	file_path dvc user user_id	Level RecordID Task EventRecordID Version Opcode EventCode Channel EventChannel EventData_Xml System_Props_Xml	Guid Name ProcessID UserId Eventtype process_id service service_name vendor_product	"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}" "Linux-Sysmon" "275293" "0" linux-sysmon-service (report service) "275293" Sysmon Sysmon Linux Sysmon	{ff032593-a8d3-4f13-b0d6-01fc615a0f97} Linux-Sysmon 275293 0 sysmon-linux-service (report service) "275293" Linux-Sysmon Linux-Sysmon Sysmon For Linux
sysmon:linux	23	dvc user_id tag::object_category	Level RecordID Task EventRecordID Version Opcode file_hash EventCode Channel EventChannel EventData_Xml System_Props_Xml	Guid Name ProcessID UserId Eventtype object_category vendor_product	"{ff032593-a8d3-4f13-b0d6-01fc615a0f97}" "Linux-Sysmon" "357197" "0" linux-sysmon-filemod (endpoint filesystem) file Linux Sysmon	{ff032593-a8d3-4f13-b0d6-01fc615a0f97} Linux-Sysmon 357197 0 sysmon-linux-filemod (endpoint filesystem) file (filesystem) Sysmon For Linux

Assumptions:

Splunk Enterprise version: 9.0.1
Sysmon For Linux version: 1.0.2
Add-on for Linux Sysmon version: 1.0.4
Splunk Add-on for Sysmon For Linux version: 1.0.0
Input: Journald and File Monitoring

Initial environment configuration is a Splunk instance with the Splunk Add-on for Sysmon for Linux installed.

Splunk Add-on for Sysmon for Linux

Related Answers

Sysmon product comparisons

Comments