Sysmon XML configuration help

  • Question

  • We have a computer that is at least once a day going to a website that our security systems have deemed malicious.  We have run two different AV utilities to scan for the possible software, but both came back clean.  I want to configure Sysmon to log any information when the computer goes to the URL.   I have created the following XML file; however, I keep getting an error for line 3 column 25 when trying to install.  The o in onmatch is in that specified spot.

    <Sysmon schemaversion="4.21">
    	<EventFiltering>
    		<NetworkConnect onmatch="include">
    			<DestinationHostname "contains">yahoo.com</<DestinationHostname>
    		</NetworkConnect>	
    	</EventFiltering>
    </Sysmon>

    Any suggestions on what could be the issue?

    Monday, July 1, 2019 2:36 PM

All replies

  • did you try this other way?

    <Sysmon schemaversion="4.21">
    <EventFiltering>
    <NetworkConnect onmatch="include">
    <DestinationHostname condition="end with">yahoo.com</DestinationHostname>
    </NetworkConnect>
    </EventFiltering>
    </Sysmon>

    HTH
    -mario



    Monday, July 1, 2019 2:55 PM
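An added check, not from this thread or from Sysmon itself, that reproduces both outcomes above: it parses a Sysmon config with Python's xml.etree, reports the parse position for the original post's malformed rule, and validates the `onmatch` and `condition` attributes of the corrected one. The set of condition values and the RuleGroup layout are assumptions about schema 4.21.

```python
import xml.etree.ElementTree as ET

# Core Sysmon filter conditions. Assumed set for schema 4.21; the thread itself
# uses "contains" and "end with". Sysmon treats a missing condition as "is".
CONDITIONS = {"is", "is not", "contains", "excludes",
              "begin with", "end with", "less than", "more than", "image"}

def check_sysmon_config(xml_text):
    """Return a list of problems found in a Sysmon config (empty = looks valid)."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        line, col = exc.position  # 1-based line, 0-based column from expat
        problems.append(f"not well-formed XML at line {line}, column {col}: {exc}")
        return problems  # nothing else can be checked until the XML parses
    filtering = root.find("EventFiltering")
    if filtering is None:
        problems.append("missing <EventFiltering> element")
        return problems
    # Event filters sit directly under EventFiltering or inside a <RuleGroup>.
    for container in [filtering] + filtering.findall("RuleGroup"):
        for event in container:  # e.g. <NetworkConnect onmatch="include">
            if event.tag == "RuleGroup":
                continue
            if event.get("onmatch") not in ("include", "exclude"):
                problems.append(f'<{event.tag}> needs onmatch="include" or "exclude"')
            for rule in event:  # e.g. <DestinationHostname condition="end with">
                cond = rule.get("condition", "is")
                if cond not in CONDITIONS:
                    problems.append(f"<{rule.tag}> has unknown condition '{cond}'")
    return problems

# Constructed samples: the original post's config and the working reply's config.
BROKEN_CONFIG = """<Sysmon schemaversion="4.21">
  <EventFiltering>
    <NetworkConnect onmatch="include">
      <DestinationHostname "contains">yahoo.com</<DestinationHostname>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>"""

FIXED_CONFIG = BROKEN_CONFIG.replace(
    '<DestinationHostname "contains">yahoo.com</<DestinationHostname>',
    '<DestinationHostname condition="end with">yahoo.com</DestinationHostname>')

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_sysmon_config(cfg) or "OK")
```

Running it before `sysmon -c` catches the missing `condition=` attribute name and the stray `</<` long before Sysmon's own parser does, and the line/column it prints refers to the file you actually edit.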
  • That allowed the configuration to install; now I have a different issue.  When I look at the log I get an error: "Event Viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long. The operation completed successfully. (5)"  I am using the latest version from the website.

    I uninstalled and re-installed without the configuration folder, and received the same error.

    Edit: Never mind, I was not opening Event Viewer with admin rights.


    • Edited by Evers_mark Monday, July 1, 2019 3:36 PM
    Monday, July 1, 2019 3:35 PM