none
Sysmon 11.10 Not Logging All EventCode 3 Events RRS feed

  • Question

  • We recently upgraded a small test group from Sysmon 11.0 to Sysmon 11.10 to address the bugs discussed for 11.0. After upgrading,  we performed some basic testing to make sure the new features were working as expected. Some of the new features (specifically related to alternate data streams) seemed to work as expected. However, we noticed that Event Code 3 was no longer being logged (and files were not being copied-on-delete) as expected and determined by our configuration file.

    System Monitor v11.10 - System activity monitor

    Network connection missing

    OS:Microsoft Windows Server 2016 Datacenter 10.0.14393 暂缺 Build 14393

    Thursday, July 2, 2020 2:43 AM

All replies

  • also eventcode 15。。。
    • Edited by Aixic Thursday, July 2, 2020 6:07 AM
    Thursday, July 2, 2020 6:06 AM
  • So to confirm, you are not seeing any network connect (3) or file stream hashing (15) event?

    The copy on delete/ file delete logging problem is a known issue that Mark R. is currently working on but I wasn't aware of these other issues.

    Could you contact me offline at syssite@microsoft.com with a copy of your configuration file and I will look into it.

    MarkC(MSFT)

    Thursday, July 2, 2020 7:59 AM