Sysmon & Security Onion, Part 5: Sysmon Event Collection

This is part five of a series of posts that contain key excerpts of my paper, Using Sysmon to Enrich Security Onion’s Host-Level Capabilities.

Two different methods could be employed to collect the Sysmon events from the local client: one uses only OSSEC, the other is a hybrid architecture in which OSSEC and Windows Event Collection are used together.


One way to collect the Sysmon events from all installed clients would be to use the Host Intrusion Detection System (HIDS) that Security Onion includes, which is OSSEC. This architecture would include installing OSSEC on all servers and workstations and configuring it, through its Windows event channel option, to send Sysmon logs to Security Onion (Windows Eventchannel Example). If this were the only function OSSEC served, most organizations would be reluctant to deploy another client to their workstations and servers, especially when there are other, more efficient options for collecting the Sysmon data.


The architecture that the author has used and recommends is a hybrid model. This would include installing OSSEC only on servers, as there are typically other types of logs that need collection there as well. For workstations, the Windows Event Collector framework is recommended to gather all of the Sysmon logs onto a central Windows system (Helweg). With the logs all in one location, an OSSEC client can be installed on the collection server, where it processes all of the logs and ships them off to the Security Onion sensor. For offsite users, events can still be collected by making the collector server publicly available. Refer to the following diagram for what this particular architecture would look like:

[Figure: Hybrid Collection, diagram of the hybrid collection model]
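As an added example (not from the paper or from the OSSEC documentation), the two configuration fragments the hybrid model needs: a source-initiated Windows Event Collector subscription that forwards only the Sysmon operational channel into the collector's ForwardedEvents log, and the OSSEC agent.conf entry on that collector that reads the channel. The subscription name, description and the domain-computers SDDL are assumptions chosen for illustration.

```xml
<!-- sysmon-subscription.xml: import on the collector with
     "wecutil cs sysmon-subscription.xml" (constructed example) -->
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Sysmon-Workstations</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward Sysmon events from workstations to the collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <!-- MinLatency pushes events as they occur instead of batching them -->
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
          <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <!-- RenderedText keeps the message text that OSSEC's eventchannel reader sees -->
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <!-- Forwarded events land in this channel on the collector, where OSSEC reads them -->
  <LogFile>ForwardedEvents</LogFile>
  <!-- Assumed: allow every domain computer (SDDL granting Domain Computers) -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>

<!-- agent.conf fragment for the OSSEC agent installed on the collector server:
     read the forwarded Sysmon events and ship them to the Security Onion sensor -->
<agent_config>
  <localfile>
    <location>ForwardedEvents</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>
```

Workstations still need the Group Policy setting that points the event forwarding client at this collector; that setting is what makes a source-initiated subscription deliver anything.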


Now that the logs have been collected and shipped to the Security Onion sensor, they must be processed by both OSSEC and ELSA before the data can be used by either of those tools. Because Sysmon is relatively new, the author of this paper was required to write his own parsers for both ELSA and OSSEC to be able to pull out the relevant data contained in Sysmon events.


Windows Eventchannel Example. (n.d.). Retrieved February 22, 2015, from OSSEC Docs:

Helweg, O. (2008, July 8). Quick and Dirty Enterprise Eventing for Windows. Retrieved from TechNet:
