Sysmon/Sysmon64 not visible in metricbeats for sysmon version 15

Elastic Stack Beats
1

Hi there,

We are using the system module and metricsets process. I can see all the other CPU/memory metrics except the Sysmon.

Sysmon is completely missing in the output.

Here is my system.yml


- module: system
  period: 10s
  metricsets:
    - process
  processes: ["WmiPrvSE.exe" , "metricbeat.exe", "(i?)sysmon.*", "Sysmon.exe" , "Sysmon64.exe*"]
2

@shani_angarkadu

I am seeing the same behavior at the moment, I do not have an answer at this moment...

Of course you can install winlogbbeat to monitor events

3

Actually, we deployed agents to monitor system metrics and the winlog beat to get the sysmon events.

We want to know how much CPU is consumed by sysmon CPU process , so we can adjust the sysmon config.

4

Understood.

I do not have an answer as to why Sysmon does not show up. I do not see it either on my test. I asked internally, we will see if we get an answer.

5

@shani_angarkadu

Here is you answer ... I was about to guess that

Internal Question:

Internal : Hi Metrics / Windows peeps what am I missing can metricbeat -> system > processes not detect sysmon process. I have metricbeat set to collect all processess ... I see them Alll ... but I don't see Sysmon ... it is running... It is a special processs of something that can not be detected?

Answer

yes, it's (sysmon) is a protected process now (as of version 15) so it can not be monitored with normal methods. Perhaps osquery might be able to help, using the services table

1 Like
6

Hello,

This is unfortunately a known issue for some time. Please check and +1 Metricbeat fails to get information for some processes under Windows · Issue #17314 · elastic/beats · GitHub

Seems like very basic monitoring feature to be able to get CPU from important processes such as lsass, but also Sysmon, Defender, Elastic Agent etc.....

Best regards,

Willem

1 Like
7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.