{"id":11068,"date":"2022-04-01T13:45:33","date_gmt":"2022-04-01T04:45:33","guid":{"rendered":"https:\/\/www.secuavail.com\/kb\/?p=11068"},"modified":"2024-04-02T15:52:01","modified_gmt":"2024-04-02T06:52:01","slug":"sysmonforlinux-ubuntu-almalinux","status":"publish","type":"post","link":"https:\/\/www.secuavail.com\/kb\/windows-linux\/sysmonforlinux-ubuntu-almalinux\/","title":{"rendered":"Installing SysmonForLinux on Ubuntu and AlmaLinux and collecting its logs"},"content":{"rendered":"<p>This time we use SysmonForLinux, the Linux version of Sysmon (a tool that monitors and logs Windows events such as process creation, network connections and file operations), and collect the logs Sysmon produces on Linux devices with our product, LogStare Collector.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"SysmonForLinux%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6\"><\/span>About SysmonForLinux<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>While SysmonForLinux is running, the events it observes are written to \/var\/log\/syslog.<\/p>\n<p>It uses the SysinternalsEBPF library internally, so that library must be installed as well.<\/p>\n<p>SysinternalsEBPF collects information from file descriptors and sockets and provides it to SysmonForLinux.<\/p>\n<p>Note: for the technical details, see the <a href=\"https:\/\/www.kernel.org\/doc\/html\/latest\/bpf\/index.html\" target=\"_blank\" rel=\"noopener\">BPF section of the Linux kernel documentation<\/a> and the material on eBPF (Extended Berkeley Packet Filter).<\/p>\n<h2><span class=\"ez-toc-section\" id=\"%E3%82%B5%E3%83%BC%E3%83%90%E6%A7%8B%E6%88%90%E3%81%A8%E6%A7%8B%E6%88%90%E5%9B%B3\"><\/span>Server configuration and diagram<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li>Monitored device 1 (Ubuntu)<\/li>\n<li>Monitored device 2 (AlmaLinux)<\/li>\n<li>Log collection and monitoring server: LogStare Collector<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11073\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/SysmonLinux-Ubuntu-AlmaLinux-kousei.png\" alt=\"SysmonLinux-Ubuntu-AlmaLinux configuration diagram\" width=\"580\" height=\"188\" 
srcset=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/SysmonLinux-Ubuntu-AlmaLinux-kousei.png 580w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/SysmonLinux-Ubuntu-AlmaLinux-kousei-300x97.png 300w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Ubuntu_2004_%E3%81%BE%E3%81%9F%E3%81%AF_1804\"><\/span>Ubuntu 20.04 or 18.04<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The release actually used was Ubuntu Server 20.04.3 LTS. The same steps also worked on Ubuntu 18.04.6 LTS.<\/p>\n<p>The image file Ubuntu-20.04.3-live-server-amd64.iso can be downloaded from https:\/\/jp.ubuntu.com\/download.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"SysmonForLinux%E3%81%AE%E3%82%A4%E3%83%B3%E3%82%B9%E3%83%88%E3%83%BC%E3%83%AB\"><\/span>Installing SysmonForLinux<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Download the deb file and run the command that registers it.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ wget -q https:\/\/packages.microsoft.com\/config\/ubuntu\/$(lsb_release -rs)\/packages-microsoft-prod.deb -O packages-microsoft-prod.deb\r\n$ sudo dpkg -i packages-microsoft-prod.deb<\/pre>\n<p>Install the SysinternalsEBPF library and SysmonForLinux.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo apt-get update\r\n$ sudo apt-get install sysinternalsebpf\r\n$ sudo apt-get install sysmonforlinux<\/pre>\n<h3><span class=\"ez-toc-section\" 
id=\"SysmonForLinux%E3%81%AE%E5%AE%9F%E8%A1%8C\"><\/span>Running SysmonForLinux<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Install and start SysmonForLinux with the following command. If no XML configuration file (described later) is given after the -i option, Sysmon starts with its default configuration, in which all events are logged without filtering.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo sysmon -accepteula -i<\/pre>\n<p>Confirm that logs are being written.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo tail -f \/var\/log\/syslog<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Syslog%E3%81%AE%E8%BB%A2%E9%80%81\"><\/span>Forwarding syslog<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>To forward the logs to LogStare Collector, append the following line to \/etc\/rsyslog.conf.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">*.* @192.168.56.122:514<\/pre>\n<p>Note: 192.168.56.122 is the IP address of the LogStare Collector server that receives the logs. Change it to match your environment.<\/p>\n<p>Restart rsyslog.service.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo systemctl restart rsyslog.service<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"AlmaLinux85\"><\/span>AlmaLinux 8.5<span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>On AlmaLinux 8.5, whether because the kernel version is unsupported or because it was not detected correctly, SysmonForLinux tries to load objects built for an older kernel, so the kernel also has to be upgraded.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Syslog%E3%81%AE%E8%A8%AD%E5%AE%9A\"><\/span>Syslog configuration<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>A fresh AlmaLinux 8.5 installation has no configuration that writes to \/var\/log\/syslog.<\/p>\n<p>Since the logs also need to be forwarded to LogStare Collector, append both the \/var\/log\/syslog output rule and the forwarding rule to \/etc\/rsyslog.conf.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">*.*;auth,authpriv.none -\/var\/log\/syslog\r\n*.* @192.168.56.122:514<\/pre>\n<p>Restart rsyslog.service.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo systemctl restart rsyslog.service<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"SysmonForLinux%E3%81%AE%E3%82%A4%E3%83%B3%E3%82%B9%E3%83%88%E3%83%BC%E3%83%AB-2\"><\/span>Installing SysmonForLinux<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>There is no AlmaLinux-specific package, so the CentOS one is used instead.<\/p>\n<pre 
class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo rpm -Uvh https:\/\/packages.microsoft.com\/config\/centos\/8\/packages-microsoft-prod.rpm\r\n$ sudo yum install sysinternalsebpf\r\n$ sudo yum install sysmonforlinux<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"SysmonForLinux%E3%81%AE%E5%AE%9F%E8%A1%8C-2\"><\/span>Running SysmonForLinux<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Install and start SysmonForLinux with the following command. If no XML configuration file (described later) is given after the -i option, Sysmon starts with its default configuration, in which all events are logged without filtering.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo sysmon -accepteula -i<\/pre>\n<p>Because the objects Sysmon references were built for a different kernel version, errors are written to the log.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo tail -f \/var\/log\/syslog<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"%E3%82%AB%E3%83%BC%E3%83%8D%E3%83%AB%E3%81%AE%E3%83%90%E3%83%BC%E3%82%B8%E3%83%A7%E3%83%B3%E3%82%A2%E3%83%83%E3%83%97\"><\/span>Upgrading the kernel<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Register the repository and install its release package.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo rpm --import https:\/\/www.elrepo.org\/RPM-GPG-KEY-elrepo.org\r\n$ sudo yum 
install https:\/\/www.elrepo.org\/elrepo-release-8.el8.elrepo.noarch.rpm<\/pre>\n<p>Here kernel 5.4.177-1 is selected and installed, and the system is rebooted.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo yum --enablerepo=elrepo-kernel install kernel-lt kernel-lt-devel kernel-lt-headers\r\n$ sudo reboot<\/pre>\n<p>Confirm that the kernel has been upgraded.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo uname -a\r\nLinux ubuntu 5.4.0-97-generic #110-Ubuntu SMP Thu Jan 13 18:22:13 UTC 2022 x86_64 x86_64 x86_64 GNU\/Linux<\/pre>\n<p>Check again whether Sysmon logs are now being recorded.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo tail -f \/var\/log\/syslog<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"SysmonForLinux%E3%81%AEXML%E8%A8%AD%E5%AE%9A%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6\"><\/span>About the SysmonForLinux XML configuration file<span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The configuration file is \/opt\/sysmon\/config.xml; whenever the configuration is changed, this file is updated.<\/p>\n<p>There are 27 event types in total (26 event types plus one error type), and by default file-creation events were not logged.<\/p>\n<p>Since we also want to monitor file creation here, create the following config.xml. The empty FileCreate rule with onmatch=\"exclude\" excludes nothing, so every FileCreate event is logged.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">&lt;Sysmon schemaversion=\"4.81\"&gt;\r\n  &lt;EventFiltering&gt;\r\n    &lt;RuleGroup name=\"\" groupRelation=\"or\"&gt;\r\n      &lt;FileCreate onmatch=\"exclude\"&gt;\r\n      &lt;\/FileCreate&gt;\r\n    &lt;\/RuleGroup&gt;\r\n  &lt;\/EventFiltering&gt;\r\n&lt;\/Sysmon&gt;<\/pre>\n<p>Apply the XML file just created with the following command, so that file-creation events are collected as well.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo sysmon -c config.xml<\/pre>\n<p>To return to the default configuration, reset it with the following command.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo sysmon 
-c --<\/pre>\n<p>The SysmonForLinux event types are listed below.<\/p>\n<table style=\"border-collapse: collapse; width: 100%;\">\n<tbody>\n<tr>\n<td><strong>ID<\/strong><\/td>\n<td><strong>Event name<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>255<\/td>\n<td>SYSMONEVENT_ERROR<\/td>\n<td>Error<\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>SYSMONEVENT_CREATE_PROCESS<\/td>\n<td>Process creation<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>SYSMONEVENT_FILE_TIME<\/td>\n<td>A process changed a file creation time<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>SYSMONEVENT_NETWORK_CONNECT<\/td>\n<td>Network connection<\/td>\n<\/tr>\n<tr>\n<td>4<\/td>\n<td>SYSMONEVENT_SERVICE_STATE_CHANGE<\/td>\n<td>Sysmon service state changed<\/td>\n<\/tr>\n<tr>\n<td>5<\/td>\n<td>SYSMONEVENT_PROCESS_TERMINATE<\/td>\n<td>Process terminated<\/td>\n<\/tr>\n<tr>\n<td>6<\/td>\n<td>SYSMONEVENT_DRIVER_LOAD<\/td>\n<td>Driver loaded<\/td>\n<\/tr>\n<tr>\n<td>7<\/td>\n<td>SYSMONEVENT_IMAGE_LOAD<\/td>\n<td>Image loaded<\/td>\n<\/tr>\n<tr>\n<td>8<\/td>\n<td>SYSMONEVENT_CREATE_REMOTE_THREAD<\/td>\n<td>CreateRemoteThread<\/td>\n<\/tr>\n<tr>\n<td>9<\/td>\n<td>SYSMONEVENT_RAWACCESS_READ<\/td>\n<td>RawAccessRead<\/td>\n<\/tr>\n<tr>\n<td>10<\/td>\n<td>SYSMONEVENT_ACCESS_PROCESS<\/td>\n<td>ProcessAccess<\/td>\n<\/tr>\n<tr>\n<td>11<\/td>\n<td>SYSMONEVENT_FILE_CREATE<\/td>\n<td>FileCreate<\/td>\n<\/tr>\n<tr>\n<td>12<\/td>\n<td>SYSMONEVENT_REG_KEY<\/td>\n<td>RegistryEvent (object create and delete)<\/td>\n<\/tr>\n<tr>\n<td>13<\/td>\n<td>SYSMONEVENT_REG_SETVALUE<\/td>\n<td>RegistryEvent (value set)<\/td>\n<\/tr>\n<tr>\n<td>14<\/td>\n<td>SYSMONEVENT_REG_NAME<\/td>\n<td>RegistryEvent (key and value rename)<\/td>\n<\/tr>\n<tr>\n<td>15<\/td>\n<td>SYSMONEVENT_FILE_CREATE_STREAM_HASH<\/td>\n<td>FileCreateStreamHash<\/td>\n<\/tr>\n<tr>\n<td>16<\/td>\n<td>SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE<\/td>\n<td>ServiceConfigurationChange<\/td>\n<\/tr>\n<tr>\n<td>17<\/td>\n<td>SYSMONEVENT_CREATE_NAMEDPIPE<\/td>\n<td>PipeEvent (pipe created)<\/td>\n<\/tr>\n<tr>\n<td>18<\/td>\n<td>SYSMONEVENT_CONNECT_NAMEDPIPE<\/td>\n<td>PipeEvent (pipe connected)<\/td>\n<\/tr>\n<tr>\n<td>19<\/td>\n<td>SYSMONEVENT_WMI_FILTER<\/td>\n<td>WmiEvent (WmiEventFilter activity detected)<\/td>\n<\/tr>\n<tr>\n<td>20<\/td>\n<td>SYSMONEVENT_WMI_CONSUMER<\/td>\n<td>WmiEvent (WmiEventConsumer activity detected)<\/td>\n<\/tr>\n<tr>\n<td>21<\/td>\n<td>SYSMONEVENT_WMI_BINDING<\/td>\n<td>WmiEvent (WmiEventConsumerToFilter activity detected)<\/td>\n<\/tr>\n<tr>\n<td>22<\/td>\n<td>SYSMONEVENT_DNS_QUERY<\/td>\n<td>DNSEvent (DNS query)<\/td>\n<\/tr>\n<tr>\n<td>23<\/td>\n<td>SYSMONEVENT_FILE_DELETE<\/td>\n<td>FileDelete (file delete archived)<\/td>\n<\/tr>\n<tr>\n<td>24<\/td>\n<td>SYSMONEVENT_CLIPBOARD<\/td>\n<td>ClipboardChange (new content in the clipboard)<\/td>\n<\/tr>\n<tr>\n<td>25<\/td>\n<td>SYSMONEVENT_PROCESS_IMAGE_TAMPERING<\/td>\n<td>ProcessTampering (process image change)<\/td>\n<\/tr>\n<tr>\n<td>26<\/td>\n<td>SYSMONEVENT_FILE_DELETE_DETECTED<\/td>\n<td>FileDeleteDetected (file delete logged)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The available event types can be listed with the following command.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo sysmon -s<\/pre>\n<p>The following extracts only the event names from that output.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo sysmon -s | grep 'event name' | sed 's\/.*event name=\\\"\\(.*\\)\\\" value=\\\"\\([0-9]*\\)[^0-9].*\/\\2\\t\\1\/'\r\n255 SYSMONEVENT_ERROR\r\n1 SYSMONEVENT_CREATE_PROCESS\r\n2 SYSMONEVENT_FILE_TIME\r\n3 SYSMONEVENT_NETWORK_CONNECT\r\n4 SYSMONEVENT_SERVICE_STATE_CHANGE\r\n5 SYSMONEVENT_PROCESS_TERMINATE\r\n6 SYSMONEVENT_DRIVER_LOAD\r\n7 SYSMONEVENT_IMAGE_LOAD\r\n8 SYSMONEVENT_CREATE_REMOTE_THREAD\r\n9 SYSMONEVENT_RAWACCESS_READ\r\n10 SYSMONEVENT_ACCESS_PROCESS\r\n11 SYSMONEVENT_FILE_CREATE\r\n12 SYSMONEVENT_REG_KEY\r\n13 SYSMONEVENT_REG_SETVALUE\r\n14 SYSMONEVENT_REG_NAME\r\n15 SYSMONEVENT_FILE_CREATE_STREAM_HASH\r\n16 SYSMONEVENT_SERVICE_CONFIGURATION_CHANGE\r\n17 SYSMONEVENT_CREATE_NAMEDPIPE\r\n18 SYSMONEVENT_CONNECT_NAMEDPIPE\r\n19 SYSMONEVENT_WMI_FILTER\r\n20 SYSMONEVENT_WMI_CONSUMER\r\n21 SYSMONEVENT_WMI_BINDING\r\n22 SYSMONEVENT_DNS_QUERY\r\n23 SYSMONEVENT_FILE_DELETE\r\n24 SYSMONEVENT_CLIPBOARD\r\n25 SYSMONEVENT_PROCESS_IMAGE_TAMPERING\r\n26 
SYSMONEVENT_FILE_DELETE_DETECTED<\/pre>\n<p>Note: for configuration details, refer to the manual and related documentation.<br \/>\n<a href=\"https:\/\/docs.microsoft.com\/ja-jp\/sysinternals\/downloads\/sysmon\" target=\"_blank\" rel=\"noopener\">Microsoft: Sysmon v13.33<\/a><\/p>\n<h2><span class=\"ez-toc-section\" id=\"LogStare_Collector%E3%81%AE%E8%A8%AD%E5%AE%9A\"><\/span>LogStare Collector settings<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>For how to install LogStare Collector, see the manuals below.<\/p>\n<p><a href=\"https:\/\/www.secuavail.com\/kb\/references\/ref-200812_01\/\">Installation guide (Linux version)<\/a><br \/>\n<a href=\"https:\/\/www.secuavail.com\/kb\/references\/ref-200820_01\/\">Installation guide (Windows version)<\/a><\/p>\n<p>Configure LogStare Collector so that it can receive the SysmonForLinux logs.<\/p>\n<p>This assumes the collector can receive UDP on port 514 and that the monitored devices are forwarding syslog to it. If firewalld is blocking the traffic, allow inbound UDP on port 514 with the following commands.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo firewall-cmd --add-port=514\/udp --permanent\r\n$ sudo firewall-cmd --reload<\/pre>\n<h3><span class=\"ez-toc-section\" 
id=\"%E3%82%BF%E3%82%A4%E3%83%A0%E3%82%BE%E3%83%BC%E3%83%B3%E3%81%AE%E7%A2%BA%E8%AA%8D\"><\/span>Checking the time zone<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Click the gear icon at the top left of the screen, then click \"Preferences\" in the menu.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11108\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image1-2.png\" alt=\"Click Preferences in the menu\" width=\"205\" height=\"304\" srcset=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image1-2.png 205w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image1-2-202x300.png 202w\" sizes=\"auto, (max-width: 205px) 100vw, 205px\" \/><\/p>\n<p>Confirm that the time zone on the Preferences screen is \"(UTC+09:00) Japan Standard Time\".<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11109\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image2-2.png\" alt=\"\" width=\"937\" height=\"244\" srcset=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image2-2.png 937w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image2-2-300x78.png 300w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image2-2-768x200.png 768w\" sizes=\"auto, (max-width: 937px) 100vw, 937px\" \/><\/p>\n<p>If it is not set to Japan time, LogStare 
Collector\u30b5\u30fc\u30d0\u3067\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3066\u3001\u30bf\u30a4\u30e0\u30be\u30fc\u30f3\u3092\u5909\u66f4\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">$ sudo timedatectl set-timezone Asia\/Tokyo<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"%E7%9B%A3%E8%A6%96%E5%AF%BE%E8%B1%A1%E3%83%87%E3%83%90%E3%82%A4%E3%82%B9%E3%81%AE%E8%BF%BD%E5%8A%A0\"><\/span>\u76e3\u8996\u5bfe\u8c61\u30c7\u30d0\u30a4\u30b9\u306e\u8ffd\u52a0<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u753b\u9762\u5de6\u4e0a\u30e1\u30cb\u30e5\u30fc\u306e\u30b9\u30d1\u30ca\u30a2\u30a4\u30b3\u30f3\u3092\u30af\u30ea\u30c3\u30af\u3057\u3066\u3001\u300c\u30c7\u30d0\u30a4\u30b9\u30fb\u30b0\u30eb\u30fc\u30d7\u300d\u3092\u30af\u30ea\u30c3\u30af\u3057\u307e\u3059\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11110\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image3-2.png\" alt=\"\" width=\"205\" height=\"218\" \/><\/p>\n<p>\u76e3\u8996\u30fb\u30ed\u30b0\u53ce\u96c6\u8a2d\u5b9a\u306e\u30c7\u30d0\u30a4\u30b9\u30fb\u30b0\u30eb\u30fc\u30d7\u753b\u9762\u304c\u958b\u3044\u305f\u3089\u3001<br \/>\n\u30c7\u30d0\u30a4\u30b9\u4e00\u89a7\u306e\u53f3\u4e0a\u306e\uff0b\u30dc\u30bf\u30f3\u3092\u30af\u30ea\u30c3\u30af\u3057\u307e\u3059\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11111\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image4-1.png\" alt=\"\" width=\"876\" height=\"206\" srcset=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image4-1.png 876w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image4-1-300x71.png 300w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image4-1-768x181.png 768w\" sizes=\"auto, (max-width: 876px) 100vw, 876px\" 
\/><\/p>\n<p>\u30c7\u30d0\u30a4\u30b9\u306e\u8ffd\u52a0\u30c0\u30a4\u30a2\u30ed\u30b0\u304c\u8868\u793a\u3055\u308c\u3001\u4efb\u610f\u306e\u300c\u30c7\u30d0\u30a4\u30b9\u540d\u300d\u3068\u3001\u76e3\u8996\u5bfe\u8c61\u306e\u300cIP\u30a2\u30c9\u30ec\u30b9\u300d\u3092\u5165\u529b\u3057\u3066\u3001\u4e0b\u90e8\u306e\u8ffd\u52a0\u30dc\u30bf\u30f3\u3092\u30af\u30ea\u30c3\u30af\u3059\u308b\u3068\u3001\u76e3\u8996\u5bfe\u8c61\u306e\u30c7\u30d0\u30a4\u30b9\u304c\u8ffd\u52a0\u3055\u308c\u307e\u3059\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11112\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image5-1.png\" alt=\"\" width=\"563\" height=\"528\" srcset=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image5-1.png 563w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image5-1-300x281.png 300w\" sizes=\"auto, (max-width: 563px) 100vw, 563px\" \/><\/p>\n<h3><span class=\"ez-toc-section\" id=\"%E7%9B%A3%E8%A6%96%E5%AF%BE%E8%B1%A1%E3%83%87%E3%83%90%E3%82%A4%E3%82%B9%E3%81%AESYSLOG%E5%8F%8E%E9%9B%86%E3%82%92%E3%81%A7%E3%81%8D%E3%82%8B%E3%82%88%E3%81%86%E3%81%AB%E3%81%99%E3%82%8B\"><\/span>\u76e3\u8996\u5bfe\u8c61\u30c7\u30d0\u30a4\u30b9\u306eSYSLOG\u53ce\u96c6\u3092\u3067\u304d\u308b\u3088\u3046\u306b\u3059\u308b<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u30c7\u30d0\u30a4\u30b9\u304c\u8ffd\u52a0\u3055\u308c\u305f\u3089\u3001\u2460\u300c\u76e3\u8996\u30fb\u53ce\u96c6\u300d\u3092\u30af\u30ea\u30c3\u30af\u3057\u3066\u3001\u8ffd\u52a0\u3057\u305f\u30c7\u30d0\u30a4\u30b9\u3092\u2461\u300cSysmonOnAlmaLinux\u300d\u30af\u30ea\u30c3\u30af\u3057\u3066\u9078\u629e\u3057\u307e\u3059\u3002\u2462\u300c\uff0b\u300d\u30dc\u30bf\u30f3\u3092\u30af\u30ea\u30c3\u30af\u3057\u3066\u3001\u76e3\u8996\u30fb\u53ce\u96c6\u8ffd\u52a0\u30c0\u30a4\u30a2\u30ed\u30b0\u3092\u958b\u304d\u307e\u3059\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full 
wp-image-11113\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image6-1.png\" alt=\"\" width=\"861\" height=\"230\" srcset=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image6-1.png 861w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image6-1-300x80.png 300w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image6-1-768x205.png 768w\" sizes=\"auto, (max-width: 861px) 100vw, 861px\" \/><\/p>\n<p>\u30e9\u30b8\u30aa\u30dc\u30bf\u30f3\u306e\u53ce\u96c6\u3092\u30af\u30ea\u30c3\u30af\u3057\u3066\u3001\u30ed\u30b0\u53ce\u96c6\u65b9\u5f0f\u3092\u9078\u629e\u3057\u3066\u304f\u3060\u3055\u3044\u30bb\u30ec\u30af\u30bf\u304b\u3089\u300cSYSLOG\u53ce\u96c6\u300d\u3092\u9078\u629e\u3057\u307e\u3059\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11114\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image7-1.png\" alt=\"\" width=\"533\" height=\"626\" srcset=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image7-1.png 533w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image7-1-255x300.png 255w\" sizes=\"auto, (max-width: 533px) 100vw, 533px\" 
\/><\/p>\n<p>SYSLOG\u53ce\u96c6\u7528\u306e\u5165\u529b\u9805\u76ee\u304c\u8ffd\u52a0\u3055\u308c\u307e\u3059\u306e\u3067\u3001\u300c\u30c7\u30d0\u30a4\u30b9\u30fb\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u7a2e\u985e\u300d\u306b\u4efb\u610f\u306e\u540d\u524d\u3092\u5165\u529b\u3057\u307e\u3059\u3002<\/p>\n<p>\u6b21\u306b\u300c\u30d5\u30a1\u30b7\u30ea\u30c6\u30a3\u300d\u3068\u300c\u30d7\u30e9\u30a4\u30aa\u30ea\u30c6\u30a3\u300d\u306e\u300c\u5168\u3066\u9078\u629e\/\u89e3\u9664\u300d\u30dc\u30bf\u30f3\u3092\u30af\u30ea\u30c3\u30af\u3057\u3066\u9805\u76ee\u3059\u3079\u3066\u3092\u30c1\u30a7\u30c3\u30af\u72b6\u614b\u306b\u3057\u307e\u3059\u3002<\/p>\n<p>\u4e0b\u90e8\u306e\u8ffd\u52a0\u30dc\u30bf\u30f3\u3092\u30af\u30ea\u30c3\u30af\u3059\u308b\u3068\u3001\u76e3\u8996\u5bfe\u8c61\u30c7\u30d0\u30a4\u30b9\u306eSYSLOG\u3092\u53ce\u96c6\u3059\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11115\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image8-1.png\" alt=\"\" width=\"533\" height=\"626\" srcset=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image8-1.png 533w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image8-1-255x300.png 255w\" sizes=\"auto, (max-width: 533px) 100vw, 533px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"LogStare_Collector%E3%81%8B%E3%82%89%E3%81%AE%E3%83%AD%E3%82%B0%E5%8F%96%E5%BE%97%E4%BE%8B\"><\/span>LogStare Collector\u304b\u3089\u306e\u30ed\u30b0\u53d6\u5f97\u4f8b<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u3088\u304f\u3042\u308b\u30d0\u30c3\u30c1\u51e6\u7406\u306e\u4ed5\u69d8\u306f\u4ee5\u4e0b\u306e\u3068\u304a\u308a\u3068\u3057\u307e\u3059\u3002<\/p>\n<table style=\"border-collapse: collapse; width: 100%;\">\n<tbody>\n<tr>\n<td style=\"width: 
100%;\">\n<ul>\n<li>\u30d0\u30c3\u30c1\u51e6\u7406\u3092\u884c\u3046awk\u30d5\u30a1\u30a4\u30eb\u540d\u306fcalc.awk<\/li>\n<li>input_YYYYMMDD.csv\u30d5\u30a1\u30a4\u30eb\u306b\u5bfe\u3057\u3066\u3001\u96c6\u8a08\u8a08\u7b97\u3092\u884c\u3044\u3001\u7d50\u679c\u3092summary_YYYYMMDD.csv\u3092\u51fa\u529b\u3059\u308b\u3002\u305f\u3060\u3057\u3001\u5b9f\u884c\u65e5\u4ee5\u5916\u306e\u65e5\u4ed8\u306f\u7121\u8996\u3059\u308b\u3002<\/li>\n<li>\u65e2\u77e5\u306e\u30a8\u30e9\u30fc\u304c\u767a\u751f\u3057\u305f\u5834\u5408\u306f\u3001error_YYYYMMDD.log\u30d5\u30a1\u30a4\u30eb\u306b\u30e1\u30c3\u30bb\u30fc\u30b8\u3092\u66f8\u304d\u8fbc\u307f\u3001\u51e6\u7406\u3092\u4e2d\u65ad\u3057\u3066\u7d42\u4e86\u3059\u308b\u3002<\/li>\n<li>\u5b9f\u884c\u51e6\u7406\u306b2\u6642\u9593\u7a0b\u5ea6\u304b\u304b\u308b\u3002<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3><span class=\"ez-toc-section\" id=\"%E3%83%90%E3%83%83%E3%83%81%E5%87%A6%E7%90%86%E3%81%AE%E8%B5%B7%E5%8B%95%E3%82%92%E7%A2%BA%E8%AA%8D%E3%81%99%E3%82%8B\"><\/span>\u30d0\u30c3\u30c1\u51e6\u7406\u306e\u8d77\u52d5\u3092\u78ba\u8a8d\u3059\u308b<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u5de6\u4e0a\u30e1\u30cb\u30e5\u30fc\u30a2\u30a4\u30b3\u30f3\u306e\u866b\u773c\u93e1\u306e\u4e0b\u306b\u3042\u308b\u7d19\u3092\u91cd\u306d\u305f\u30a2\u30a4\u30b3\u30f3\u3092\u30af\u30ea\u30c3\u30af\u3057\u3066\u3001\u300c\u691c\u7d22\u30fb\u30bf\u30a6\u30f3\u30ed\u30fc\u30c9\u300d\u3092\u30af\u30ea\u30c3\u30af\u3057\u307e\u3059\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11116\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image9-1.png\" alt=\"\" width=\"202\" height=\"159\" 
\/><\/p>\n<p>\u76e3\u8996\u5bfe\u8c61\u306e\u30c7\u30d0\u30a4\u30b9\u3092\u30af\u30ea\u30c3\u30af\u3057\u3066\u5c55\u958b\u3057\u3001\u30d5\u30a9\u30eb\u30c0\u30a2\u30a4\u30b3\u30f3\u306e\u300cSYSLOG-sysmon\u300d\u3092\u30af\u30ea\u30c3\u30af\u3057\u3066\u691c\u7d22\u5bfe\u8c61\u306b\u8a2d\u5b9a\u3057\u307e\u3059\u3002\uff08\u203b\u8a2d\u5b9a\u3057\u305f\u30c7\u30d0\u30a4\u30b9\u30fb\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u7a2e\u985e\u540d\u306b\u3088\u3063\u3066\u5909\u308f\u308a\u307e\u3059\uff09<\/p>\n<p>\u753b\u9762\u4e0a\u90e8\u306e\u691c\u7d22\u671f\u9593\u3092\u30af\u30ea\u30c3\u30af\u3059\u308b\u3068\u3001\u65e5\u4ed8\u5165\u529b\u30dd\u30c3\u30d7\u30a2\u30c3\u30d7\u304c\u8868\u793a\u3055\u308c\u307e\u3059\u3002\u30d0\u30c3\u30c1\u51e6\u7406\u306a\u306e\u3067\u3001\u300c\u4eca\u65e5\u300d\u3084\u300c\u6628\u65e5\u300d\u3092\u8a2d\u5b9a\u3059\u308b\u304b\u3001\u6570\u65e5\u524d\u3067\u3042\u308c\u3070\u300c\u81ea\u5206\u3067\u8a2d\u5b9a\u300d\u3067\u691c\u7d22\u3057\u305f\u3044\u671f\u9593\u306b\u8a2d\u5b9a\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<p>\u691c\u7d22\u671f\u9593\u6a2a\u306b\u3042\u308b\u3001\u691c\u7d22\u30ad\u30fc\u30ef\u30fc\u30c9\u3092\u9069\u5207\u306a\u3082\u306e\uff08\u4eca\u56de\u306fcalc.awk\uff09\u306b\u8a2d\u5b9a\u3057\u3001\u691c\u7d22\u30dc\u30bf\u30f3\u3092\u30af\u30ea\u30c3\u30af\u3057\u307e\u3059\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11117\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image10-1.png\" alt=\"\" width=\"1086\" height=\"480\" srcset=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image10-1.png 1086w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image10-1-300x133.png 300w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image10-1-1024x453.png 1024w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image10-1-768x339.png 768w\" sizes=\"auto, (max-width: 
1086px) 100vw, 1086px\" \/><\/p>\n<p>\u8a72\u5f53\u3059\u308b\u30ed\u30b0\u306e\u691c\u7d22\u7d50\u679c\u304c\u8868\u793a\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>\u5b9f\u969b\u306f\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u5165\u529b\u3057\u307e\u3057\u305f\u304c\u3001\u30ef\u30a4\u30eb\u30c9\u30ab\u30fc\u30c9\u306f\u5c55\u958b\u3055\u308c\u3066\u8a18\u9332\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\"># nohup awk -f clac.awk input_*.txt &amp;<\/pre>\n<p>SysmonForLinux\u306e\u30ed\u30b0\u5185\u5bb9\u306fUTC\u3067\u6253\u523b\u3055\u308c\u3066\u3044\u307e\u3059\u306e\u3067\u3001\u5de6\u90e8\u306b\u8868\u793a\u3055\u308c\u3066\u3044\u308bLogStare Collector\u304c\u53d7\u4fe1\u3057\u305f\u8d64\u4e38\u306e\u65e5\u6642\u3067\u78ba\u8a8d\u3057\u305f\u65b9\u304c\u78ba\u8a8d\u3057\u3084\u3059\u3044\u3067\u3059\u3002<\/p>\n<p>SysmonForLinux\u306e\u30a4\u30d9\u30f3\u30c8ID\u304c1\u3068\u306a\u3063\u3066\u3044\u3066\u3001\u30d0\u30c3\u30c1\u30d7\u30ed\u30b0\u30e9\u30e0\u306e\u8d77\u52d5\u3067\u30d7\u30ed\u30bb\u30b9\u304c\u4f5c\u6210\u3055\u308c\u305f\u3053\u3068\u304c\u78ba\u8a8d\u3067\u304d\u307e\u3057\u305f\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11118\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image11-1.png\" alt=\"\" width=\"1107\" height=\"537\" srcset=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image11-1.png 1107w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image11-1-300x146.png 300w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image11-1-1024x497.png 1024w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image11-1-768x373.png 768w\" sizes=\"auto, (max-width: 1107px) 100vw, 1107px\" \/><\/p>\n<h3><span class=\"ez-toc-section\" 
id=\"%E3%82%A8%E3%83%A9%E3%83%BC%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB%E3%81%8C%E5%87%BA%E5%8A%9B%E3%81%95%E3%82%8C%E3%81%A6%E3%81%84%E3%81%AA%E3%81%84%E3%81%8B%E7%A2%BA%E8%AA%8D%E3%81%99%E3%82%8B\"><\/span>\u30a8\u30e9\u30fc\u30d5\u30a1\u30a4\u30eb\u304c\u51fa\u529b\u3055\u308c\u3066\u3044\u306a\u3044\u304b\u78ba\u8a8d\u3059\u308b<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u691c\u7d22\u30ad\u30fc\u30ef\u30fc\u30c9\u306b\u30a8\u30e9\u30fc\u30d5\u30a1\u30a4\u30eb\u306e\u63a5\u982d\u8f9e\u300cerror_\u300d\u3092\u5165\u529b\u3057\u3066\u691c\u7d22\u3057\u307e\u3059\u3002<\/p>\n<p>\u300c\u30c7\u30fc\u30bf\u304c\u3042\u308a\u307e\u305b\u3093\u300d\u3068\u8868\u793a\u3055\u308c\u3001\u691c\u7d22\u7d50\u679c\u306b\u30d2\u30c3\u30c8\u3057\u3066\u3044\u306a\u3044\u306e\u3067\u3001\u30a8\u30e9\u30fc\u306f\u306a\u304b\u3063\u305f\u3068\u5224\u65ad\u3067\u304d\u307e\u3057\u305f\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11119\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image12-1.png\" alt=\"\" width=\"1086\" height=\"374\" srcset=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image12-1.png 1086w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image12-1-300x103.png 300w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image12-1-1024x353.png 1024w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image12-1-768x264.png 768w\" sizes=\"auto, (max-width: 1086px) 100vw, 1086px\" \/><\/p>\n<h3><span class=\"ez-toc-section\" id=\"%E3%83%90%E3%83%83%E3%83%81%E5%AE%9F%E8%A1%8C%E5%BE%8C%E3%81%AB%E7%B5%90%E6%9E%9C%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB%E3%81%8C%E5%87%BA%E5%8A%9B%E3%81%95%E3%82%8C%E3%81%A6%E3%81%84%E3%82%8B%E3%81%8B%E7%A2%BA%E8%AA%8D%E3%81%99%E3%82%8B\"><\/span>\u30d0\u30c3\u30c1\u5b9f\u884c\u5f8c\u306b\u7d50\u679c\u30d5\u30a1\u30a4\u30eb\u304c\u51fa\u529b\u3055\u308c\u3066\u3044\u308b\u304b\u78ba\u8a8d\u3059\u308b<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u691c\u7d22\u30ad\u30fc\u30ef\u30fc\u30c9\u306b\u96c6\u8a08\u30d5\u30a1\u30a4\u30eb\u306e\u63a5\u982d\u8f9e\u300csummary_\u300d\u3092\u5165\u529b\u3057\u3066\u691c\u7d22\u3057\u307e\u3059\u3002<\/p>\n<p>\u7d04\uff12\u6642\u9593\u5f8c\u306b\u30a4\u30d9\u30f3\u30c8ID\u304c11\u306e\u30d5\u30a1\u30a4\u30eb\u4f5c\u6210\u3055\u308c\u305f\u3068\u304d\u306b\u8a18\u9332\u3055\u308c\u308b\u30ed\u30b0\u3092\u691c\u7d22\u3067\u304d\u305f\u306e\u3067\u3001\u7121\u4e8b\u306b\u30d5\u30a1\u30a4\u30eb\u4f5c\u6210\u3067\u304d\u3066\u3044\u308b\u3053\u3068\u304c\u78ba\u8a8d\u3067\u304d\u307e\u3057\u305f\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11120\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image13-1.png\" alt=\"\" width=\"1124\" height=\"536\" srcset=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image13-1.png 1124w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image13-1-300x143.png 300w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image13-1-1024x488.png 1024w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2022\/03\/image13-1-768x366.png 768w\" sizes=\"auto, (max-width: 1124px) 100vw, 1124px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"LogStare_Collector%E3%81%A8%E3%81%AE%E7%B5%84%E3%81%BF%E5%90%88%E3%82%8F%E3%81%9B%E3%81%A7%E5%BC%B7%E5%8A%9B%E3%81%AA%E3%83%84%E3%83%BC%E3%83%AB%E3%81%AB\"><\/span>LogStare Collector\u3068\u306e\u7d44\u307f\u5408\u308f\u305b\u3067\u5f37\u529b\u306a\u30c4\u30fc\u30eb\u306b<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"color: #ff0000;\">LogStare 
Collector\u306f\u3001SysmonForLinux\u3068\u7d44\u307f\u5408\u308f\u305b\u3066\u3001\u3044\u3064\u30d7\u30ed\u30bb\u30b9\u304c\u5b9f\u884c\u3055\u308c\u3001\u3044\u3064\u30d5\u30a1\u30a4\u30eb\u751f\u6210\u3055\u308c\u305f\u304b\u7b49\u3092\u5f8c\u304b\u3089\u30ed\u30b0\u691c\u7d22\u304c\u3067\u304d\u308b\u5f37\u529b\u306a\u30c4\u30fc\u30eb\u306b\u3082\u306a\u308a\u307e\u3059\u3002\u6709\u511f\u7248\u3068\u540c\u3058\u6a5f\u80fd\u30921\u304b\u6708\u4f7f\u3048\u308b\u8a66\u7528\u7248\uff081\u304b\u6708\u5f8c\u3082\u4e00\u90e8\u5236\u9650\u4ed8\u304d\u3067\u3059\u304c\u3001\u305d\u306e\u307e\u307e\u3054\u4f7f\u7528\u3067\u304d\u307e\u3059\uff09\u306a\u3089\u3001\u958b\u767a\u30b5\u30fc\u30d0\u3084\u30b9\u30c6\u30fc\u30b8\u30f3\u30b0\u74b0\u5883\u306e\u30ed\u30b0\u53ce\u96c6\u306b\u3082\u5341\u5206\u306a\u6a5f\u80fd\u3092\u6301\u3063\u3066\u3044\u307e\u3059\u3002\u662f\u975e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u304a\u4f7f\u3044\u304f\u3060\u3055\u3044\u3002<\/span><\/p>\n<p><span style=\"color: #ff0000;\">\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u306f\u3053\u3061\u3089\u2193<br \/>\n<a href=\"https:\/\/www.logstare.com\/freelsc\/\" target=\"_blank\" rel=\"noopener\">\u8a66\u7528\u7248\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"\u4eca\u56de\u306fSysmon\uff08\u30d7\u30ed\u30bb\u30b9\u4f5c\u6210\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u4f5c\u6210\u3001\u30d5\u30a1\u30a4\u30eb\u64cd\u4f5c\u7b49\u306eWindows\u30a4\u30d9\u30f3\u30c8\u3092\u76e3\u8996\u3057\u3066\u30ed\u30b0\u8a18\u9332\u3059\u308b\u30c4\u30fc\u30eb\uff09\u306eLinux\u7248\u3068\u306a\u308b SysmonForLinux\u3092\u4f7f\u7528\u3057\u3066\u3001Linux\u30c7\u30d0\u30a4\u30b9\u304b\u3089Sysmon\u304c\u53d6 
[&hellip;]","protected":false},"author":23,"featured_media":11107,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[50],"tags":[9,17],"class_list":["post-11068","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-windows-linux","tag-linux","tag-lscconf"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/posts\/11068","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/comments?post=11068"}],"version-history":[{"count":12,"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/posts\/11068\/revisions"}],"predecessor-version":[{"id":11648,"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/posts\/11068\/revisions\/11648"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/media\/11107"}],"wp:attachment":[{"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/media?parent=11068"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/categories?post=11068"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/tags?post=11068"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
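The three searches the article performs by hand in the LogStare Collector search screen (event ID 1 for the batch launch, event ID 11 for the error_ and summary_ files) can also be run directly over the syslog lines the collector receives. The following Python script is an added example, not code from the original article nor from Sysmon or LogStare: it parses the single-line XML event that Sysmon for Linux writes to syslog, converts UtcTime to JST the way the collector's receive time is shown, and reports whether the job started, whether an error_ file appeared and whether the summary_ file was created. The log lines, host name, /batch/ directory, process IDs and times are constructed for the example, and the "host sysmon: <xml>" header assumes a default rsyslog line layout.

```python
"""Added example: parse Sysmon for Linux syslog events and run the article's three checks.

Not code from the original article, Sysmon or LogStare. Sysmon for Linux emits each event
as one XML <Event> element: the EventID sits under <System>, the fields under <EventData>
as <Data Name="...">. The sample lines, host name, /batch/ paths, PIDs and times below are
constructed; the "host sysmon: <xml>" header assumes a default rsyslog line layout.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

JST = timezone(timedelta(hours=9))  # the collector in the article displays JST

# Constructed sample input: a process launch (ID 1), two file creations (ID 11)
# and one unrelated syslog line that the parser must ignore.
SAMPLE_SYSLOG = (
    'Mar 30 10:01:02 almalinux sysmon: <Event><System><Provider Name="Linux-Sysmon"/>'
    '<EventID>1</EventID><Computer>almalinux</Computer></System><EventData>'
    '<Data Name="UtcTime">2022-03-30 01:01:02.123</Data><Data Name="ProcessId">4242</Data>'
    '<Data Name="Image">/usr/bin/gawk</Data>'
    '<Data Name="CommandLine">awk -f calc.awk input_20220330.txt input_20220329.txt</Data>'
    '<Data Name="User">root</Data></EventData></Event>\n'
    'Mar 30 10:01:03 almalinux sysmon: <Event><System><Provider Name="Linux-Sysmon"/>'
    '<EventID>11</EventID><Computer>almalinux</Computer></System><EventData>'
    '<Data Name="UtcTime">2022-03-30 01:01:03.456</Data><Data Name="ProcessId">4242</Data>'
    '<Data Name="Image">/usr/bin/gawk</Data>'
    '<Data Name="TargetFilename">/batch/nohup.out</Data></EventData></Event>\n'
    'Mar 30 12:03:04 almalinux sysmon: <Event><System><Provider Name="Linux-Sysmon"/>'
    '<EventID>11</EventID><Computer>almalinux</Computer></System><EventData>'
    '<Data Name="UtcTime">2022-03-30 03:03:04.789</Data><Data Name="ProcessId">4242</Data>'
    '<Data Name="Image">/usr/bin/gawk</Data>'
    '<Data Name="TargetFilename">/batch/summary_20220330.csv</Data></EventData></Event>\n'
    'Mar 30 12:03:05 almalinux systemd[1]: Started Session 7 of user root.\n'
)

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sysmon: "
    r"(?P<xml><Event>.*</Event>)\s*$"
)


def parse_sysmon_line(line):
    """Return a flat dict (EventID, Computer, UtcTime, CommandLine, ...) for a Sysmon
    syslog line, or None for any other syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    root = ET.fromstring(m.group("xml"))
    event = {
        "EventID": int(root.findtext("System/EventID")),
        "Computer": root.findtext("System/Computer"),
    }
    for data in root.iter("Data"):  # every <Data Name="X">value</Data> becomes event["X"]
        event[data.get("Name")] = data.text or ""
    return event


def utc_to_jst(utc_time):
    """Sysmon's UtcTime is UTC; convert it to the local time the collector displays."""
    dt = datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return dt.astimezone(JST)


def check_batch(lines, script="calc.awk", workdir="/batch/"):
    """The article's three searches over a list of syslog lines:
    did the job start, did it write an error_ file, did it write a summary_ file."""
    events = [e for e in map(parse_sysmon_line, lines) if e]
    started = [e for e in events if e["EventID"] == 1 and script in e.get("CommandLine", "")]
    created = [e for e in events
               if e["EventID"] == 11 and e.get("TargetFilename", "").startswith(workdir)]
    errors = [e["TargetFilename"] for e in created
              if e["TargetFilename"].startswith(workdir + "error_")]
    summaries = [e["TargetFilename"] for e in created
                 if e["TargetFilename"].startswith(workdir + "summary_")]
    return {
        "started_at_jst": [utc_to_jst(e["UtcTime"]).isoformat() for e in started],
        "error_files": errors,
        "summary_files": summaries,
        # A missing error_ file only proves anything if FileCreate events are flowing at all,
        # so also require that the summary_ file was seen before reporting success.
        "ok": bool(started) and not errors and bool(summaries),
    }


if __name__ == "__main__":
    print(check_batch(SAMPLE_SYSLOG.splitlines()))
```

Feeding the collector's stored syslog files (or a live tail) into check_batch gives the same answer the article reaches through the search screen, with the UTC-to-JST conversion done once in code instead of in the reader's head.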