Skip to content

sysmon.service Failed with result #101

New issue
New issue
Closed
Closed
sysmon.service Failed with result#101
@P4T12ICK

Description

@P4T12ICK
P4T12ICK
opened on Mar 14, 2023

Hi guys,
with the latest release we get the following error:

root@ip-10-0-1-21:~# sysmon -accepteula -i /tmp/SysMonLinux-CatchAll.xml

Sysmon v1.1.0 - Monitors system events
Sysinternals - www.sysinternals.com
By Mark Russinovich, Thomas Garnier and Kevin Sheldrake
Copyright (C) 2014-2023 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.

Loading configuration file with schema version 4.70
Sysmon schema version: 4.81
Configuration file validated.
Created symlink /etc/systemd/system/multi-user.target.wants/sysmon.service → /etc/systemd/system/sysmon.service.
Job for sysmon.service failed because the control process exited with error code.
See "systemctl status sysmon.service" and "journalctl -xe" for details.
root@ip-10-0-1-21:~# systemctl status sysmon.service
● sysmon.service - Sysmon event logger
   Loaded: loaded (/etc/systemd/system/sysmon.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2023-03-14 11:53:59 UTC; 7s ago
  Process: 8817 ExecStart=/opt/sysmon/sysmon -i /opt/sysmon/config.xml -service (code=exited, status=12)

Mar 14 11:53:57 ip-10-0-1-21 sysmon[8817]: 369: (bf) r0 = r9
Mar 14 11:53:57 ip-10-0-1-21 sysmon[8817]: ; size = (size - dlen2) & (PATH_MAX - 1);  // ditto above message a
Mar 14 11:53:57 ip-10-0-1-21 sysmon[8817]: 370: (57) r7 &= 4095
Mar 14 11:53:57 ip-10-0-1-21 sysmon[8817]: ; newdentry = BPF_CORE_READ((struct mount *)mnt, mnt_mountpoint);
Mar 14 11:53:57 ip-10-0-1-21 sysmon[8817]: 371: (79) r9 = *(u64 *)(r10 -24)
Mar 14 11:53:57 ip-10-0-1-21 sysmon[8817]: ; mnt = container_of(vfsmount, struct mount, mnt);
Mar 14 11:53:57 ip-10-0-1-21 sysmon[8817]: 372: (7b) *(u64 *)(r10 -72) = r8
Mar 14 11:53:59 ip-10-0-1-21 systemd[1]: sysmon.service: Control process exited, code=exited status=12
Mar 14 11:53:59 ip-10-0-1-21 systemd[1]: sysmon.service: Failed with result 'exit-code'.
Mar 14 11:53:59 ip-10-0-1-21 systemd[1]: Failed to start Sysmon event logger.

Before it was working fine for our project Attack Range:
https://github.com/splunk/attack_range

The installation is automated through Ansible and the server is AWS EC2 ubuntu 18.04 amd64:
https://github.com/splunk/attack_range/blob/develop/packer/ansible/roles/sysmon_linux/tasks/install_sysmon_linux.yml

Thank you for your help.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions