Support for Alternative Log Format such as JSON

[SMAPPER]

Is it possible for this project to get JSON support? Windows Sysmon with XML is auto-handled by most log agents to abstract the XML parsing away. However, Linux log agents do not account for this. While I don't think it's a huge deal I believe it would help the community more readily consume these logs if they supported other log formats outside of XML.

Examples:

• JSON
• key-value pairs (base pairs or a standard like LEF, LEEF, or CEF)

Regardless, in its current format, Sysmon for Linux is a huge blessing to the community regardless of the above. I'm just submitting this as a possible feature request.

[tbennett6421]

I'd be interested in json as well. I'd love to see it put on the roadmap

[avwsolutions]

Would indeed be great to have JSON output, since this integrates far easier with OSS tools like Fluentd, fluentbit or Elastic Filebeat / Logstash.

[kesheldr]

Thanks for the suggestion - others have suggested similar. I will raise it and see what interest there is internally.

[ssi0202]

@SMAPPER i totally agree with your request here, from reading your input i get the idea that you may have a filebeat/vector.dev config that solves this with parsing perhaps already?

in my search for solving this i found this forum post on the filebeat forums that suggest one could use this filebeat processor but im a bit stomped as to what this will have to be implemented to not interfier with the rest of the json based logdata also being shipped from the syslog file. From what i can tell its all json exept the sysmon events that for the lack of a better word is a xml blob in the otherwise json formatted data is this correct?

looks like the "decode_xml_wineventlog" processer can be leveraged here, but i have not yet been able to build a working config around this.

elastic/integrations#1930

[ssi0202]

@MarioHewardt giving this a bump based of the convo on twitter :)

twitter convo with @markrussinovich and @MarioHewardt

i would also suggest that we make an extra logfile so all the very nice sysmon log data is dumped into the syslog file itself.

[JustinHendersonSMAPPER]

Do you know if this feature could be considered? While I know it's possible to convert after the fact with other tools, it's less than ideal. The tool ideally would provide flexibility for easier integration within the community. JSON seems like a natural output format that many tools work with.

Regardless, I appreciate your efforts for this as Sysmon is great.

[MarioHewardt]

This is a super interesting item that is on my backlog to investigate. At the moment, my plan for the short term is to address some of the more critical functional issues/bugs reported before I switch over to new features/capabilities.

[MarioHewardt]

If someone has already solved this via other conversion tools I'd be super interested in learning more about it.

[weslambert]

Hi Mario,

I've been wanting something like this for a while.

Alternative ways of accomplishing the conversion would be using something like Filebeat's decode_xml_wineventlog processor, or Logstash's XML filter plugin, either through picking up events directly, or forwarding events via syslog.

@scudette submitted a pull request for this type of output, as well as socket output, a while back:

#50

As always, thanks for all of your work with Sysmon for Linux!

Thanks,
Wes

[MarioHewardt]

Thanks Wes. I've seen that PR but haven't had a chance to look through it yet due to other priorities.

[norandom]

Really interested in this.