microsoft · scudette · Dec 5, 2021
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -106,6 +106,8 @@ add_executable(sysmon
                linuxWideChar.c
                linuxHelpers.cpp
                networkTracker.cpp
+               frozen.c
+               frozen.h
                outputxml.c
                installer.c
                "${SYSMON_COMMON_SOURCE_DIR}/usage.c"
@@ -318,6 +320,8 @@ add_executable(sysmonUnitTests
                linuxWideChar.c
                linuxHelpers.cpp
                outputxml.c
+               frozen.c
+               frozen.h
                hexdump.c
                "${SYSMON_COMMON_SOURCE_DIR}/parsecommandline.c"
                "${SYSMON_COMMON_SOURCE_DIR}/xml.cpp"
@@ -418,7 +422,7 @@ add_custom_command(OUTPUT sysmonmsgop.c
                    DEPENDS sysmonmsgop.man
                    )
 
-# 
+#
 # convert embedded files to objects for linking with the sysmon binary
 #
 add_custom_command(OUTPUT manifest.xml.o
@@ -532,4 +536,3 @@ foreach(EBPF_PROG IN LISTS EBPF_PROGS)
     # add ebpf programs to clean
     set_directory_properties(PROPERTIES ADDITIONAL_MAKE_CLEAN_FILES ${EBPF_PROG}.o)
 endforeach(EBPF_PROG)
-
diff --git a/README.md b/README.md
@@ -1,5 +1,25 @@
 # Sysmon For Linux install and build instructions
 
+## Local modifications
+
+1. New command line option "-socket /var/run/sysmon.socket" will
+   stream events into the socket instead of writing to syslog. This is
+   more efficient as it allows an external log forwarder to connect to
+   the socket and saves writing the events to disk (and filling it
+   up). If no listener is currently connected, the events will be
+   dropped.
+
+2. A new command like option "-json" allows events to be written in
+   JSON since this is the 21st century and XML is so quaint.
+
+The updated service file contains both these options. Once the service
+is installed simply read from the unix domain socket and events will
+be sent in JSONL format, eg:
+
+```
+socat - UNIX-CONNECT:/var/run/sysmon.sock
+```
+
 ## Installation
 The packages are available in the official Microsoft Linux repositories and instructions on how to install the packages for the different Linux distributions can be found in the [Installation instructions](INSTALL.md).
 
@@ -126,4 +146,3 @@ See DEVELOP.md
 Sysmon For Linux is licensed under MIT, with the eBPF programs licensed under
 GPL2.  SysinternalsEBPF (on which Sysmon For Linux depends) is licensed under
 LGPL2.1, with the eBPF code library licensed under GPL2.
-
diff --git a/extractMsgOp.sh b/extractMsgOp.sh
@@ -31,6 +31,7 @@ if [[ "$1" == "HEADER" ]]; then
     echo "#pragma once"
     echo ""
     echo "extern const GUID SYSMON_PROVIDER;"
+    echo "extern const char* SYSMON_PROVIDER_GUID;"
     echo "#define SYSMON_CHANNEL 0x10"
     echo ""
     grep '<task name' $SYSMONMSGOP | sed -e 's/^.*symbol="\([^"]*\)".*\(..\)}".*$/#define \1 0x\2/'
@@ -66,4 +67,3 @@ else
     grep '<event symbol=' $SYSMONMSGOP | grep "win:Error" | sed -e 's/^.*symbol="\([^"]*\)".*value="\([^"]*\).*version="\([^"]*\)".*$/const EVENT_DESCRIPTOR \1 = {\2, \3, 0x10, 0x2, 0x0, \2, 0x8000000000000000};/'
     grep '<event symbol=' $SYSMONMSGOP | grep "win:Informational" | sed -e 's/^.*symbol="\([^"]*\)".*value="\([^"]*\).*version="\([^"]*\)".*$/const EVENT_DESCRIPTOR \1 = {\2, \3, 0x10, 0x4, 0x0, \2, 0x8000000000000000};/'
 fi
-