I am using Sysmon to collect logs on Windows, and I have learned from the TrustedSec GitHub page that Sysmon uses Event Tracing for Windows (ETW) to collect its logs. Now I am trying to figure out if Sysmon can capture more logs compared to Windows Event Viewer. For that I'm confused about where Windows Event Viewer collects logs from. Is it Event Tracing for Windows (ETW) itself?
- ETW is a generic mechanism for tracing/logging. Sysmon implements a provider (in the driver) for writing events and a consumer (in the process) for reading events. Event Viewer can only show events for providers that register their schemas with the system. Windows implements many providers that do this, while Sysmon is using ETW just as a message transport. (Luke, Mar 26, 2023 at 9:43)
- @Luke Do you have any resource I can refer to? (explorer, Mar 26, 2023 at 10:41)
- https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing (Luke, Mar 26, 2023 at 10:55)
- @Luke So can Sysmon capture more logs compared to Event Viewer? (explorer, Mar 27, 2023 at 5:38)
- Turns out I was wrong about Sysmon. I assumed it was similar to Procmon, but it's not. It is purely an event provider and installs its event manifest so Event Viewer can display its events. Regardless, that's a bit of a nonsensical question. Event Viewer just displays event data; it's the providers that generate the data. Sysmon generates its own custom events; Event Viewer can display them as well as events from any other installed provider. (Luke, Mar 27, 2023 at 6:57)
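The following is an added example, not part of the question or any of the comments above, that checks the point made in the thread: Sysmon is an ETW provider that registers its manifest, and Event Viewer (and `Get-WinEvent`) read its events from the channel that manifest declares. It assumes Sysmon is installed under its default provider name `Microsoft-Windows-Sysmon` with the default channel `Microsoft-Windows-Sysmon/Operational`, and that it runs in an elevated PowerShell session on the monitored host.

```powershell
# Added example (not from the question or comments above).
# Assumes default Sysmon provider/channel names and an elevated session.

$ProviderName = 'Microsoft-Windows-Sysmon'
$ChannelName  = 'Microsoft-Windows-Sysmon/Operational'

# 1. A provider whose manifest is registered shows up in the provider list.
#    This is the list Event Viewer relies on to decode events.
$provider = Get-WinEvent -ListProvider $ProviderName -ErrorAction SilentlyContinue
if (-not $provider) {
    Write-Warning "Provider '$ProviderName' is not registered; Event Viewer cannot decode its events."
    return
}
"Provider : {0}" -f $provider.Name
"GUID     : {0}" -f $provider.Id
"Channels : {0}" -f ($provider.LogLinks.LogName -join ', ')

# 2. The manifest also declares every event ID and its message template,
#    which is why Event Viewer can render Sysmon events as readable text.
$provider.Events |
    Select-Object Id, Version, @{ n = 'Description'; e = { ($_.Description -split "`n")[0] } } |
    Sort-Object Id -Unique |
    Format-Table -AutoSize

# 3. The channel itself is an ordinary event log, so it can be listed
#    alongside the other Windows logs Event Viewer shows.
Get-WinEvent -ListLog $ChannelName | Select-Object LogName, IsEnabled, RecordCount

# 4. Consume events through the same event log API Event Viewer uses.
#    Event ID 1 is Sysmon's process-creation event.
$events = Get-WinEvent -FilterHashtable @{ LogName = $ChannelName; Id = 1 } `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # EventData fields follow the order and names declared in the manifest template.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    "{0}  PID={1}  Image={2}" -f $e.TimeCreated, $data['ProcessId'], $data['Image']
}
```

If step 1 reports the provider as missing while Sysmon is running, the manifest was not installed (for example, the driver was loaded without the normal `sysmon -i` install), and the events exist only as raw ETW payloads that no consumer can decode without the schema; that is the situation the first comment describes, and it is the first thing to check when a Sysmon channel appears empty in Event Viewer.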