Microsoft ported on the Linux platform of activity monitoring service in the sysmonforinux”> sysmon . To track the Linux operation, an EBPF subsystem is used to run handlers operating at the operating system kernel level. Separately develops the /sinternalsebpf”> , including functions useful for creating BPF handlers to monitor events in the system. Toolkit code is open under the MIT license, and the BPF program under the GPLv2 license. In the Packages.microsoft.com repository posted ready-made RPM and DEB packages, suitable for popular Linux distributions.
Sysmon allows you to conduct a log with detailed information about creating and completing processes, network connections and manipulations with files. Not only general information is saved in the log, but also information useful for the safety of incidents related to the safety of incidents, such as the name of the parent process, hashi from the content of executable files, information about dynamic libraries, information about the creation time / handling / change / deletion of files, data about Direct access processes to block devices. To limit the volume of recorded data, the possibility of configuring filters. Log can be saved through a regular syslog.