Lead Microsoft Engineer Kevin Sheldrake Brings Sysmon to Linux


Thanks to Kevin Sheldrake, co-author of Sysmon for Linux from Microsoft for working with us on this article.

Seven years after Microsoft Sysinternals released Sysmon – a system monitoring tool for Windows that reports key system activity via the event log – we were very proud to release the Linux version of the same tool at the Sysinternals @25 celebration event. (You can still catch up on the talks by clicking on the event link.)

Unlike the Linux versions of ProcDump and ProcMon, which were complete rewrites for the Linux platform, Sysmon For Linux is a direct port of the Windows code. This means that the Linux version uses the exact same configuration loader and event filtering engine that are familiar and comfortable to existing Sysmon users.
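As an added illustration of that shared configuration format (this is not from the article or the Sysmon project's own documentation), the following is a minimal filter configuration in the Windows Sysmon syntax; the schema version, the rule contents and the install command in the usage note are assumptions:

```xml
<!-- Added example, not from the article; schemaversion is an assumption -->
<Sysmon schemaversion="4.81">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 1: record process creation only for shells -->
      <ProcessCreate onmatch="include">
        <Image condition="end with">/bash</Image>
        <Image condition="end with">/sh</Image>
      </ProcessCreate>
      <!-- Event ID 3: an empty exclude list records every network connection -->
      <NetworkConnect onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

The semantics are the same as on Windows: an `include` block only emits events that match at least one of its rules, and an `exclude` block emits everything except matches, so an empty `exclude` block turns an event type fully on. Assuming a stock Ubuntu install, the configuration is loaded with `sudo sysmon -accepteula -i sysmon.xml` and the resulting events are written to syslog rather than to a Windows event log.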

The key enabling technology that allowed Sysmon For Linux to come to life is eBPF. Originally standing for extended Berkeley Packet Filter, eBPF is a way to run user-specified and user-controlled code inside the Linux
