Microsoft has ported the Sysmon activity-monitoring service to Linux. To observe system activity, it uses the eBPF subsystem, which allows monitoring handlers to run inside the operating-system kernel. A separate SysinternalsEBPF library is being developed alongside it, providing functions useful for building BPF handlers that monitor system events. The toolkit's code is released under the MIT license, while the BPF programs are under GPLv2. Ready-made RPM and DEB packages for popular Linux distributions are available in the packages.microsoft.com repository.
Sysmon keeps a log with detailed records of process creation and termination, network connections and file operations. Besides the basic fields, the log captures data useful when investigating security incidents: the name of the parent process, hashes of executable file contents, information about loaded dynamic libraries, file creation, access, modification and deletion times, and direct (raw) access by processes to block devices. Configurable filters limit the volume of recorded data. The log is written through the standard syslog facility.
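As an added illustration (not code from the original article or from the Sysmon project), the following Python script parses the kind of syslog lines Sysmon for Linux writes, where each event follows the syslog header as a single-line XML document, and runs one simple detection over them: a process-creation event whose parent is a web server and whose image is a shell. It also counts events per type, which is the first thing to look at before tightening filters. The log lines, host name, PIDs, paths, addresses and hashes are constructed for the example; the element and field names (EventID, Image, ParentImage, Hashes and so on) follow the Sysmon event schema, but check them against the events your own installation emits.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log in the shape Sysmon for Linux writes to syslog:
# a syslog header, then the whole event as one line of XML. Event IDs use
# Sysmon's numbering (1 ProcessCreate, 3 NetworkConnect, 5 ProcessTerminate).
# Host, PIDs, paths, addresses and hashes are invented for this example.
SAMPLE_SYSLOG = """\
Oct 14 10:00:00 web01 CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Oct 14 10:00:30 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Channel>Linux-Sysmon/Operational</Channel><Computer>web01</Computer></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2021-10-14 10:00:30.021</Data><Data Name="ProcessId">2210</Data><Data Name="Image">/usr/sbin/sshd</Data><Data Name="CommandLine">/usr/sbin/sshd -D</Data><Data Name="User">root</Data><Data Name="Hashes">SHA256=ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff</Data><Data Name="ParentProcessId">1</Data><Data Name="ParentImage">/usr/lib/systemd/systemd</Data><Data Name="ParentCommandLine">/sbin/init</Data></EventData></Event>
Oct 14 10:01:02 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>1</EventID><Channel>Linux-Sysmon/Operational</Channel><Computer>web01</Computer></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2021-10-14 10:01:02.113</Data><Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/bash</Data><Data Name="CommandLine">bash -c id</Data><Data Name="User">www-data</Data><Data Name="Hashes">SHA256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</Data><Data Name="ParentProcessId">1337</Data><Data Name="ParentImage">/usr/sbin/nginx</Data><Data Name="ParentCommandLine">nginx: worker process</Data></EventData></Event>
Oct 14 10:01:03 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>3</EventID><Channel>Linux-Sysmon/Operational</Channel><Computer>web01</Computer></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2021-10-14 10:01:03.004</Data><Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/bash</Data><Data Name="User">www-data</Data><Data Name="DestinationIp">203.0.113.7</Data><Data Name="DestinationPort">4444</Data></EventData></Event>
Oct 14 10:01:09 web01 sysmon: <Event><System><Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/><EventID>5</EventID><Channel>Linux-Sysmon/Operational</Channel><Computer>web01</Computer></System><EventData><Data Name="RuleName">-</Data><Data Name="UtcTime">2021-10-14 10:01:09.350</Data><Data Name="ProcessId">4242</Data><Data Name="Image">/usr/bin/bash</Data><Data Name="User">www-data</Data></EventData></Event>
"""

EVENT_RE = re.compile(r"<Event>.*</Event>")


def parse_sysmon_line(line):
    """Parse one syslog line into a flat dict of the event.
    Returns None when the line carries no Sysmon event."""
    match = EVENT_RE.search(line)
    if match is None:
        return None
    root = ET.fromstring(match.group(0))
    event = {
        "EventID": int(root.findtext("./System/EventID")),
        "Computer": root.findtext("./System/Computer"),
    }
    # Every <Data Name="..."> element under <EventData> becomes a key.
    for data in root.iter("Data"):
        event[data.get("Name")] = data.text or ""
    return event


def parse_hashes(field):
    """Split Sysmon's 'ALGO=hex,ALGO=hex' Hashes field into a dict."""
    hashes = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            hashes[algo.strip()] = value.strip()
    return hashes


def iter_events(log_text):
    """Yield parsed Sysmon events, skipping unrelated syslog lines."""
    for line in log_text.splitlines():
        event = parse_sysmon_line(line)
        if event is not None:
            yield event


def count_by_event_id(log_text):
    """Event volume per type: the first look before tightening filters."""
    counts = {}
    for event in iter_events(log_text):
        counts[event["EventID"]] = counts.get(event["EventID"], 0) + 1
    return counts


# Hypothetical allow/deny lists for the detection below; adjust per host.
WEB_SERVERS = {"/usr/sbin/nginx", "/usr/sbin/apache2", "/usr/sbin/httpd"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash",
          "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/dash"}


def find_web_spawned_shells(log_text):
    """Detection: ProcessCreate (ID 1) where a web server process launches
    a shell, a common sign of a web shell or remote code execution."""
    hits = []
    for event in iter_events(log_text):
        if event["EventID"] != 1:
            continue
        if event.get("ParentImage") in WEB_SERVERS and event.get("Image") in SHELLS:
            hits.append({
                "time": event.get("UtcTime"),
                "host": event["Computer"],
                "user": event.get("User"),
                "parent": event["ParentImage"],
                "image": event["Image"],
                "cmdline": event.get("CommandLine"),
                "sha256": parse_hashes(event.get("Hashes", "")).get("SHA256"),
            })
    return hits


if __name__ == "__main__":
    print(count_by_event_id(SAMPLE_SYSLOG))
    for hit in find_web_spawned_shells(SAMPLE_SYSLOG):
        print(hit)
```

The parent-image and hash fields are exactly what the article says Sysmon records beyond the basics, and the detection relies on them: the parent tells you who spawned the shell, and the SHA256 lets you pivot to the same binary on other hosts. In production, feed the function the syslog file the daemon writes to instead of the embedded sample.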