Sysmon DNS query is not working

Will 20 Reputation points
2023-07-03T22:12:05.3266667+00:00

I am using Sysmon v15 with Windows 11 22H2.

After installation, I tried to ping a domain from the command prompt and also using the Edge browser. I was expecting to see Event ID 22 in my Microsoft-Windows-Sysmon/Operational log. I can see other events but no event 22 showing up.

When I run sysmon -c, I get the following output.

Current configuration:

- Service name: Sysmon64

- Driver name: SysmonDrv

- Config file: C:\Users\user1\Downloads\Sysmon64.exe -i

- HashingAlgorithms: SHA256

- Network connection: disabled

- Archive Directory: -

- Image loading: disabled

- CRL checking: enabled

- DNS lookup: enabled

Any ideas why my DNS lookup is not being logged by Sysmon?


Accepted answer
  1. Alex Mihaiuc 176 Reputation points Microsoft Employee
    2023-07-04T11:24:24.3466667+00:00

    It looks like you might have left the

        <EventFiltering>
            <DnsQuery onmatch="exclude" />
        </EventFiltering>
    

    part out of the config. The .\sysmon64.exe -c output should contain

    ...
     - DNS lookup:                    enabled
    
    Rule configuration (version 4.90):
    ...
     - DnsQuery                           onmatch: exclude   combine rules using 'And'
    ...
    

    for that XML snippet from above.

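The accepted answer's point is that the DNS lookup capability being "enabled" is not the same as having a DnsQuery rule in the EventFiltering section; without that rule, Sysmon never writes Event ID 22. The following PowerShell script is an added example, not code from the thread or from Sysinternals: it writes a minimal configuration containing the DnsQuery rule group, installs or updates Sysmon with it, confirms the rule shows up in the `-c` output, and then reads back Event ID 22 after a test lookup. It assumes Sysmon64.exe is in the current directory, that the prompt is elevated, and that schemaversion 4.90 (the version quoted in the answer's output) is accepted by the installed Sysmon. The file name, the RuleGroup name and the commented-out QueryName filter are illustrative choices, and example.com is used only because it is reserved for documentation.

```powershell
# Added example (not from the Q&A thread): enable Sysmon DNS query logging
# (Event ID 22) with a DnsQuery rule and verify that events arrive.
# Assumptions: Sysmon64.exe is in the current directory, the session is
# elevated, schemaversion 4.90 matches the installed Sysmon.

$configPath = Join-Path $PWD 'sysmon-dns.xml'   # hypothetical file name

# A DnsQuery rule group with onmatch="exclude" and no child rules logs every
# DNS query. The commented-out QueryName rule shows where a noisy domain
# would be excluded; the domain is a placeholder, not from the thread.
@'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="DNS" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <!-- <QueryName condition="end with">.example.invalid</QueryName> -->
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding UTF8

# -i installs with the config; -c <file> updates a running instance in place.
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & .\Sysmon64.exe -c $configPath
} else {
    & .\Sysmon64.exe -accepteula -i $configPath
}

# The bare -c dump should now list "DnsQuery onmatch: exclude" under
# "Rule configuration", in addition to "DNS lookup: enabled".
& .\Sysmon64.exe -c | Select-String -Pattern 'DNS lookup|DnsQuery'

# Generate one lookup and read Event ID 22 written since that moment.
$since = Get-Date
Resolve-DnsName -Name 'example.com' -Type A -ErrorAction SilentlyContinue | Out-Null
Start-Sleep -Seconds 2

Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 22
    StartTime = $since
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull EventData fields by name rather than by position so the
        # output stays correct if the field order changes between versions.
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            QueryName = $data['QueryName']
            Image     = $data['Image']
            Results   = $data['QueryResults']
        }
    } | Format-Table -AutoSize
```

If the `-c` dump still lacks the DnsQuery line after this, the config was not applied (check that the path is correct and that the console is elevated). If the line is present but no Event ID 22 appears, look first at whether the lookup was answered from the local resolver cache, since Sysmon reports queries made by processes, and a cached answer still produces an event only when the client actually issues the query.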

1 additional answer

  1. John Maclain Wright 0 Reputation points
    2023-07-12T07:18:58.97+00:00

    Oh, that's nice work, but how it will solve this, I don't have any idea.
