Thanks for reporting this. Excellent write-up, thanks to which I can see this behavior. The fix is incoming in the next publish!
SYSMON does not log any EventID=26
My config file is below.
I renamed sysmon.exe to sm-tomtest.exe
At the admin command prompt I run
sm-tomtest -accepteula -i config.xml
It responds as expected:
Loading configuration file with schema version 4.81
Configuration file validated.
sm-tomtest installed.
sm-drv-t installed.
Starting sm-drv-t.
sm-drv-t started.
Starting sm-tomtest..
sm-tomtest started.
I then copy/paste a small file into My Documents, and delete it.
I refresh the Sysmon > Operational log in Event Viewer, and no EventID=26 is recorded. There are plenty of EventID=23 entries (mostly browser temp files), but there is no EventID 23 for my test file either.
What am I doing wrong?
<Sysmon schemaversion="4.81">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <ArchiveDirectory>sm-delf-t</ArchiveDirectory><!-- Folder may be somewhat hidden -->
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <!-- Do not log process termination -->
    <ProcessTerminate onmatch="include"/>
    <!-- Log network connection if the destination port equals 443 -->
    <!-- or 80, and process isn't Internet Explorer -->
    <NetworkConnect onmatch="include">
      <DestinationPort>443</DestinationPort>
      <DestinationPort>80</DestinationPort>
    </NetworkConnect>
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">iexplore.exe</Image>
    </NetworkConnect>
    <!-- https://learn.microsoft.com/en-us/answers/questions/581099/sysmon-can-i-logging-deleted-all-file-through-sysm.html -->
    <RuleGroup name="Evt_26_inc" groupRelation="or">
      <FileDeleteDetected onmatch="include">
        <TargetFilename condition="contains">\</TargetFilename>
      </FileDeleteDetected>
    </RuleGroup>
    <!-- https://github.com/olafhartong/sysmon-modular/blob/master/23_file_delete/exclude_google_chrome.xml -->
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="exclude">
        <Image condition="contains all">\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe</Image>
        <Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
  <DriverName>sm-drv-t</DriverName>
</Sysmon>
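Added example, not code from the thread or from Sysmon itself: a small Python model of how the posted FileDelete / FileDeleteDetected rules are applied to a sample file-delete event, so you can check what a config is expected to log before testing on a host. It assumes the documented include/exclude semantics (exclude rules win, an event type with only exclude rules logs everything else, an event type with no rules is treated as not logged), "or" rule groups only, and implements just the conditions used in this config; the config excerpt and the sample events are constructed.

```python
"""Model of Sysmon EventFiltering for the rules posted above (added example).
Simplification: exclude rules are checked first; an event type with only
exclude rules logs every non-excluded event; an event type with no rules at
all is treated as not logged. Only 'or' groups and the four conditions used
in the posted config are implemented."""
import xml.etree.ElementTree as ET

# Constructed excerpt of the config posted in the thread (file-delete rules only).
CONFIG = r"""<Sysmon schemaversion="4.81">
<EventFiltering>
<RuleGroup name="Evt_26_inc" groupRelation="or">
<FileDeleteDetected onmatch="include">
<TargetFilename condition="contains">\</TargetFilename>
</FileDeleteDetected>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
<FileDelete onmatch="exclude">
<Image condition="contains all">\appdata\local\google\chrome\user data\swreporter\;software_reporter_tool.exe</Image>
<Image condition="is">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Image>
</FileDelete>
</RuleGroup>
</EventFiltering>
</Sysmon>"""

def _match(cond, value, field):
    """Sysmon string conditions are case-insensitive; 'contains all' is ';'-separated."""
    f, v = field.lower(), value.lower()
    if cond == "is":           return f == v
    if cond == "contains":     return v in f
    if cond == "end with":     return f.endswith(v)
    if cond == "contains all": return all(p in f for p in v.split(";"))
    raise ValueError(f"condition not modelled: {cond}")

def rules_for(config_xml, event_type):
    """Return (include_rules, exclude_rules) for an event type, each a list of
    (field, condition, value); rules nested inside RuleGroup elements are found too."""
    root = ET.fromstring(config_xml)
    inc, exc = [], []
    for elem in root.iter(event_type):
        bucket = inc if elem.get("onmatch") == "include" else exc
        for f in elem:
            bucket.append((f.tag, f.get("condition", "is"), f.text or ""))
    return inc, exc

def is_logged(config_xml, event_type, event):
    """event: dict of Sysmon field name -> value (e.g. Image, TargetFilename)."""
    inc, exc = rules_for(config_xml, event_type)
    if not inc and not exc:
        return False                      # no filter for this type: treated as not logged
    hit = lambda rules: any(_match(c, v, event.get(f, "")) for f, c, v in rules)
    if hit(exc):
        return False                      # an exclude match always drops the event
    return hit(inc) if inc else True      # only excludes present: log everything else
```

Because the FileDeleteDetected include rule matches any path containing a backslash, the model expects Event 26 for every file delete that actually reaches Sysmon, which is what makes the reported behavior worth a bug report rather than a filter problem.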