Microsoft has ported the Sysmon activity monitoring service to the Linux platform. To monitor the work of Linux, the eBPF subsystem is used, which allows you to run handlers that work at the kernel level of the operating system. The SysinternalsEBPF library is being developed separately, which includes functions useful for creating BPF handlers for monitoring system events. The toolkit code is open under the MIT license, and the BPF programs are under the GPLv2 license. The packages.microsoft.com repository contains ready-made RPM and DEB packages suitable for popular Linux distributions. Learn more about this open-source move for Sysmon here.