
System Monitor (Sysmon)

Enable Sysmon for Windows Logging


System Monitor (Sysmon) is one of the most commonly used Windows add-ons for logging. With Sysmon you can detect malicious activity by tracking process behavior and network connections, and build detections on that activity.

Supported Windows versions:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012R2
  • Windows Server 2012

Recommended: Automated Windows Setup

We recommend using Blumira’s automated Windows log setup agent, Poshim (PowerShell Shim), designed to help ensure you’re collecting the right data from hosts across your entire environment. Poshim handles the installation and configuration of NXLog and Sysmon so that logs are shipped to a targeted IP.

Reference: See Poshim – Automated Windows log collection agent for instructions.

Note: This recommended setup using Poshim requires Windows Server 2012 R2 and above.

If using Poshim, nothing further is needed on this page. For manual config, continue reading below.


What is System Monitor (Sysmon)?

Sysmon is part of the Sysinternals suite, now owned by Microsoft. It enriches the standard Windows logs with higher-level monitoring of events such as process creation, network connections, and changes to the file system.

Installing Sysmon

  1. You can run a Poshim script to automatically install Sysmon, or you can install it manually:
    • To automatically install Sysmon using a Poshim script, follow these instructions.
    • To manually install Sysmon, follow the steps below:
      1. Download Sysmon (or the entire Sysinternals suite).
      2. Download your chosen configuration (we recommend Sysmon Modular).
      3. Save it as config.xml in C:\Windows, or run this PowerShell command: Invoke-WebRequest -Uri https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml -OutFile C:\Windows\config.xml
      4. Install by opening a command prompt as administrator and running: sysmon64.exe -accepteula -i C:\Windows\config.xml
        • Sysmon.exe is for 32-bit systems only.
        • Sysmon64.exe is for 64-bit systems only.
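The manual steps above as one PowerShell script, added here as an example (it is not Blumira’s Poshim script or Microsoft’s code). It assumes an elevated session and the Sysinternals download URL https://download.sysinternals.com/files/Sysmon.zip, and adds the checks a practitioner would want: elevation, a well-formed config, the architecture-correct binary, and confirmation that the service is running and events are being written.

```powershell
# Added example (not Poshim or Sysinternals code): manual Sysmon install with checks.
# Assumptions: elevated PowerShell; $SysmonZipUrl is the Sysinternals download location;
# $ConfigUrl is the Sysmon Modular config referenced in the steps above.
$ErrorActionPreference = 'Stop'
$SysmonZipUrl = 'https://download.sysinternals.com/files/Sysmon.zip'
$ConfigUrl    = 'https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml'
$ConfigPath   = 'C:\Windows\config.xml'
$WorkDir      = Join-Path $env:TEMP 'sysmon-install'

# The driver install needs administrator rights; fail early rather than half-way through.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (administrator) PowerShell session.' }

# Step 1: download and unpack Sysmon.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Invoke-WebRequest -Uri $SysmonZipUrl -OutFile (Join-Path $WorkDir 'Sysmon.zip')
Expand-Archive -Path (Join-Path $WorkDir 'Sysmon.zip') -DestinationPath $WorkDir -Force

# Steps 2-3: fetch the config and confirm it is well-formed XML with a Sysmon root element.
Invoke-WebRequest -Uri $ConfigUrl -OutFile $ConfigPath
$xml = [xml](Get-Content -Path $ConfigPath -Raw)
if ($xml.DocumentElement.Name -ne 'Sysmon') { throw "Unexpected root element in $ConfigPath" }

# Pick the binary for the OS architecture (Sysmon.exe = 32-bit, Sysmon64.exe = 64-bit).
$exe     = if ([Environment]::Is64BitOperatingSystem) { 'Sysmon64.exe' } else { 'Sysmon.exe' }
$exePath = Join-Path $WorkDir $exe
$svcName = [IO.Path]::GetFileNameWithoutExtension($exe)   # service name matches the exe name

# Step 4: fresh install with -i; if the service already exists, update the config with -c instead.
$sysmonArgs = if (Get-Service -Name $svcName -ErrorAction SilentlyContinue) {
    @('-c', $ConfigPath)
} else {
    @('-accepteula', '-i', $ConfigPath)
}
$p = Start-Process -FilePath $exePath -ArgumentList $sysmonArgs -Wait -PassThru -NoNewWindow
if ($p.ExitCode -ne 0) { throw "$exe exited with code $($p.ExitCode)" }

# Verify: the service is running and events are landing in the Sysmon operational channel.
$svc = Get-Service -Name $svcName
if ($svc.Status -ne 'Running') { throw "$svcName is not running (status: $($svc.Status))" }
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName
```

If the final Get-WinEvent returns nothing, the driver is loaded but no rule in the config has matched yet; open a process or network connection and re-run it before concluding the install failed.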

Additional Links

See our blog post to learn more about Sysmon with Blumira.

Additional Sysmon Commands for troubleshooting