System Monitor (Sysmon) is one of the most commonly used Windows add-ons for logging. With Sysmon you can detect malicious activity by tracking process behavior and network traffic, and build detections on that telemetry.
Supported Windows versions:
We recommend using Blumira's automated Windows log setup agent, Poshim (PowerShell Shim), designed to help ensure you are collecting the right data from hosts across your entire environment. Poshim handles the installation and configuration of NXLog and Sysmon, and configures NXLog to ship the resulting logs over syslog to a target IP (your Blumira sensor).
Reference: See Poshim – Automated Windows log collection agent for instructions.
Note: This recommended setup using Poshim requires Windows Server 2012 R2 and above.
If using Poshim, nothing further is needed on this page. For manual config, continue reading below.
Sysmon is part of the Sysinternals suite, now owned by Microsoft. It enriches the standard Windows event logs with higher-level records of process creation, network connections, file-system changes, and similar events, written to the Microsoft-Windows-Sysmon/Operational log. Sysmon logs what its configuration file tells it to, so the configuration is what determines the value of the data you collect.

Download the sysmon-modular configuration and install Sysmon with it. Run both commands from an elevated (Administrator) PowerShell prompt in the folder where the Sysmon package was extracted (or give the full path to sysmon64.exe). Note that the switches use plain hyphens; copying en-dashes (–) from a web page will make Sysmon reject the arguments.

Invoke-WebRequest -Uri https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml -OutFile C:\Windows\config.xml
sysmon64.exe -accepteula -i C:\Windows\config.xml
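The following script is an added example, not Blumira's or Sysinternals' own code. It performs the manual procedure above end to end and adds the checks a practitioner wants before trusting the host's telemetry: it validates the downloaded configuration as XML, records its hash, installs Sysmon only when it is not already present (otherwise it reloads the configuration with -c so existing logging is not interrupted), and then confirms the service is running and that Process Create (Event ID 1) and Network Connect (Event ID 3) events are actually being written. The Sysmon.zip download URL and the C:\Tools\Sysmon staging folder are assumptions for this example; the configuration URL and C:\Windows\config.xml are the ones used on this page.

```powershell
# Added example (not Blumira's or Sysinternals' code): manual Sysmon install or config
# reload with the sysmon-modular configuration, followed by verification that events flow.
# Run from an elevated (Administrator) PowerShell prompt on Windows PowerShell 5.1 or later.
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$WorkDir    = 'C:\Tools\Sysmon'                                        # assumption: staging folder
$SysmonZip  = 'https://download.sysinternals.com/files/Sysmon.zip'     # assumption: official Sysinternals package
$ConfigUrl  = 'https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml'
$ConfigPath = 'C:\Windows\config.xml'                                  # same path the page uses

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Fetch the Sysmon package and the configuration.
#    -UseBasicParsing avoids the Internet Explorer engine dependency on servers without it.
Invoke-WebRequest -Uri $SysmonZip -OutFile "$WorkDir\Sysmon.zip" -UseBasicParsing
Expand-Archive -Path "$WorkDir\Sysmon.zip" -DestinationPath $WorkDir -Force
Invoke-WebRequest -Uri $ConfigUrl -OutFile $ConfigPath -UseBasicParsing

# 2. Sanity-check the configuration before handing it to Sysmon: it must parse as XML
#    with a <Sysmon> root element. Record the hash so the deployed config is auditable.
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
if ($cfg.DocumentElement.Name -ne 'Sysmon') {
    throw "Unexpected root element '$($cfg.DocumentElement.Name)' in $ConfigPath"
}
$hash = (Get-FileHash -Algorithm SHA256 -Path $ConfigPath).Hash
Write-Host "Config schemaversion $($cfg.Sysmon.schemaversion), SHA256 $hash"

# 3. Install when the Sysmon64 service is absent; otherwise reload the configuration (-c)
#    so the existing driver keeps logging while the rule set is swapped.
$SysmonExe = Join-Path $WorkDir 'Sysmon64.exe'
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $SysmonExe -c $ConfigPath
} else {
    & $SysmonExe -accepteula -i $ConfigPath
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon64.exe returned exit code $LASTEXITCODE" }

# 4. Verify: the service is running and events are being written. Spawning whoami.exe
#    guarantees at least one Process Create (ID 1) event exists to look at.
$svc = Get-Service -Name Sysmon64
if ($svc.Status -ne 'Running') { throw "Sysmon64 service is $($svc.Status), expected Running" }
Start-Process -FilePath 'whoami.exe' -Wait -WindowStyle Hidden

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 1, 3
} -MaxEvents 5

# Pull the Image field out of each event's EventData so the output is readable.
$events | Select-Object TimeCreated, Id, @{ Name = 'Image'; Expression = {
    ([xml]$_.ToXml()).Event.EventData.Data |
        Where-Object { $_.GetAttribute('Name') -eq 'Image' } |
        Select-Object -ExpandProperty '#text'
} } | Format-Table -AutoSize
```

If step 4 throws "No events were found", Sysmon is installed but not logging: check that the configuration's schemaversion is supported by the Sysmon build you installed (sysmon64.exe -s prints the schema it expects) and that the rule set is not filtering out everything. Get-WinEvent requires the Sysmon operational log to exist, which it only does once the driver has been installed at least once.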
Additional Links
See our blog post to learn more about Sysmon with Blumira
Additional Sysmon Commands for troubleshooting