System Monitor (Sysmon) is one of the most commonly used Windows add-ons for logging. Sysmon is part of the Sysinternals software package owned by Microsoft, and it enriches the standard Windows logs by producing some higher-level monitoring of events such as process creations, network connections, and changes to the file system. With Sysmon, you can detect malicious activity by tracking code behavior and network traffic, as well as create detections based on the malicious activity.
Sysmon is supported on Windows versions:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012R2
- Windows Server 2012
Reference: Additional information about usage and examples of each event type that Sysmon generates are located on Microsoft's Sysmon download page.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Installing a Blumira sensor with Ubuntu before you continue.
Obtain the IP address of your Blumira sensor to use when configuring the external service.
To gather the IP address of the sensor:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- Under Overview, in the Host Details box, copy the IP value.
Using Poshim for automated Windows setup
To complete this integration, we recommend using Blumira’s Poshim (PowerShell Shim) script, which is designed to ensure that you are collecting the right data from hosts across your entire environment. Poshim handles the installation and configuration for NXLog and Sysmon to ship logs over Sysmon to a targeted IP.
Reference: See Automating Windows log collection with Poshim for instructions.
If you choose to use Poshim for this integration, nothing further is needed on this page. For manual configuration, continue reading below.
Installing Sysmon manually
To manually install Sysmon, follow the instructions below.
- Download Sysmon (or the entire Sysinternals suite).
- Download your chosen configuration (we recommend Sysmon Modular).
- Save as config.xml in c:\windows, or run the PowerShell command:
- Install by opening up a command prompt as administrator and typing
sysmon64.exe –accepteula –i c:\windows\config.xml
Note: Sysmon.exe is for 32-bit systems only, and Sysmon64.exe is for 64-bit systems only.
Sending Sysmon events to Blumira using NXLog
After Sysmon is manually installed, you must add the Sysmon event channel to your NXLog configuration in order to start sending logs to Blumira’s platform for detection and response.
Note: If you chose to use Poshim, this is automatically handled by the shim at the same time as the Sysmon installation.
You can use our latest version of Flowmira, or add the Sysmon route to your existing configuration. The latest version of Flowmira is located here: https://github.com/Blumira/Flowmira/blob/master/nxlog.conf