System Monitor (Sysmon) is one of the most commonly used Windows add-ons for logging. Sysmon records process, network, and file activity in far more detail than the default Windows event logs, which gives you the telemetry to detect malicious behavior and to build detections around it.
Supported Windows versions:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012R2
- Windows Server 2012
Recommended: Automated Windows Setup
We recommend using Blumira's automated Windows log setup agent, Poshim (PowerShell Shim), designed to help ensure you are collecting the right data from hosts across your entire environment. Poshim handles the installation and configuration of both NXLog and Sysmon, so that NXLog ships the Sysmon and Windows event logs to a target IP address.
Reference: See Poshim - Automated Windows log collection agent for instructions.
Note: This recommended setup using Poshim requires Windows Server 2012 R2 and above.
If using Poshim, nothing further is needed on this page. For manual config, continue reading below.
What is System Monitor (Sysmon)?
Sysmon is part of the Sysinternals suite, now owned by Microsoft. It enriches the standard Windows event logs with higher-level monitoring of events such as process creation (including the command line and image hashes), network connections, and changes to the file system, and writes these to its own event log channel, Microsoft-Windows-Sysmon/Operational.
- You can run a Poshim script to install Sysmon automatically, or you can install it manually:
  - To install Sysmon automatically using a Poshim script, follow these instructions.
  - To install Sysmon manually, follow the steps below:
    - Download Sysmon (or the entire Sysinternals suite)
    - Download your chosen configuration (we recommend Sysmon Modular)
    - Save it as config.xml in C:\Windows, or run the PowerShell command:
    - Install by opening a command prompt as administrator and running:
sysmon64.exe -accepteula -i C:\Windows\config.xml
- Sysmon.exe is the 32-bit binary and Sysmon64.exe is the 64-bit binary. All of the supported server versions listed above are 64-bit, so use Sysmon64.exe on them (the service it installs is named Sysmon64).
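The manual steps above, worked through as a single elevated PowerShell session that also verifies the result. This is an added example, not code from this page or from the Sysinternals or Sysmon Modular projects. The two download URLs and the C:\Windows\config.xml path are assumptions (the path follows the step above; check the URLs against the current Sysinternals and Sysmon Modular releases before relying on them).

```powershell
# Added example (not from the Blumira page or the Sysinternals/Sysmon Modular projects):
# manual Sysmon install on a 64-bit Windows Server from an elevated PowerShell session.
# The URLs below are assumed to be current; verify them before use.
$ErrorActionPreference = 'Stop'

$sysmonUrl  = 'https://download.sysinternals.com/files/Sysmon.zip'                                     # assumed URL
$configUrl  = 'https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml'  # assumed URL
$sysmonZip  = Join-Path $env:TEMP 'Sysmon.zip'
$sysmonDir  = Join-Path $env:TEMP 'Sysmon'
$sysmonExe  = Join-Path $sysmonDir 'Sysmon64.exe'
$configPath = 'C:\Windows\config.xml'                                                                  # path from the step above

# 1. Download Sysmon and unpack it.
Invoke-WebRequest -Uri $sysmonUrl -OutFile $sysmonZip -UseBasicParsing
Expand-Archive -Path $sysmonZip -DestinationPath $sysmonDir -Force

# Supply-chain check: refuse to install a binary that is not Authenticode-signed by Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $sysmonExe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "Sysmon64.exe signature check failed (status: $($sig.Status))"
}

# 2. Download the Sysmon Modular configuration and save it as C:\Windows\config.xml.
Invoke-WebRequest -Uri $configUrl -OutFile $configPath -UseBasicParsing
[xml]$cfg = Get-Content -Path $configPath -Raw      # throws if the file is not well-formed XML
"Config schema version: $($cfg.Sysmon.schemaversion)"

# 3. Install, or just load the new config if the Sysmon64 service already exists.
#    Installing with Sysmon64.exe creates a service named 'Sysmon64' (not 'Sysmon').
$svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    & $sysmonExe -accepteula -i $configPath
} else {
    & $sysmonExe -accepteula -c $configPath
}

# 4. Verify: service running, config loaded, and events arriving in the Sysmon channel.
Get-Service -Name 'Sysmon64' | Select-Object Name, Status
& $sysmonExe -c | Select-Object -First 15           # '-c' with no file dumps the active config
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Format-Table TimeCreated, Id, ProviderName -AutoSize
```

Expand-Archive needs PowerShell 5 or later; on Windows Server 2012 or 2012 R2 without WMF 5 installed, unzip with `[System.IO.Compression.ZipFile]::ExtractToDirectory` after `Add-Type -AssemblyName System.IO.Compression.FileSystem`. If the final `Get-WinEvent` returns nothing, the driver is not loaded or the config filtered everything out, and nothing will reach NXLog regardless of its own configuration.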
See our blog post to learn more about using Sysmon with Blumira.
Additional Sysmon Commands for troubleshooting