System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
Note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers.
Fluency collects logs from Windows Servers via the NXLog log collection agent. For Windows systems with NXLog installed and configured, the Sysmon data can be uploaded as part of the regular log collection. (See the Fluency NXLog Config Wizard plugin for more information on NXLog. Ensure that the Sysmon option is checked when generating the nxlog.conf file.)
Sysmon installation has two parts.
- The first portion is the creation/download of the Sysmon config file.
- The second portion is the driver installation via command line, with this Sysmon configuration file.
Download the installation package from the Microsoft Sysinternals website, or a copy from the Fluency instance:
Sysmon installation pkg:
The recommended Sysmon configuration file can be downloaded from our AWS repository:
Download the two required items from your Fluency instance, or from the links above.
Unpack the Sysmon.zip file, and create/copy the installation package folder to the desired location:
Copy the sysmonconfig.xml file to the same directory:
From the Start Menu, search for and Run Command Prompt as Administrator:
Once in the Command Prompt, change the working path to the Sysmon installation folder:
cd "C:\Program Files\Sysmon"
Run the Sysmon executable. (Choose the one that matches the architecture of your system, likely Sysmon64.exe):
Sysmon64.exe -accepteula -i sysmonconfig.xml
Wait for the tool to complete the installation. Sysmon will start automatically:
Open the Command Prompt and navigate to the directory above.
Run the following command:
C:\Program Files (x86)\nxlog\conf\nxlog.conf
Wait for the installation to complete.
Please ensure that a log collection agent, such as NXLog, is also installed on the system. Sysmon is a log generator, and by itself does not export logs.
Once the logs are collected, they should show up in Fluency as Windows AD events, under the Channel:
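The installation steps above are typed into an elevated Command Prompt one at a time. The following PowerShell script is an added example, not part of this page or of the Sysmon or Fluency tooling, that performs the same install (or a configuration reload if Sysmon is already present) and then checks what an administrator would want to confirm before relying on the data: that the config file parses, that the Sysmon64 service is running, that events are reaching the Sysmon operational event log, and that the nxlog.conf file at the path shown above references that log so the collector actually exports it. The installation directory, the use of Sysmon64.exe, the nxlog.conf path and the assumption that the NXLog config names the channel in plain text are taken from this page or are assumptions noted in the comments.

```powershell
# Added example (not from the original page): install or reload Sysmon with the
# recommended config, then verify the service, the event channel and the NXLog config.
# Run from an elevated PowerShell session. Assumed paths follow the page's instructions.
$SysmonDir  = 'C:\Program Files\Sysmon'                        # from the page
$Config     = Join-Path $SysmonDir 'sysmonconfig.xml'
$Exe        = Join-Path $SysmonDir 'Sysmon64.exe'               # 64-bit systems, as the page assumes
$NxlogConf  = 'C:\Program Files (x86)\nxlog\conf\nxlog.conf'    # from the page
$Channel    = 'Microsoft-Windows-Sysmon/Operational'            # Sysmon's event log name

if (-not (Test-Path $Exe))    { throw "Sysmon64.exe not found in $SysmonDir" }
if (-not (Test-Path $Config)) { throw "sysmonconfig.xml not found in $SysmonDir" }

# 1. Sanity-check the config before handing it to the driver: it must be well-formed XML
#    with a <Sysmon schemaversion="..."> root, otherwise the install fails with a parse error.
[xml]$cfgXml = Get-Content -Path $Config -Raw
if ($null -eq $cfgXml.Sysmon -or -not $cfgXml.Sysmon.schemaversion) {
    throw "sysmonconfig.xml does not look like a Sysmon config (no <Sysmon schemaversion> root)"
}
Write-Host "Config schema version: $($cfgXml.Sysmon.schemaversion)"

# 2. Install (-i) if the service is absent; otherwise push the new rules with -c so the
#    driver reloads the configuration without a reinstall. -accepteula suppresses the prompt.
$svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    & $Exe -accepteula -i $Config
} else {
    Write-Host "Sysmon64 already installed; updating configuration instead"
    & $Exe -accepteula -c $Config
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon64.exe exited with code $LASTEXITCODE" }

# 3. The service must be running; Sysmon starts it automatically after install.
$svc = Get-Service -Name 'Sysmon64' -ErrorAction Stop
if ($svc.Status -ne 'Running') { throw "Sysmon64 service is '$($svc.Status)', expected 'Running'" }

# 4. Confirm events are being written. Event ID 16 (config state changed) is logged on every
#    install or config reload, and ID 1 (process creation) appears as soon as anything starts.
$recent = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 1, 16 } `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $recent) {
    throw "No Sysmon events found in $Channel; check that the config enables process creation"
}
$recent | ForEach-Object { Write-Host ("{0}  ID {1}" -f $_.TimeCreated, $_.Id) }

# 5. Sysmon only generates logs; NXLog must ship them. Assumption: the wizard-generated
#    nxlog.conf names the Sysmon channel literally in an im_msvistalog input block.
if (Test-Path $NxlogConf) {
    if (Select-String -Path $NxlogConf -Pattern ([regex]::Escape($Channel)) -Quiet) {
        Write-Host "nxlog.conf references $Channel; Sysmon events will be collected"
    } else {
        Write-Warning "nxlog.conf does not mention $Channel; regenerate it with the Sysmon option checked"
    }
} else {
    Write-Warning "NXLog config not found at $NxlogConf; install NXLog or Sysmon events will not be exported"
}
```

The `-c` branch is what you want when rolling out an updated sysmonconfig.xml to hosts that already run Sysmon; the verification steps are the same either way. Event ID 16 is the quickest proof that the driver accepted the file you pointed it at, and the nxlog.conf check catches the common case where Sysmon is installed but the collector was generated without the Sysmon option and never forwards the channel.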
Sysmon can be removed with the following command, run from the Sysmon installation directory:
Sysmon64.exe -accepteula -u
Version: 2022 Apr 26