Install & configure Sysmon for deep Windows event logging
System Monitor (Sysmon) is a Windows system service and device driver that, once installed, stays resident across reboots and records system activity to the Windows event log (the Microsoft-Windows-Sysmon/Operational channel). Out of the box it logs, among other things, process creations with full command lines and hashes (Event ID 1), changes to file creation time (Event ID 2), and network connections (Event ID 3). Sysmon does not analyze these events itself; its value is the telemetry it hands to a SIEM or EDR, so the quality of the configuration file decides how useful (and how noisy) that telemetry is.
Let's start by downloading Sysmon from the following link: Sysmon Download
We also need a Sysmon configuration file. The one used here is the merged sysmonconfig.xml from the following project: Sysmon Modular Configuration. Without a configuration Sysmon only logs a default subset of events, so a curated configuration is what turns it into a useful detection source.

Next, let's extract the downloaded Sysmon archive and place the sysmonconfig.xml configuration file in the same directory as Sysmon64.exe.

Next, we need to open PowerShell with administrative privileges (installing a driver requires elevation) and install Sysmon with the configuration file. The -accepteula switch suppresses the interactive license prompt, which matters when the install is scripted.
.\Sysmon64.exe -accepteula -i .\sysmonconfig.xml

Let's verify that the Sysmon service is installed and running. (The kernel driver is registered as a separate service, SysmonDrv.)
Get-Service Sysmon64

We can also verify this using the Event Viewer; a healthy install shows events arriving in the Operational log.
Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational
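The whole procedure above, as an added PowerShell example that is not part of the original page: it installs Sysmon with the configuration, checks the user-mode service and the kernel driver, dumps the active rule set, and reads back events from the Sysmon channel instead of relying on the Event Viewer. It assumes Sysmon64.exe and sysmonconfig.xml are in the current directory and that the session is elevated.

```powershell
# Added example (not from the original page): install Sysmon with the
# sysmon-modular configuration, then verify service, driver and event log.
# Assumptions: Sysmon64.exe and sysmonconfig.xml sit in the current directory,
# and PowerShell is running as Administrator.

$sysmon = ".\Sysmon64.exe"
$config = ".\sysmonconfig.xml"

if (-not (Test-Path $sysmon) -or -not (Test-Path $config)) {
    throw "Sysmon64.exe and sysmonconfig.xml must be in the current directory"
}

# Install the service and driver and load the configuration.
# -accepteula avoids the interactive EULA prompt on a first install.
& $sysmon -accepteula -i $config

# 1. Service: the user-mode service is named Sysmon64 (Sysmon on 32-bit builds).
$svc = Get-Service -Name Sysmon64 -ErrorAction Stop
if ($svc.Status -ne 'Running') { throw "Sysmon64 service is $($svc.Status)" }

# 2. Driver: the kernel driver is registered as its own service, SysmonDrv.
$drv = Get-Service -Name SysmonDrv -ErrorAction Stop
"Driver service: $($drv.Name) [$($drv.Status)]"

# 3. Loaded configuration: -c with no argument dumps the active rule set,
#    so you can confirm the XML you installed is the one in effect.
& $sysmon -c | Select-Object -First 20

# 4. Event log: the channel is Microsoft-Windows-Sysmon/Operational.
#    Event ID 1 = process creation, 2 = file creation time changed,
#    3 = network connection.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 2, 3 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue

if (-not $events) {
    # Freshly installed host: generate one process-creation event so the
    # channel is not empty, then read it back.
    Start-Process -FilePath "whoami.exe" -Wait -WindowStyle Hidden
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 10
}

# Sysmon writes its fields as <Data Name="..."> elements in the event XML;
# pull out the Image field to see which binaries produced the events.
$events | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time  = $_.TimeCreated
        Id    = $_.Id
        Image = ($data | Where-Object Name -eq 'Image' | Select-Object -ExpandProperty '#text')
    }
} | Format-Table -AutoSize
```

Later configuration changes do not need a reinstall: `.\Sysmon64.exe -c .\sysmonconfig.xml` reloads the rule set in place, and `.\Sysmon64.exe -u` removes the service and driver. After any reload, re-run the `-c` dump and the `Get-WinEvent` query to confirm the new rules are live and still producing the event types you expect.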
