Sysmon Installation

What is Sysmon?

  • Sysmon (System Monitor) is a Windows system service that logs system activities like process creation, network connections, and file changes. It provides detailed event logs that help detect malicious activity and security threats.

Why Use Sysmon?

  • Advanced Logging – Records system activities beyond standard Windows logs.

  • Security Monitoring – Detects malware, suspicious scripts, and unauthorized access.

  • Forensic Analysis – Helps in investigating security incidents.

  • Lightweight & Free – Runs efficiently without slowing down the system.

Install Sysmon

Step 1: Download Sysmon

  1. Open a web browser and visit the Sysmon download page.

  2. Click Download Sysmon.

  3. If you are installing on Linux, download Sysmon for Linux from its official GitHub repository instead.

Step 2: Download the Configuration File

  1. On the configuration file's GitHub page, click Raw, then right-click the page and choose Save As. The file can have any name, but the later steps assume the name below.

  2. Save it as sysmonconfig.xml, matching the file name used in Step 7.

Step 3: Extract Sysmon

  1. Right-click the downloaded Sysmon ZIP file.

  2. Select Extract All and choose a location.

Step 4: Open PowerShell as Administrator

  1. Click the Windows Start Button.

  2. Type PowerShell, then right-click and select Run as Administrator.

  3. Click Yes to allow changes.

Step 5: Navigate to the Sysmon Directory

  1. In PowerShell, use the cd command to change to the extracted Sysmon folder:

    cd "C:\Users\YourUser\Downloads\Sysmon"

Step 6: Move the Configuration File

Ensure sysmonconfig.xml is in the same folder as Sysmon64.exe (the folder you changed to in Step 5), so the relative path in the next step resolves.

Step 7: Install Sysmon with the Configuration

Run the following command in PowerShell:

.\Sysmon64.exe -i sysmonconfig.xml

Accept the license agreement when prompted.
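The following script is an added example that is not part of the original page; it performs Steps 5 to 7 in one go and adds the checks a practitioner usually wants before installing a kernel driver: an elevation check, a check that both files are present, a check that the configuration is well-formed XML, and an idempotent path that reloads the configuration (-c) if Sysmon is already installed instead of failing on a second -i. The -accepteula switch answers the license prompt non-interactively. The folder path and file names are assumptions taken from the steps above; adjust them to where you extracted the ZIP.

```powershell
# Added example (not from the original page): install or update Sysmon from an extracted folder.
# Assumed locations: Sysmon64.exe and sysmonconfig.xml sit in $SysmonDir (Steps 5 and 6).
$SysmonDir  = "C:\Users\YourUser\Downloads\Sysmon"
$SysmonExe  = Join-Path $SysmonDir "Sysmon64.exe"
$ConfigPath = Join-Path $SysmonDir "sysmonconfig.xml"

# Sysmon installs a driver, so the session must be elevated (Step 4).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from a PowerShell window opened as Administrator."
}

# Step 6: both the binary and the configuration must be present.
foreach ($f in @($SysmonExe, $ConfigPath)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
}

# Reject a configuration that is not well-formed XML before handing it to Sysmon;
# a truncated or HTML-wrapped download is a common cause of a failed install.
try {
    [xml](Get-Content -Raw -LiteralPath $ConfigPath) | Out-Null
} catch {
    throw "sysmonconfig.xml is not valid XML: $($_.Exception.Message)"
}

Set-Location -LiteralPath $SysmonDir   # Step 5

if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    # Already installed: -c reloads the configuration without reinstalling the driver.
    & $SysmonExe -accepteula -c $ConfigPath
} else {
    # Fresh install (Step 7). -accepteula replaces the interactive license prompt.
    & $SysmonExe -accepteula -i $ConfigPath
}

# Sysmon64.exe is a native executable, so its result is reported through $LASTEXITCODE.
if ($LASTEXITCODE -ne 0) { throw "Sysmon64.exe exited with code $LASTEXITCODE" }
Write-Host "Sysmon installed or updated with $ConfigPath"
```

Run it from an elevated PowerShell window after editing $SysmonDir. Re-running it after you change sysmonconfig.xml applies the new configuration in place, which is the normal way to tune the rule set after the first install.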

Step 8: Verify Sysmon Installation

1. Check Running Services

  • Open Run (Win + R), type services.msc, and press Enter.

  • Look for Sysmon in the list.

2. Check Event Logs

  • Open Run (Win + R), type eventvwr.msc, and press Enter.

  • Go to:

    Applications and Services Logs > Microsoft > Windows > Sysmon > Operational

  • If events appear there, Sysmon is working.

3. Check via Command Line

Run this in PowerShell (Admin):

Get-Service Sysmon64
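The script below is an added example, not part of the original page; it automates the three checks above and goes one step further by confirming that Sysmon is actually writing events, not merely running: it reads the Sysmon Operational log, summarises which event IDs have been recorded, and prints the newest process-creation event (Sysmon Event ID 1) so you can see that the configuration captures what you expect. It assumes the default service names (Sysmon64 for the service and SysmonDrv for its driver), the default log name, and the same install folder as the earlier steps; change those if your install differs.

```powershell
# Added example (not from the original page): verify that Sysmon is installed and logging.
# Assumed defaults: service Sysmon64, driver SysmonDrv, and the standard Operational log name.
$LogName   = "Microsoft-Windows-Sysmon/Operational"
$SysmonExe = "C:\Users\YourUser\Downloads\Sysmon\Sysmon64.exe"   # assumed install folder

# 1. Service and driver state (what services.msc shows in check 1).
$svc = Get-Service -Name Sysmon64  -ErrorAction SilentlyContinue
$drv = Get-Service -Name SysmonDrv -ErrorAction SilentlyContinue
if (-not $svc) { throw "Sysmon64 service not found; the install did not complete." }
"Service: {0} ({1})" -f $svc.Name, $svc.Status
if ($drv) { "Driver : {0} ({1})" -f $drv.Name, $drv.Status }
if ($svc.Status -ne 'Running') { Write-Warning "Sysmon64 is installed but not running." }

# 2. Recent events from the Operational log (what Event Viewer shows in check 2).
#    A running service with an empty log usually means the configuration filtered everything out.
$events = Get-WinEvent -LogName $LogName -MaxEvents 200 -ErrorAction SilentlyContinue
if (-not $events) { throw "No events in $LogName yet; Sysmon is not logging." }

"Event IDs seen in the last $($events.Count) events:"
$events |
    Group-Object -Property Id |
    Select-Object @{ n = 'EventId'; e = { [int]$_.Name } }, Count |
    Sort-Object -Property EventId |
    Format-Table -AutoSize

# 3. Newest process-creation event (Event ID 1), parsed from its XML payload.
#    Seeing a real Image/ParentImage pair confirms the rule set is capturing process activity.
$latest = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($latest) {
    $xml  = [xml]$latest.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    "Newest process create: {0} (PID {1}), parent {2}" -f $data['Image'], $data['ProcessId'], $data['ParentImage']
} else {
    Write-Warning "No Event ID 1 records yet; the configuration may exclude process creation."
}

# 4. Dump the configuration the driver is currently running with (-c with no file argument)
#    so it can be compared with the sysmonconfig.xml you installed.
if (Test-Path -LiteralPath $SysmonExe) { & $SysmonExe -c }
```

Run it from an elevated PowerShell window; reading the Operational log and dumping the loaded configuration both require administrator rights. If step 2 reports events but step 3 finds none, the installed rule set is excluding process creation, which is worth fixing before relying on Sysmon for detection.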
