This guide will walk you through the process of installing Sysmon (System Monitor) on your Windows machine(s) using the SwiftOnSecurity configuration.
You will need:
- Administrative access to the Windows machine
- An internet connection to download the necessary files
To download Sysmon:
- Visit the official Microsoft Sysinternals Sysmon page: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- Click the "Download Sysmon" link to download the ZIP file
- Extract the contents of the ZIP file to a folder on your computer (e.g., `C:\Sysmon`)
To download the SwiftOnSecurity configuration:
- Open a web browser and go to: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
- Click the button to download the raw content
- Save the file into the Sysmon directory (e.g., `C:\Sysmon`)
To install Sysmon with the configuration:
- Open an elevated Command Prompt (Run as Administrator)
- Navigate to the folder where you extracted Sysmon:
`cd C:\Sysmon`
- Run the following command to install Sysmon with the SwiftOnSecurity configuration:
`sysmon.exe -accepteula -i sysmonconfig-export.xml`
To verify that Sysmon is running:
- Open Event Viewer (you can search for it in the Start menu)
- Navigate to "Applications and Services Logs" > "Microsoft" > "Windows" > "Sysmon" > "Operational"
- You should see events being logged by Sysmon
To update the Sysmon configuration in the future:
- Download the latest `sysmonconfig-export.xml` from the SwiftOnSecurity GitHub repository
- Open an elevated Command Prompt
- Navigate to the Sysmon folder
- Run the following command:
`sysmon.exe -c sysmonconfig-export.xml`
If you need to uninstall Sysmon:
- Open an elevated Command Prompt
- Navigate to the Sysmon folder
- Run the following command:
`sysmon.exe -u`
Next steps:
- You can now enable Sysmon log collection through the Windows integration of the Elastic Agent
- Use a shared folder, SCCM, GPOs, or other deployment tools to install Sysmon on large numbers of machines
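The download, install, update and verification steps above as one unattended PowerShell script, which is the form you would push out with the deployment tools just mentioned. This is an added example, not part of the original guide: the direct Sysinternals ZIP link and the raw GitHub URL of the linked config file are assumed, and the folder `C:\Sysmon` is the one the guide uses.

```powershell
# Added example (not from the original guide): unattended Sysmon install/update with
# the SwiftOnSecurity configuration, followed by a check that events are being logged.
# Assumptions: elevated PowerShell session; the two download URLs below are assumed
# direct links (the guide points at the docs page and the GitHub blob view instead).
param(
    [string]$SysmonDir = 'C:\Sysmon',
    [switch]$Update   # Sysmon is already installed; only reload the config (-c)
)
$ErrorActionPreference = 'Stop'
$SysmonZipUrl = 'https://download.sysinternals.com/files/Sysmon.zip'   # assumed
$ConfigUrl    = 'https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml'  # assumed raw view of the linked file
$ConfigPath   = Join-Path $SysmonDir 'sysmonconfig-export.xml'

New-Item -ItemType Directory -Path $SysmonDir -Force | Out-Null

if (-not $Update) {
    # Step 1: fetch and extract the Sysmon ZIP into the Sysmon folder.
    $zip = Join-Path $SysmonDir 'Sysmon.zip'
    Invoke-WebRequest -Uri $SysmonZipUrl -OutFile $zip
    Expand-Archive -Path $zip -DestinationPath $SysmonDir -Force
}

# Step 2: fetch the configuration and sanity-check it before handing it to Sysmon:
# it must parse as XML and have a <Sysmon> root element carrying a schemaversion.
Invoke-WebRequest -Uri $ConfigUrl -OutFile $ConfigPath
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
if ($cfg.DocumentElement.Name -ne 'Sysmon' -or -not $cfg.Sysmon.schemaversion) {
    throw "Downloaded file does not look like a Sysmon configuration: $ConfigPath"
}

# Step 3: install (driver + service) or reload the configuration on a running install.
$exe = Join-Path $SysmonDir 'sysmon.exe'
if ($Update) {
    & $exe -c $ConfigPath
} else {
    & $exe -accepteula -i $ConfigPath
}
if ($LASTEXITCODE -ne 0) { throw "sysmon.exe exited with code $LASTEXITCODE" }

# Step 4: verify. The service is named Sysmon or Sysmon64 depending on the binary,
# and Event ID 16 (config state changed) is written as soon as a config is applied,
# so the Operational channel should already contain events.
Get-Service -Name 'Sysmon*' | Select-Object Name, Status
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName
```

Run it once without `-Update` for the initial install and with `-Update` whenever a new `sysmonconfig-export.xml` is published.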