Overview
System Monitor (Sysmon) is one of the most commonly used Windows add-ons for logging. Sysmon is part of the Sysinternals suite owned by Microsoft, and it enriches the standard Windows logs with higher-level monitoring of events such as process creation, network connections, and changes to the file system. With Sysmon, you can track process behavior and network traffic to detect malicious activity, and build detections based on that activity.
Sysmon is supported on the following Windows versions:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012R2
- Windows Server 2012
Reference: Additional information about usage, and examples of each event type that Sysmon generates, is located on Microsoft's Sysmon download page.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Gather the IP address of your Blumira sensor to use when configuring the external service.
To find and copy the IP address of the sensor, do the following:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- In the Overview section, next to Host Details, copy the IP address.
Using Poshim for automated Windows setup
To complete this integration, we recommend using Blumira’s Poshim (PowerShell Shim) script, which is designed to ensure that you are collecting the right data from hosts across your entire environment. Poshim handles the installation and configuration of NXLog and Sysmon so that Sysmon logs are shipped to a targeted IP address.
Reference: See Automating Windows log collection with Poshim for instructions.
If you choose to use Poshim for this integration, nothing further is needed on this page. For manual configuration, continue reading below.
Installing Sysmon manually
To manually install Sysmon, follow the instructions below.
- Download Sysmon (or the entire Sysinternals suite).
- Download your chosen configuration (we recommend Sysmon Modular).
- Save as config.xml in c:\windows, or run the PowerShell command:
Invoke-WebRequest -Uri https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml -OutFile C:\Windows\config.xml
- Install by opening up a command prompt as administrator and typing:
sysmon64.exe -accepteula -i c:\windows\config.xml
Note: Sysmon.exe is for 32-bit systems only, and Sysmon64.exe is for 64-bit systems only.
Sending Sysmon events to Blumira using NXLog
After Sysmon is manually installed, you must add the Sysmon event channel to your NXLog configuration in order to start sending logs to Blumira’s platform for detection and response.
Note: If you chose to use Poshim, this is automatically handled by the shim at the same time as the Sysmon installation.
You can use our latest version of Flowmira, or add the Sysmon route to your existing configuration. The latest version of Flowmira is located here: https://github.com/Blumira/Flowmira/blob/master/nxlog.conf
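As an added illustration of the "add the Sysmon route" option (this is not Flowmira's own configuration), the following NXLog stanza reads the Sysmon Operational channel and forwards it to the sensor. The sensor IP is a placeholder to be replaced with the address copied from Host Details, and UDP on port 514 with BSD syslog framing is an assumption; match whatever transport and port your existing output block already uses.

```nxlog
# Added example, not Flowmira's configuration. Append to nxlog.conf
# and restart the nxlog service afterwards.

# Needed for to_syslog_bsd() in the output block below.
<Extension syslog>
    Module  xm_syslog
</Extension>

# Read only the Sysmon channel; other channels stay with your existing inputs.
<Input sysmon_in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Forward to the Blumira sensor. Host/port are assumptions: replace the
# placeholder with your sensor IP and use the port your sensor listens on.
<Output blumira_out>
    Module  om_udp
    Host    SENSOR_IP_PLACEHOLDER
    Port    514
    Exec    to_syslog_bsd();
</Output>

# Route the Sysmon input to the sensor output.
<Route sysmon_route>
    Path    sysmon_in => blumira_out
</Route>
```

After restarting NXLog, confirm events are flowing by checking the Microsoft-Windows-Sysmon/Operational channel in Event Viewer for recent entries and watching for the corresponding records in Blumira.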
Additional Reference
- See our blog post to learn about Detecting Common Threats Using Sysmon with Blumira.
- Review additional Sysmon Commands for troubleshooting.