Adding Sysmon Application
Sysmon (System Monitor), once installed on a system, records its activity, including registry, file, process and network driver activities, among others.
Devices with Sysmon installed can be added as a Sysmon Application so that their events are categorized into the corresponding reports.
The procedure to add a device as a Sysmon Application is given below.
Note: Ensure that the Log360 Cloud agent is installed on at least one Windows device in your network. To configure the agent, follow the steps provided here.
- Log into your Log360 Cloud dashboard.
- Navigate to Settings -> Configuration Settings -> Log source configuration -> Applications tab.
- From the right pane, click on the General Applications tab to view the list of applications being monitored.
- To add a new application, click on Add General Applications.
- Select Sysmon Application from the Application Type drop-down box.
- Expand the list by clicking the "+" icon to add a new device.
- Choose from the drop-down menu to add Configured devices, Workgroup devices, domain devices, etc.
- To add new devices manually, click on Configure Manually and enter Log Source.
- If the device type is syslog, check the Add as Syslog device box. If the device type is Windows, enter the Username and Password, then click Verify Credentials.
- Select an agent from the drop-down list and click Select.
- Click Add, and the application will now be added for monitoring.
In Search
Navigate to Search. You can search for Sysmon logs by clicking the drop-down box and scrolling down; you will find a dedicated log type category for Sysmon Application.
To gain more insights from Sysmon Application logs, you can extract or create custom/new fields from the logs. Click here to learn more.
EventLog configurations for logging
Please note that these configurations are added automatically when the device is added as a Sysmon Application, provided the supplied credentials have the privilege to access the registry and create the key. If the key is not created automatically, it has to be added and enabled manually for logging to take place.
Steps to add the key to the registry
- On the Sysmon machine, open the Registry Editor (regedit) from the Command Prompt.
- Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\
- To create a new key, right-click on eventlog and click New > Key. Name the key Microsoft-Windows-Sysmon/Operational.
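The same check and key creation, scripted for hosts where regedit is not convenient. This is an added example, not part of the Log360 Cloud documentation or the agent's own code; it assumes an elevated PowerShell session on the Sysmon host and, as the page describes, only creates the key itself (no values are set).

```powershell
# Added example (not from the Log360 Cloud documentation): confirm Sysmon is
# installed, then create the eventlog registry key the agent needs if missing.
# Assumes an elevated PowerShell session on the Sysmon host.
$channel    = 'Microsoft-Windows-Sysmon/Operational'
$parentPath = 'SYSTEM\CurrentControlSet\Services\EventLog'

# 1. Sysmon must be installed: its operational channel is registered with the
#    Windows Event Log service only when the service is present.
$log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
if (-not $log) {
    throw "Channel '$channel' not found; install Sysmon before adding this device as a Sysmon Application."
}
Write-Host "Sysmon channel present ($($log.RecordCount) records recorded so far)."

# 2. The key name contains '/', which the PowerShell registry provider normalizes
#    to '\', so New-Item/Test-Path cannot address it. Use the .NET registry API,
#    where only '\' separates key names.
$parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($parentPath, $true)
if (-not $parent) {
    throw "Cannot open HKLM\$parentPath for writing; run this session as Administrator."
}

$existing = $parent.OpenSubKey($channel)
if ($existing) {
    Write-Host "Key HKLM\$parentPath\$channel already exists; nothing to do."
    $existing.Close()
} else {
    $created = $parent.CreateSubKey($channel)
    $created.Close()
    Write-Host "Created HKLM\$parentPath\$channel."
}
$parent.Close()

# 3. Verify the result the way a reader of the registry would see it.
$verify  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($parentPath)
$present = [bool]$verify.OpenSubKey($channel)
$verify.Close()
Write-Host "Verification: eventlog key present = $present"
```

Re-run the script after adding the device in Log360 Cloud to confirm whether the agent created the key on its own or the manual step was needed.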