Adding Sysmon Application

Related Products
ADManager Plus

Active Directory Management & Reporting
Download | Demo
ADAudit Plus

Real-time Active Directory Auditing and UBA
Download | Demo
ADSelfService Plus

Self-Service Password Management
Download | Demo
Exchange Reporter Plus

Exchange Server Auditing & Reporting
Download | Demo
AD360

Integrated Identity & Access Management
Download | Demo
Log360

Comprehensive SIEM and UEBA
Download | Demo

Sysmon (System Monitor), when installed on a system, audits the activities of the system, which include registry activities, file activities, process activities, network driver activities and more.

Devices that have Sysmon installed in them can be added as Sysmon Application to categorize the events into different reports.

Procedure to add a device as Sysmon Application is given below,

Navigate to Settings > Log Source Configuration > Applications. You can also click on the +Add button on the top right corner of the Home page and select Application.

Click on the General Application -> Add General Applications.

Choose Sysmon Application as Application Type

Expand the list by clicking the "+" icon to add a new device.

Choose from the drop-down menu to add Configured devices, WorkGroup devices, domain devices, etc.

To add new devices manually, click on Configure Manually and enter Log Source.

If the device type is syslog, check the Add as Syslog device box. If the device type is Windows, enter Username > Password > Verify Credentials.

Click on Select and Add to add the log source.

In Search

Navigate to Search. You can search for Syslog Application logs by clicking the drop down box and scrolling down. You will find a specific logtype categorization for Sysmon Application.

To gain more insights from Sysmon Application logs, you can extract or create custom/new fields from the logs. Click here to know more.

EventLog configurations for logging

Please note that these configurations will be added automatically when the device gets added as a Sysmon Application, provided the credentials have the privilege to access the registry and add the key. If not configured automatically, this key has to be added and enabled for logging to take place.

Steps to add the key in the registry

Using the Command Line window, open the registry editor 'regedit' of the print server machine.
Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\
To create a new key, right click on eventlog, click new > key. You can name the key as Microsoft-Windows-Sysmon/Operational.