Help Document

Adding Sysmon Application

Sysmon (System Monitor), when installed on a system, audits the activities of the system, which include registry activities, file activities, process activities, network driver activities and more.

Devices that have Sysmon installed can be added as a Sysmon Application so that their events are categorized into different reports.


The procedure to add a device as a Sysmon Application is given below.

  • Log into your Log360 Cloud dashboard.
  • Navigate to Settings -> Configuration Settings -> Log source configuration -> Applications tab.
  • From the right pane, click on the General Applications tab to view the list of applications being monitored.
  • To add a new application, click on Add General Applications.
  • Select Sysmon Application from the Application Type drop down box.
  • Expand the list by clicking the "+" icon to add a new device.
  • Choose from the drop-down menu to add Configured devices, Workgroup devices, domain devices, etc.
  • To add new devices manually, click on Configure Manually and enter Log Source.
  • If the device type is syslog, check the Add as Syslog device box. If the device type is Windows, enter the Username and Password, then click Verify Credentials.
  • Click on Select and Add to add the log source.
  • Use the Select Agent dropdown to select the device that is the agent to which the logs will be forwarded.
  • The applications will now be added for monitoring.

In Search

Navigate to Search. You can search for Sysmon logs by clicking the drop down box and scrolling down. You will find a specific logtype categorization for Sysmon Application.


To gain more insights from Sysmon Application logs, you can extract or create custom/new fields from the logs. Click here to know more.

EventLog configurations for logging

Please note that these configurations are added automatically when the device is added as a Sysmon Application, provided the supplied credentials have the privilege to access the registry and create the key. If they are not configured automatically, this key has to be added and enabled manually for logging to take place.

Steps to add the key to the registry

  • On the Sysmon machine, open the Registry Editor (regedit) from the Command Line window.
  • Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\
  • To create a new key, right-click on eventlog and click New > Key. Name the key Microsoft-Windows-Sysmon/Operational.
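The following PowerShell script is an added example and is not part of the Log360 Cloud documentation or product; it checks, on the Sysmon host, that the Sysmon event channel is registered and enabled and that the EventLog registry key named above exists, creating the key if it is missing. It assumes an elevated PowerShell session on the machine where Sysmon is installed.

```powershell
# Added example (not from the Log360 Cloud documentation): verify the Sysmon
# event channel and the EventLog registry key the collector expects.
# Run in an elevated PowerShell session on the Sysmon host.

$channel = 'Microsoft-Windows-Sysmon/Operational'
$subKey  = "SYSTEM\CurrentControlSet\Services\EventLog\$channel"

# 1. Is the Sysmon channel registered with the event log service, and enabled?
$log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
if (-not $log) {
    Write-Warning "Channel '$channel' is not registered; check that Sysmon is installed."
} elseif (-not $log.IsEnabled) {
    Write-Warning "Channel '$channel' exists but is disabled; enable it before collecting."
} else {
    "Channel '$channel' is enabled; $($log.RecordCount) records currently present."
}

# 2. Check for the EventLog registry key and create it if it is missing.
#    The .NET registry API is used deliberately: the PowerShell registry provider
#    treats '/' as a path separator, so a path ending in
#    Microsoft-Windows-Sysmon/Operational would be split into two nested keys.
$hklm = [Microsoft.Win32.Registry]::LocalMachine
$key  = $hklm.OpenSubKey($subKey)
if ($null -eq $key) {
    $key = $hklm.CreateSubKey($subKey)
    "Created HKLM\$subKey"
} else {
    "HKLM\$subKey already exists"
}
$key.Close()
```

Re-run the script after adding the device in Log360 Cloud to confirm the automatic configuration succeeded before relying on manual steps.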