# Sysmon
## Sysmon Configuration
The Sysmon utility, part of the Sysinternals suite, is an effective and popular tool for monitoring Windows systems. There are plenty of resources with examples of good Sysmon configuration files. At Gravwell, we like to use the modular Sysmon configuration on GitHub from olafhartong.
1. Download the default Sysmon configuration file.
2. Install Sysmon with your configuration from an administrator shell (PowerShell works too) by running the following command:

   ```
   sysmon.exe -accepteula -i sysmonconfig-export.xml
   ```

3. Restart the Gravwell service via standard Windows service management.
## Gravwell Configuration

### Gravwell Storage Well Configuration
Set up the well configuration on your Gravwell indexers.

Sample well config. Create or edit `/opt/gravwell/etc/gravwell.conf.d/sysmon-well.conf`:

```
[Storage-Well "sysmon"]
Location=/opt/gravwell/storage/sysmon
Tags=sysmon*
```
### Gravwell Ingester Configuration

Sample Sysmon ingester config. Create or edit `%PROGRAMDATA%\gravwell\eventlog\config.cfg`:

```
[EventChannel "Sysmon"]
Tag-Name=sysmon
Provider=Microsoft-Windows-Sysmon # Only look for the provider
Channel=Microsoft-Windows-Sysmon/Operational
```
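A mistyped `Channel=` or `Provider=` value does not produce an error; the ingester simply never sees Sysmon events and the `sysmon` tag stays empty. The PowerShell script below is an added post-install check, not part of the Gravwell documentation or its tooling. It reads the `config.cfg` path given above, pulls the `Channel` and `Provider` values out of each `[EventChannel]` block with a minimal parser (an assumption about the file layout, based only on the sample shown here), and confirms on the local host that the Sysmon service is installed, the channel exists and is enabled, and recent events in it actually carry the provider name being filtered on. The service name wildcard covers both `Sysmon` (from `sysmon.exe`) and `Sysmon64` (from `sysmon64.exe`).

```powershell
# Added verification script (not Gravwell's code). Run in an elevated PowerShell
# after installing Sysmon and restarting the Gravwell event log ingester.

# Path from the ingester section of this page.
$ConfigPath = Join-Path $env:PROGRAMDATA 'gravwell\eventlog\config.cfg'

# Minimal parser for [EventChannel "..."] blocks. Assumes one key=value per line
# and '#' inline comments, as in the sample config on this page.
function Get-EventChannelConfig {
    param([string]$Path)
    $blocks  = @()
    $current = $null
    foreach ($line in Get-Content -Path $Path) {
        $line = ($line -split '#', 2)[0].Trim()      # strip inline comments
        if (-not $line) { continue }
        if ($line -match '^\[EventChannel\s+"([^"]+)"\]$') {
            $current = [ordered]@{ Name = $Matches[1]; Channel = $null; Provider = $null; TagName = $null }
            $blocks += $current
        } elseif ($current -and $line -match '^([^=\s]+)\s*=\s*(.+)$') {
            switch ($Matches[1]) {
                'Channel'  { $current.Channel  = $Matches[2].Trim() }
                'Provider' { $current.Provider = $Matches[2].Trim() }
                'Tag-Name' { $current.TagName  = $Matches[2].Trim() }
            }
        }
    }
    return $blocks
}

# 1. Is Sysmon installed and running? (service is "Sysmon" or "Sysmon64")
$svc = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'No Sysmon service found; run the sysmon.exe -i step first.'
} else {
    $svc | Select-Object Name, Status | Format-Table -AutoSize
}

# 2. For each configured channel: does it exist, is it enabled, is it filling,
#    and do its events come from the provider named in the config?
foreach ($ec in Get-EventChannelConfig -Path $ConfigPath) {
    Write-Host "[$($ec.Name)] tag=$($ec.TagName) channel=$($ec.Channel) provider=$($ec.Provider)"

    $log = Get-WinEvent -ListLog $ec.Channel -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Channel '$($ec.Channel)' does not exist on this host; check the Channel= line"
        continue
    }
    if (-not $log.IsEnabled) { Write-Warning "Channel '$($ec.Channel)' is disabled" }
    Write-Host "  records in channel: $($log.RecordCount)"

    # Sample recent events and compare their ProviderName with the filter.
    $recent       = @(Get-WinEvent -LogName $ec.Channel -MaxEvents 50 -ErrorAction SilentlyContinue)
    $fromProvider = @($recent | Where-Object ProviderName -eq $ec.Provider).Count
    if ($ec.Provider -and $recent.Count -gt 0 -and $fromProvider -eq 0) {
        Write-Warning "None of the last $($recent.Count) events came from provider '$($ec.Provider)'; check the Provider= line"
    } elseif ($recent.Count -eq 0) {
        Write-Warning "Channel '$($ec.Channel)' has no events yet; confirm Sysmon is running and its rules match activity"
    } else {
        Write-Host "  $fromProvider of the last $($recent.Count) events match the provider filter"
    }
}
```

If the channel check passes but the `sysmon` tag still shows nothing in Gravwell, the remaining place to look is the well definition: `Tag-Name=sysmon` in the ingester config has to fall under the `Tags=sysmon*` pattern of the storage well, otherwise the data lands in the default well.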