Installing Sysmon on Windows Machines

This guide will walk you through the process of installing Sysmon (System Monitor) on Windows machine(s) using the SwiftOnSecurity configuration for enhanced logging.

Prerequisites

  • Administrative access to the Windows machine

  • Internet connection to download necessary files

Steps to Install Sysmon

  • Download Sysmon

    • Reference the official Microsoft Sysinternals Sysmon page.

    • Click on the Download Sysmon link to download the ZIP file.

    • Extract the contents of the ZIP file to a folder on your computer (e.g., C:\Sysmon)

  • Download SwiftOnSecurity Configuration

    • Navigate to sysmom-config.

    • Click the Copy raw file button to download the raw content.

    • Save the file into the Sysmon directory.

  • Install Sysmon

    • Open an elevated command prompt with administrator privileges.

    • Navigate to the folder where you extracted Sysmon by running:

      cd C:\Sysmon
      
    • Run the following command to install Sysmon with the SwiftOnSecurity configuration:

      sysmon.exe -accepteula -i sysmonconfig-export.xml
      
  • Verify Installation

    • Open Event Viewer (you can search for it in the Start menu).

    • Navigate to Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.

    • Events being logged by Sysmon will be listed.

Steps to Update Sysmon Configuration

  • Download the latest sysmonconfig-export.xml from the SwiftOnSecurity GitHub repository.

  • Open an elevated command prompt with administrator privileges.

  • Navigate to the Sysmon folder.

  • Run the following command:

    sysmon.exe -c sysmonconfig-export.xml
    

Steps to Uninstall Sysmon

  • Open an elevated command prompt with administrator privileges.

  • Navigate to the *Sysmon folder.

  • Run the following command:

    sysmon.exe -u
    

Additional Notes

  • You can now enable Sysmon log collection using the Windows Elastic agent integration.

  • To install Sysmon on large quantities of machines, use a shared folder, or deployment tools such as System Center Configuration Manager (SCCM), Group Policy Objects (GPOs), or scripts.

Last modified July 3, 2025: Update troubleshooting.md (cddb826)