How do I limit the size of Sysmon folder content?

ADRookie 0

We have sysmon configured in our servers C:\Sysmon. There is no quota or limit on this folder set, so it keep inclreasing and we get the high disk volume alerts in odd hours, then we have to delete the files manually. Is there any option to capping the size of this folder?

3 answers

Azar 22,870 Reputation points MVP

2024-01-15T08:30:32.94+00:00
Hey ADRookie

To cap the size of your Sysmon folder and avoid those pesky disk volume alerts, you can use a combination of built-in Windows tools and a scheduled task.

Firstly create a PowerShell script (eg- CapSysmonSize.ps1)

$sysmonPath = "C:\Sysmon" $maxSizeGB = 10 # Set your desired maximum size in gigabytes $sysmonSizeGB = (Get-ChildItem -Path $sysmonPath -Recurse | Measure-Object -Property Length -Sum).Sum / 1GB if ($sysmonSizeGB -gt $maxSizeGB) { Get-ChildItem -Path $sysmonPath -Recurse | Sort-Object LastWriteTime | Select-Object -First 1 | Remove-Item -Force }

Then open Task Scheduler on your server and Create a new task, and in the Actions tab, set the action to "Start a program.

Point it to powershell.exe with arguments

-NoProfile -ExecutionPolicy Bypass -File "C:\Path\To\CapSysmonSize.ps1"

Finally Configure the trigger based on your desired schedule (e.g., daily, weekly).

This script checks the size of your Sysmon folder and, if it exceeds the specified limit, removes the oldest file until it's within the size limit. Adjust the script and scheduled task parameters based on your needs. If this helps kindly accept the answer thanks much.
Please sign in to rate this answer.
ADRookie 0 Reputation points

2024-01-15T09:41:13.8333333+00:00

Thank you for your valuable suggestion. But the problem with Sysmon folder is, it's not readable folder even by the administrator. Even takeown, icacl commands don't work. Only option to explore the folder is through PStools.

Dan M 0 Reputation points

2024-04-04T01:47:00.0633333+00:00

Access to the Sysmon folder was denied when running the script

ADRookie 0 Reputation points

2024-05-27T07:11:14.7966667+00:00

Hi Azar, thanks for the suggestion. It took sometime to test this.

I have created the ps1 file and gave the same argument as you have mentioned, also run as Sytem provided in task Scheduler. But it's not deleting the Sysmon Content, the only event I am getting is in Powershell Operational Events is Warning 4100.
Error Message = System error.

Context:

Severity = Warning Host Name = ConsoleHost Host Version = 5.1.17763.5820 Host ID = e590093a-764e-4b7d-b6bd-0bdb7806434e Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\myusername\Documents\LimitSysmon.ps1 Engine Version = 5.1.17763.5820 Runspace ID = 80d03f5c-361c-4b49-b235-b4860b9d4d41 Pipeline ID = 1 Command Name = Command Type = Script Name = Command Path = Sequence Number = 15 User = TEST\SYSTEM Connected User = Shell ID = Microsoft.PowerShell

User Data:
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Ian Xue 37,706 Reputation points Microsoft Vendor

2024-01-16T05:41:20.2066667+00:00

Hi,

To limit the folder size, you can add the role File Server Resource Manager to your server and create a quota on the folder.

Please refer to this link for more details https://learn.microsoft.com/en-us/windows-server/storage/fsrm/quota-management

Best Regards,

Ian Xue

If the Answer is helpful, please click "Accept Answer" and upvote it.
Please sign in to rate this answer.
ADRookie 0 Reputation points

2024-02-12T06:17:42.4233333+00:00

I believe Quotas are for File Server folders. I was looking for Any Folder in Windows Server.

MotoX80 34,431 Reputation points

2024-02-13T23:11:48.12+00:00

Are you using Sysmon from the Sysinternals.com tools? How/what did you configure to point it to C:\Sysmon?

ADRookie 0 Reputation points

2024-05-27T07:08:29.7166667+00:00

@MotoX80 By default it was set to C:\Sysmon

MotoX80 34,431 Reputation points

2024-05-27T10:32:46.59+00:00

I don't see anything in the C:\Sysmon folder using version 15.14. That is the current version.

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

I do see it writing to its eventlog which is set to a maximum size.

Did you redirect the eventlog to that C:\Sysmon folder?

ADRookie 0 Reputation points

2024-05-27T12:25:55.5766667+00:00

@MotoX80 Nope, I have the same config as shown in the screenshot.

MotoX80 34,431 Reputation points

2024-05-27T16:09:48.2933333+00:00

I can't recreate your problem. There are no files in my Sysmon folder. This is on a Win10 Pro test VM.

What files do you see in the folder? What sizes? Timestamps? What OS are you running? What version of Sysmon are you running? Does this problem occur on every machine that you run Sysmon on? Did you install Sysmon with a custom config file?

Justin Herman 5 Reputation points

2024-07-24T19:19:55.4666667+00:00

MotoX80, no user can see what is in the C:\SYSMON folder until they take ownership of the folder. Since, NT Service\TrustedInstaller is the owner with SYSTEM as the only account with permissions, no other user can see the contents, file count, or folder size. You can use the takeown command or right-click the folder > Properties > Security tab > click Advanced. Click Change and make yourself the Owner. Then, add yourself to the Permissions if you need to clean it up. That is why cleaning this folder is such a pain without a script.

This folder can reach hundreds of GBs, I personally seen 50GB on servers I worked on with broken Windows Updates. After deleting dozens of standalone update files, the SYSMON folder got large very quickly. My current PC was rebuilt five months ago and my SYSMON folder is already at 4.5GB.

This site walks through and explains the process to building a script (https://blog.nviso.eu/2022/06/30/enforcing-a-sysmon-archive-quota/) . Review this as well (https://posts.specterops.io/working-with-sysmon-configurations-like-a-pro-through-better-tooling-be7ad7f99a47). Both of those links include other links to other good sites I have not yet reviewed, but come across as highly recommended.

Azar's example seems like it would work, as long as the Scheduled Task is set to run with SYSTEM privileges. No other account would work unless the user or group was added to the permissions, which creates a security risk.

Justin

MotoX80 34,431 Reputation points

2024-07-25T00:29:08.8533333+00:00

@ADRookie chose to stop replying to this question and ask a second one instead.

https://learn.microsoft.com/en-us/answers/questions/1820510/how-can-i-limit-or-delete-the-folder-content-of-sy

He has not replied to that one for a few days, so I don't know what he's doing.

ADRookie 0 Reputation points

2024-07-29T06:17:09.3833333+00:00

@MotoX80 Sorry, I was busy with other commitments. The only solution worked a bit was Azar's answer. Yet, even after I have scheduled the script with SYSTEM privilege, it doesn't delete all files, it only deletes files those are not owned by System. it keeps 10-12GB files intact always.

MotoX80 34,431 Reputation points

2024-07-29T11:51:19.73+00:00

I've been using many of the Sysinternals tools (since the NT 3.51 days!), but Sysmon is one that I never played with.

That's why I commented that I can't recreate your problem. I just ran "sysmon -i" and took all of the defaults. That indicates to me that you or someone in your organization defined some custom configuration.

It appears to me that you have 2 options.

Turn off the sysmon file capture

Implement a file purge process.

Let's start with #1.

Do you have a procedure in place (have you tested?) a method to do something with these files that sysmon is capturing? Would they be restored to their original location? Would you run some other analysis on them? Please excuse my sysmon inexperience in asking these questions.

If you have no way to use these files, then can't you just turn off file capture?

If the file capture is a byproduct of enabling the logging of a file delete event, then maybe you can review the sysmon eventlog and look at the file and process names and tweak the configuration to capture fewer files. Or turn on basic Windows file auditing instead.

https://github.com/trustedsec/SysmonCommunityGuide/tree/master

https://github.com/SwiftOnSecurity/sysmon-config

ADRookie 0 Reputation points

2024-07-29T12:22:56.06+00:00

Thanks for your response,
1st option is not applicable for me, as file capture is very much needed.
The captured files are used by the SOC team for monitoring and alert.
So, we can't just turn off the file capture or capture fewer files.

The only option left is purge the files once a limit is reached.

MotoX80 34,431 Reputation points

2024-07-29T13:42:17.7833333+00:00

I like a challenge. Let me see if I can write a Powershell script to purge those files.

Would a "purge files older than xxx days" work? If so, please look at the timestamps on these files and let me know which value to look at. I would think either CreationTime or LastWriteTime.

Open the Powershell prompt with "Run as administrator".

PS C:\Temp> get-item .\Addresses.xls | fl -Property * PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Temp\Addresses.xls PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Temp PSChildName : Addresses.xls PSDrive : C PSProvider : Microsoft.PowerShell.Core\FileSystem PSIsContainer : False Mode : -a---- VersionInfo : File: C:\Temp\Addresses.xls BaseName : Addresses Target : {} LinkType : Name : Addresses.xls Length : 8192 DirectoryName : C:\Temp Directory : C:\Temp IsReadOnly : False Exists : True FullName : C:\Temp\Addresses.xls Extension : .xls CreationTime : 5/8/2022 11:39:21 AM CreationTimeUtc : 5/8/2022 3:39:21 PM LastAccessTime : 3/3/2024 8:47:26 AM LastAccessTimeUtc : 3/3/2024 1:47:26 PM LastWriteTime : 5/8/2022 11:39:21 AM LastWriteTimeUtc : 5/8/2022 3:39:21 PM Attributes : Archive

Try this.

Save this as Purge.ps1 in some folder.

Modify the $keep variable to indicate how old a file is to be purged.

There are 2 statements that reference LastWriteTime. If that date doesn't apply, try using the CreationTime date.

The -WhatIf switch tells PS to report on the statement, but it does not delete the file. After you are happy with the file selection, i.e. it reports that it will keep the files that you want to keep, just remove the -WhatIf switches.

You will need to open Powershell with "Run as administrator".

Start-Transcript -Path C:\YourFavoriteLogFolder\SysmonPurge.log $keep = 7 # keep files that have been created in the last nnn days $files = Get-ChildItem -Path C:\sysmon -file "Starting file count is {0}" -f $files.count foreach ($f in $files) { if ($f.LastWriteTime -lt ((Get-Date).AddDays(-$keep))) { # or use CreationTime "{0} - {1}" -f $f.LastWriteTime, $F.fullname # or use CreationTime try { $f | remove-item -force -ErrorAction stop -whatif } catch { "Take ownership and try again." takeown.exe /f $f.fullname $f | remove-item -force -whatif } } else { "Keeping {0}" -f $f.fullname } } $files "Ending file count is {0}" Stop-Transcript

ADRookie 0 Reputation points

2024-07-30T07:42:18.9433333+00:00

Hi @MotoX80

I have tried this, but I get permission denied on Line 2.

As I said, even with Powershell Admin, it cannot query the folder due to permission.

MotoX80 34,431 Reputation points

2024-07-30T22:25:16.86+00:00

What permissions are set on C:\sysmon?

icacls c:\sysmon

Use psexec to run a process as the system account.

https://learn.microsoft.com/en-us/sysinternals/downloads/psexec

psexec -s cmd

Then grant admins access. Does that work? What does it show?

icacls c:\sysmon /grant "BUILTIN\Administrators:(OI)(CI)(F)" icacls c:\sysmon

ADRookie 0 Reputation points

2024-07-31T05:43:13.79+00:00

@MotoX80 I alreacy checked with Takeown and Icacl commands, this Sysmon is designed not to be edited by those commands.
However, PSexec worked for sometime, initially but now it gives only this below error.

MotoX80 34,431 Reputation points

2024-07-31T17:25:39.55+00:00

I added a transcript to the PS code that I posted. Set it to point to your log folder.

Test it looking at the 3 timestamp variables, CreationTime, LastAccessTime, LastWriteTime and see which one makes sense.

Have the scheduled task that runs as the SYSTEM account execute it.

Then check the SysmonPurge.log file.

When it selects the correct files, remove the -WhatIf switches and let it delete the files.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Justin Herman 5 Reputation points

2024-07-30T16:35:06.15+00:00

@ADRookie I created a simple script and created it to run monthly using the SYSTEM account. This script will keep a years worth of deleted files. We agreed to that timeframe for investigative / historical purposes.

Get-ChildItem -Path C:\Sysmon -Recurse | Where-Object {$_.LastAccessTime -lt (Get-Date).AddDays(-365)} | Remove-Item -Force

You can delete the middle "Where-Object" portion to completely empty the folder. I suggest keeping some recent files in there and change the (-365) to (-30) to keep at least a months worth of files.

I also used the LastAccessTime in lieu of LastModifiedTime or any other date because that is the closest representation of the when the file was deleted and placed into the Sysmon folder. An old file modified years ago, but deleted yesterday would be removed as soon as the script runs if LastModifiedDate is used. It really depends on your intent and goal here.

Save the above script into a ps1 file, store locally on the system, create scheduled task using the SYSTEM account, and configure the rest however you wish. For Action, we use Run powershell.exe and Add arguments "-File C:\powershell\SysmonCleanup.ps1" (but can be any location you store the ps1).

I am working on a PowerShell script to create the scheduled task since we have over 1,000 Windows devices to run this on.

Justin
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How do I limit the size of Sysmon folder content?

3 answers

Your answer