
Enable and configure Sysmon in Windows

This article describes how to enable and configure Sysmon to collect detailed security telemetry on Windows systems. It covers installation options, service behavior, and configuration requirements needed to begin capturing high-fidelity event data for security monitoring and forensics.

Sysmon is disabled by default. You must explicitly install and configure it to produce events. Effective deployment requires selecting an appropriate configuration, understanding include and exclude filtering behavior, and ensuring the service is protected and reliably logs data for downstream analysis.

What Sysmon does and doesn't do

  • Sysmon records system activity and writes events to the Windows Event Log.

  • Sysmon doesn't analyze events or generate alerts.

  • Sysmon doesn't block or prevent activity.

To analyze Sysmon events, forward them to Windows Event Collection or a Security Information and Event Management (SIEM) solution, for example Splunk.

Prerequisites

Before enabling built-in Sysmon, ensure that:

  • The device is running a supported version of Windows 11 or later.

  • You have administrator privileges or equivalent on the device.

  • Standalone Sysmon isn't installed. Built-in Sysmon doesn't support coexistence with standalone Sysmon.

Check for existing installs

Built-in Sysmon is designed to operate as a native Windows capability and doesn't support coexistence with standalone Sysmon.

To verify that Sysmon isn't already running, follow these steps.

  1. Open a PowerShell window as an administrator.

  2. Check for the Sysmon service using the following command.

    Get-Service sysmon* 
    
  3. Review the output; the command shouldn't return any results. If it does, uninstall the standalone Sysmon before continuing.

Enable built-in Sysmon

Built-in Sysmon is disabled by default and must be explicitly enabled. To enable Sysmon, follow these steps.

  1. To install the Sysmon optional feature, run the following command.

    Enable-WindowsOptionalFeature -Online -FeatureName Sysmon 
    
  2. To install Sysmon using the default configuration, run the following command.

    sysmon -i
    

Provide a Sysmon configuration

Sysmon uses a configuration file to determine which events are logged and which events are filtered out.

The configuration file is written in XML and defines rules for logging specific Sysmon events. Some example event types are Process Create, Network Connect, and File Create. For more information about how configuration files work, see Understanding Sysmon configuration files.

  1. Create or obtain a Sysmon configuration file. The configuration typically includes:

    1. Enabled event types

    2. Include and exclude filtering rules

    3. Hash algorithms and metadata options

  2. Example configurations and guides are available from the following resources:

    1. sysmon-config – a default high-quality Sysmon event configuration maintained by SwiftOnSecurity:

      https://github.com/SwiftOnSecurity/sysmon-config

    2. sysmon-modular – a modular Sysmon configuration with MITRE ATT&CK coverage maintained by Olaf Hartong:

      https://github.com/olafhartong/sysmon-modular

    3. SysmonCommunityGuide – a guide with technical details and examples for Sysmon maintained by Carlos Perez:

      https://github.com/trustedsec/SysmonCommunityGuide

    4. Sysmon configuration deep dive


  1. Place the configuration file in any directory of your choosing, for example:

    C:\Sysmon\sysmonconfig.xml

  2. Open a PowerShell window as an administrator

  3. Change to the directory where you placed your configuration file using the cd command, for example cd C:\Sysmon.

  4. To apply your configuration file, perform one of the following:

    1. Configure Sysmon with the configuration file using the following command. Make sure you replace C:\Sysmon\sysmonconfig.xml with the path to your configuration file.

      sysmon -c C:\Sysmon\sysmonconfig.xml

    Or

    2. If you haven't installed Sysmon yet, you can install Sysmon with the configuration file using the following command. Make sure you replace C:\Sysmon\sysmonconfig.xml with the path to your configuration file.

      sysmon -i C:\Sysmon\sysmonconfig.xml

    Once applied, the configuration takes effect immediately. No restart is required.

Important

An unoptimized or overly broad configuration may generate a high event volume. Review and test configurations before broad deployment.

Example configuration

The following example shows a minimal Sysmon configuration that enables common event types: 


<Sysmon schemaversion="4.90">
   <HashAlgorithms>SHA256</HashAlgorithms>

   <EventFiltering>
     <ProcessCreate onmatch="exclude" />
     <NetworkConnect onmatch="exclude" />
     <FileCreate onmatch="exclude" />
   </EventFiltering>
</Sysmon>

This example enables basic visibility and can be expanded with include and exclude rules to reduce noise. 

Tip

A ProcessCreate rule with onmatch="exclude" and no child filters logs all process creation events, because nothing matches the (empty) exclusion list.
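The include and exclude semantics described above, shown in an added PowerShell deployment script that is not part of the original article. The file path and the process names used in the filters are assumptions; sysmon -c is the same command the article uses.

```powershell
# Added example (not from the original article): stages a Sysmon configuration that
# uses both filtering modes, sanity-checks it, and applies it. The path and the
# process names are assumptions. Run from an elevated PowerShell window.
$configPath = 'C:\Sysmon\sysmonconfig.xml'   # assumed location, change as needed

$config = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <!-- onmatch="exclude": log every ProcessCreate EXCEPT those that match a rule.
         Each <Image> below drops one known-noisy process. -->
    <ProcessCreate onmatch="exclude">
      <Image condition="end with">\SearchIndexer.exe</Image>
    </ProcessCreate>
    <!-- onmatch="include": log NOTHING unless a rule matches.
         Here only connections made by scripting hosts are kept. -->
    <NetworkConnect onmatch="include">
      <Image condition="end with">\powershell.exe</Image>
      <Image condition="end with">\wscript.exe</Image>
    </NetworkConnect>
    <!-- An empty exclude block keeps every FileCreate event (see the Tip above). -->
    <FileCreate onmatch="exclude" />
  </EventFiltering>
</Sysmon>
'@

New-Item -ItemType Directory -Path (Split-Path $configPath) -Force | Out-Null
Set-Content -Path $configPath -Value $config

# Fail early if the file is not well-formed XML before handing it to Sysmon,
# and print each event type with its mode and filter count for a quick review.
[xml]$parsed = Get-Content -Path $configPath -Raw
$parsed.Sysmon.EventFiltering.ChildNodes |
    Where-Object NodeType -eq 'Element' |
    ForEach-Object {
        '{0,-15} onmatch={1} filters={2}' -f $_.Name, $_.onmatch, $_.ChildNodes.Count
    }

# Apply the configuration (or, if Sysmon is not installed yet: sysmon -i $configPath)
sysmon -c $configPath
```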

Verify that Sysmon is enabled and configured

After enabling and configuring built-in Sysmon, verify that it is functioning correctly using the following steps.

  1. Select the Start button, type Event viewer, and open Event viewer from the best match list.

  2. In Event Viewer, go to Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.

  3. Confirm that Sysmon events are present, such as Process Create, Network Connect, File Create. If events appear, built-in Sysmon is enabled and using the active configuration.
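A scripted version of this check, as an added PowerShell example that is not from the original article. It reads the same Operational log named above; the 15-minute lookback is an assumption, and event IDs 1, 3 and 11 are Sysmon's documented IDs for Process Create, Network Connect and File Create.

```powershell
# Added example (not from the original article): summarizes what the active Sysmon
# configuration is writing to the Operational log. Run from an elevated PowerShell
# window. Event IDs 1/3/11 are Sysmon's IDs for the three event types the article
# names; the 15-minute lookback is an assumption.
$log   = 'Microsoft-Windows-Sysmon/Operational'
$names = @{ 1 = 'ProcessCreate'; 3 = 'NetworkConnect'; 11 = 'FileCreate' }
$since = (Get-Date).AddMinutes(-15)

$events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No Sysmon events in the last 15 minutes: confirm the service is running and that the configuration does not filter everything out.'
    return
}

# Volume per event type: a quick read on whether the filters are too broad.
$events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    $id    = [int]$_.Name
    $label = if ($names.ContainsKey($id)) { $names[$id] } else { "EventID $id" }
    '{0,-16} {1,6}' -f $label, $_.Count
}

# RuleName carries the name of the configuration rule that matched (when rules are
# named), which is the fastest way to attribute unexpected volume to a filter.
$events |
    Where-Object Id -eq 1 |
    Select-Object -First 5 |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.'#text'
        }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Image    = $data['Image']
            RuleName = $data['RuleName']
            Hashes   = $data['Hashes']
        }
    } | Format-Table -AutoSize
```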

Updating the Sysmon configuration

To update the Sysmon configuration, follow these steps.

  1. Modify the Sysmon configuration file using the guidance in Understanding Sysmon configuration files.

  2. Apply the updated configuration using the following command. Remember to replace C:\Sysmon\sysmonconfig.xml with the path to your configuration file.

    sysmon -c C:\Sysmon\sysmonconfig.xml

Configuration updates are applied dynamically and don't require a system restart.

Next steps

  • Tune Sysmon filters to balance visibility and event volume.

  • Forward Sysmon events to a centralized log collection or SIEM.

  • See the how-to on reading, forwarding, and tuning Sysmon events after configuration.