Question 1

How to install Sysmon with sysmon-config?

Accepted Answer

Run 'sysmon.exe -accepteula -i sysmonconfig-export.xml' with administrator rights, as per the README's install instructions. This sets up Sysmon using the configuration file as a template for monitoring system changes.

Question 2

What does sysmon-config monitor compared to Windows logging?

Accepted Answer

sysmon-config focuses on system changes like process creation and file modifications, but it doesn't track authentication events. It's designed to complement native Windows logging, not replace it, as stated in the philosophy section.

Question 3

How to customize sysmon-config for antivirus exclusions?

Accepted Answer

You need to install and observe the logs in your environment, then edit the configuration to exclude antivirus actions. The file is highly commented to guide you through this process, as mentioned in the customization section.

Question 4

sysmon-config vs sysmon-modular: which should I use?

Accepted Answer

sysmon-config is a starting point with educational comments, ideal for learning and basic setups, while sysmon-modular is more exhaustive and detailed for advanced configurations. Choose based on your need for simplicity versus comprehensiveness.

Question 5

Can I use sysmon-config in production without changes?

Accepted Answer

No, it requires customization to fit your specific environment, such as excluding antivirus noise. The README advises testing and adaptation before wide deployment to avoid log clutter and performance issues.

Question 6

How to update an existing Sysmon configuration with sysmon-config?

Accepted Answer

Run 'sysmon.exe -c sysmonconfig-export.xml' with administrator rights to update the configuration. Always back up your current settings first to prevent loss of custom rules or data.

sysmon-config

What is sysmon-config?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions