Using sysmon config file

Palmer (Newbie, joined 04 October 2017)
Posted: 04 October 2017 at 4:57pm
I dumped the default sysmon config file and made two edits to it (disabling registry events), saved it and tried to update with the new config:

sysmon -c name.xml

I get the error message 'Failed to find Sysmon tag in configuration: name.xml'

What am I missing?

Thanks,

Palmer
hanscees (Newbie, joined 04 November 2017)
Posted: 04 November 2017 at 3:27pm
Don't know what you are doing wrong exactly, but you can find working examples on GitHub:

https://github.com/ion-storm/sysmon-config

ragualkzo (Newbie, joined 11 January 2018)
Posted: 11 January 2018 at 1:58am
I've tried installing Sysmon 7.01 but it won't install because of an error message asking for schema version 4.0. Is there a template for the new schema version? The available sample configurations are schema version 3.4 and below, so they won't install.
gregfrompl (Newbie, Poland, joined 18 January 2018)
Posted: 18 January 2018 at 12:01pm
Change the header in the config file to this one:

<Sysmon schemaversion="4.00">


To verify the schema you can always use sysmon -s, where every field is provided with a data type (int, string, etc.).

No big changes compared to Sysmon 6.2; however, I see an issue with event 7 (Image load). Sysmon cannot validate the signature of DLLs and binaries (the signature is invalid), which generates a lot of noise.
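A pre-flight check for the two failure modes in this thread (a root element that is not <Sysmon>, and a schemaversion that does not match what sysmon -s reports), as an added example that is not from the thread or from Sysinternals. The sample configs are constructed, and the schema version the installed binary expects is passed in by the caller rather than read from sysmon.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs, not files from the thread. GOOD_CONFIG has the shape
# of a dumped default config with registry events turned off: an include block with
# no rules matches nothing, so no RegistryEvent records (event IDs 12-14) are written.
GOOD_CONFIG = """<Sysmon schemaversion="4.00">
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <RegistryEvent onmatch="include" />
  </EventFiltering>
</Sysmon>"""

# Root element is not <Sysmon>: the shape that makes `sysmon -c` report
# "Failed to find Sysmon tag in configuration".
BAD_ROOT_CONFIG = """<Config schemaversion="4.00">
  <EventFiltering><RegistryEvent onmatch="include" /></EventFiltering>
</Config>"""


def lint_sysmon_config(xml_text: str, expected_schema: str = "4.00") -> list:
    """Return a list of problems; an empty list means the file should load.
    expected_schema is what the installed binary prints with `sysmon -s`
    (supplied by the caller; this script never runs sysmon itself)."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "Sysmon":
        problems.append(f"root element is <{root.tag}>, expected <Sysmon>")
    version = root.get("schemaversion")
    if version is None:
        problems.append("missing schemaversion attribute on the root element")
    elif float(version) != float(expected_schema):
        problems.append(f"schemaversion {version} does not match sysmon -s ({expected_schema})")
    if root.find("EventFiltering") is None:
        problems.append("no <EventFiltering> section")
    return problems


def disabled_event_types(xml_text: str) -> list:
    """Event types whose include block carries no rules, i.e. that record nothing.
    Assumes the schema 4.00 layout (event types directly under EventFiltering)."""
    filtering = ET.fromstring(xml_text).find("EventFiltering")
    if filtering is None:
        return []
    return [r.tag for r in filtering if r.get("onmatch") == "include" and len(r) == 0]
```

Run lint_sysmon_config on the file before sysmon -c, passing the version from sysmon -s; disabled_event_types confirms which event types the edits actually switched off.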