...
- Download both Sysmon and the Sysmon configuration. The configuration is a locally hosted XML file.
- Extract Sysmon to a directory and place the configuration.xml in the same directory.
- Open a Windows command prompt in 'Run as Administrator' mode and navigate to the Sysmon directory.
- Use the following command to install and enable the Sysmon service:
  - .\Sysmon.exe -i .\config_v14.xml -accepteula
- Wait for the install to finish.
...
Code Block

```
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _json>
    Module xm_json
</Extension>

<Input in>
    Module im_msvistalog
    Query <QueryList>\
        <Query Id="0">\
            <Select Path="Security">*</Select>\
            <Select Path="Application">*</Select>\
            <Select Path="Setup">*</Select>\
            <Select Path="System">*</Select>\
            <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
        </Query>\
    </QueryList>
</Input>

<Output out>
    Module om_udp
    Host {CCE IP Address}
    Port 5154
    Exec to_json();
</Output>

<Route 1>
    Path in => out
</Route>
```
...
Verification of Configuration
Verification can be done either from the CCE server or from the UI.
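The following is an added example, not code from the original page, from nxlog or from CCE. It is the collector-side check implied by the nxlog configuration above and by this verification step: bind UDP port 5154 (the Port in the `<Output out>` block), decode each `to_json()` datagram, and report whether all five channels in the `<Input in>` query are arriving with a sender hostname and an integer event ID. The field names `EventID`, `Channel` and `Hostname` are those that nxlog's `im_msvistalog` module normally emits; treat them as an assumption and compare against a real datagram. The sample datagrams at the bottom are constructed, not captured from a host.

```python
"""Collector-side check that nxlog is forwarding the configured channels.

Added example (not part of the original page, nxlog or CCE). Assumes om_udp
sends one to_json() object per datagram and that im_msvistalog populates the
EventID, Channel and Hostname fields; verify against a real datagram.
"""
import json
import socket
from collections import Counter

LISTEN_PORT = 5154  # matches "Port 5154" in the <Output out> block
# The five <Select Path="..."> entries from the <Input in> query.
EXPECTED_CHANNELS = {
    "Security", "Application", "Setup", "System",
    "Microsoft-Windows-Sysmon/Operational",
}


def parse_datagram(payload: bytes) -> dict:
    """Decode one nxlog to_json() datagram; raise ValueError if it is not one."""
    try:
        event = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not an nxlog JSON event: {exc}") from exc
    if not isinstance(event, dict):
        raise ValueError("to_json() output must be a JSON object")
    for key in ("EventID", "Channel"):
        if key not in event:
            raise ValueError(f"missing field {key!r}")
    return event


def check_event(event: dict) -> list:
    """Return a list of problems with one event; an empty list means it looks right."""
    problems = []
    if event.get("Channel") not in EXPECTED_CHANNELS:
        problems.append(f"unexpected channel {event.get('Channel')!r}")
    if not isinstance(event.get("EventID"), int):
        problems.append("EventID is not an integer")
    if not event.get("Hostname"):
        problems.append("Hostname missing, events cannot be attributed to a sender")
    return problems


def summarize(datagrams) -> dict:
    """Count events per channel, list channels never seen, and collect problems."""
    per_channel = Counter()
    problems = []
    for i, payload in enumerate(datagrams):
        try:
            event = parse_datagram(payload)
        except ValueError as exc:
            problems.append(f"datagram {i}: {exc}")
            continue
        per_channel[event["Channel"]] += 1
        problems.extend(f"datagram {i}: {p}" for p in check_event(event))
    return {
        "per_channel": dict(per_channel),
        "missing_channels": sorted(EXPECTED_CHANNELS - set(per_channel)),
        "problems": problems,
    }


def receive(count: int, port: int = LISTEN_PORT, timeout: float = 30.0) -> list:
    """Collect up to `count` datagrams from the wire; run this on the collector host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("0.0.0.0", port))
    datagrams = []
    try:
        while len(datagrams) < count:
            payload, _sender = sock.recvfrom(65535)
            datagrams.append(payload)
    except socket.timeout:
        pass  # nothing more arrived in time; report on what we have
    finally:
        sock.close()
    return datagrams


# Constructed sample datagrams (not captured from a real host): one good Sysmon
# event, one good Security event, a System event without Hostname, a non-JSON
# datagram, and an event from a channel the configuration does not select.
SAMPLE_DATAGRAMS = [
    b'{"EventTime":"2024-01-01 10:00:00","Hostname":"WKS01.example.local",'
    b'"EventID":1,"Channel":"Microsoft-Windows-Sysmon/Operational",'
    b'"SourceName":"Microsoft-Windows-Sysmon","Message":"Process Create"}',
    b'{"EventTime":"2024-01-01 10:00:01","Hostname":"WKS01.example.local",'
    b'"EventID":4624,"Channel":"Security","SourceName":"Microsoft-Windows-Security-Auditing"}',
    b'{"EventTime":"2024-01-01 10:00:02","EventID":7036,"Channel":"System"}',
    b"not json at all",
    b'{"Hostname":"WKS01.example.local","EventID":400,"Channel":"Windows PowerShell"}',
]

if __name__ == "__main__":
    # Offline run on the constructed samples; swap in receive(50) on the collector.
    report = summarize(SAMPLE_DATAGRAMS)
    for line in report["problems"]:
        print("PROBLEM", line)
    print("events per channel:", report["per_channel"])
    print("channels not yet seen:", report["missing_channels"])
```

Run with `summarize(receive(50))` on the CCE host while the Windows agent is running; an empty `missing_channels` list and an empty `problems` list means the route in the configuration is delivering what the query asks for. A persistent entry in `missing_channels` usually points at the corresponding `<Select>` line or at a channel that has not yet produced events, while `Hostname missing` points at the sending agent rather than the network path.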
...