Setting up Windows Event Forwarder Server (WEF) (Domain) – Sysmon Part 2/3

This is part 2, in which we set up Sysmon on the WEF collector itself. As you saw in the previous article, the subscription wizard in Event Viewer offers no Sysmon channel. The reason is that the wizard only lists event channels registered on the collector, and the Microsoft-Windows-Sysmon/Operational channel does not exist on a machine until Sysmon has been installed there. Let's resolve that.

Step 1: Setup Sysmon
Download Sysmon from here: https://technet.microsoft.com/en-us/sysinternals/sysmon

1. Extract the archive to a local folder.
2. Launch a command prompt with elevated privileges (right click, Run as administrator).
3. Run the following command: Sysmon.exe -accepteula -i -h sha256 -n
   (-i installs the service and driver, -h sha256 selects the hash algorithm recorded for image and file events, -n enables network connection logging, and -accepteula suppresses the licence dialog. Sysinternals switches are case-insensitive and also accept a leading slash, so the -I and /accepteula forms work as well.)
4. You should then see a message similar to the screenshot below, and eventually see the Sysmon service start.

5. Verify that Sysmon is running by checking Windows Services: you should see both the Sysmon service and the SysmonDrv driver. Event Viewer should now also show Applications and Services Logs > Microsoft > Windows > Sysmon > Operational, and it should already be filling with event ID 1 (process create) and event ID 3 (network connection) entries.

6. Reboot your system. (A reboot is not strictly required; the driver loads at install time. Closing and reopening Event Viewer is enough for the new channel to be picked up.)

7. Now go back and create a new subscription for Sysmon. In the Select Events dialog, the channel to pick is Microsoft-Windows-Sysmon/Operational; it appears under Applications and Services Logs > Microsoft > Windows > Sysmon.

Done!
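The whole procedure above as one script, including the subscription the article creates by hand in step 7. This is an added example, not code from the original article: the install path C:\Tools\Sysmon, the subscription name "Sysmon", the choice of a source-initiated subscription allowing Domain Computers to push events, and the MinLatency configuration mode are assumptions made for this example. Run it from an elevated PowerShell prompt on the collector.

```powershell
# Added example, not from the original post. Installs Sysmon on the WEF collector with
# the switches used in the article, verifies service, driver and event channel, and
# registers a source-initiated subscription for the Sysmon channel with wecutil.
# Assumptions (not from the article): Sysmon.exe extracted to C:\Tools\Sysmon,
# subscription name "Sysmon", events pushed by members of Domain Computers.

$SysmonDir = 'C:\Tools\Sysmon'            # assumed extraction folder
$Sysmon    = Join-Path $SysmonDir 'Sysmon.exe'
$Channel   = 'Microsoft-Windows-Sysmon/Operational'

# Step 3: install. -i installs, -h sha256 selects the hash algorithm, -n logs network
# connections, -accepteula suppresses the licence dialog. Switches are case-insensitive.
& $Sysmon -accepteula -i -h sha256 -n
if ($LASTEXITCODE -ne 0) { throw "Sysmon install failed with exit code $LASTEXITCODE" }

# Step 5: both the user-mode service and the kernel driver must be running.
Get-Service -Name Sysmon, SysmonDrv | Select-Object Name, Status, StartType

# The subscription wizard enumerates the collector's local channels, so the channel
# must exist here before "Sysmon" can be selected. No reboot is needed for this.
$Log = Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue
if (-not $Log) { throw "Channel $Channel not registered; Sysmon manifest install failed" }
$Log | Select-Object LogName, IsEnabled, RecordCount

# Newest events: ID 1 = process create, ID 3 = network connection (from -n).
Get-WinEvent -LogName $Channel -MaxEvents 5 | Select-Object TimeCreated, Id, ProviderName

# Step 7: make sure the Windows Event Collector service is configured (quick config,
# quiet), then register a subscription for the Sysmon channel. Source-initiated means
# endpoints push to the collector; the SDDL grants push rights to Domain Computers (DC),
# which is what the GPO in part 3 will point the endpoints at.
wecutil qc /q

$SubscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/08/windows/eventlog/subscription">
  <SubscriptionId>Sysmon</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Sysmon operational events from domain endpoints</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
          <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@

$XmlPath = Join-Path $env:TEMP 'sysmon-subscription.xml'
Set-Content -Path $XmlPath -Value $SubscriptionXml -Encoding UTF8
wecutil cs $XmlPath

# Confirm the subscription exists and, once endpoints are enrolled via GPO, which
# sources are active and when they last sent a heartbeat.
wecutil gs Sysmon
wecutil gr Sysmon
```

Forwarded Sysmon events land in the ForwardedEvents log on the collector, not in the collector's own Sysmon/Operational channel; `wecutil gr Sysmon` is the quickest way to see which endpoints have checked in after the part 3 GPO is applied.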

Let’s continue on creating a GPO to finally collect endpoint logs in Part 3/3


2 thoughts on "Setting up Windows Event Forwarder Server (WEF) (Domain) – Sysmon Part 2/3"

  1. Thanks a million for your guide. It's great! I have everything up and running but I'm not sure it's 100% right. Can you be a little more specific on how you created the Sysmon subscription? As far as my understanding goes, we've only installed Sysmon on the event log collector. So am I supposed to subscribe to myself? What would the benefits of installing Sysmon on all other domain computers be?

    1. The reason why we installed Sysmon on the collector server is so you can create a subscription for all the rest of your domain computers. The benefit of installing Sysmon on your domain endpoints is that it provides you with useful information about what is running on each computer: for example, what processes are being launched, what registry changes are being made, what outbound connections it is making, and what new files are being created on your system (along with their hash values). This is useful information in case your system gets malware, so you may see how the computer was infected, and to look for unknown processes that are running and making outbound calls to Command & Control (C2C) servers. It offers a lot of value, for free!
