# Client Setup (JPCERTCC/SysmonSearch GitHub Wiki)

To send event logs to the SysmonSearch environment, the following applications must run on each Windows client:
- Sysmon
- Winlogbeat
## Sysmon

Download and install Sysmon.

Sysmon does not record network connection and registry-related events by default. To record the events you want, add rules for them to a configuration file and import it.

Create a configuration file that fits your environment, or use an existing community-tuned file (sysmon-config by SwiftOnSecurity), and apply it to Sysmon:

```powershell
# Install Sysmon (64-bit) with a configuration file:
sysmon64.exe -i sysmon-config-export.xml

# Apply a configuration file to an already installed Sysmon:
sysmon64.exe -c sysmon-config-export.xml
```
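The following PowerShell script is an added example and is not part of the SysmonSearch wiki or the SwiftOnSecurity configuration. It writes a minimal Sysmon configuration that turns on exactly the two event classes the page says are off by default (NetworkConnect, event ID 3, and RegistryEvent, event IDs 12-14), installs or reconfigures Sysmon with it, and then checks that the Sysmon operational channel actually receives those events. The file name `sysmon-config-minimal.xml`, the registry paths used in the include rule, and the `schemaversion` value are assumptions; adjust the schema version to the one your Sysmon build reports, and run from an elevated prompt in the directory containing `sysmon64.exe`.

```powershell
# Added example (not from the SysmonSearch wiki): minimal Sysmon config that
# enables network-connection and registry logging, applied and then verified.
# Assumptions: elevated shell, sysmon64.exe in the current directory, file name
# and schemaversion are our own choices.

$configPath = Join-Path $PWD 'sysmon-config-minimal.xml'

# An empty/near-empty "exclude" group logs every event of that type; an
# "include" group logs only matches. RegistryEvent is restricted to common
# autostart locations so the client is not flooded with registry noise.
$sysmonConfig = @'
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 3: every network connection except loopback -->
      <NetworkConnect onmatch="exclude">
        <DestinationIp condition="is">127.0.0.1</DestinationIp>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event IDs 12-14: registry changes under persistence-relevant keys -->
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
        <TargetObject condition="contains">\Services\</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $configPath -Value $sysmonConfig -Encoding UTF8

# Fresh install if the Sysmon64 service is absent, otherwise just reload config.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & .\sysmon64.exe -c $configPath
} else {
    & .\sysmon64.exe -accepteula -i $configPath
}

# Generate one network connection and one harmless registry write/delete
# under HKCU, then confirm event IDs 3, 12 and 13 show up in the channel.
Invoke-WebRequest -Uri 'http://example.com' -UseBasicParsing | Out-Null
$testKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
New-ItemProperty -Path $testKey -Name 'SysmonConfigCheck' -Value 'check' -Force | Out-Null
Remove-ItemProperty -Path $testKey -Name 'SysmonConfigCheck' -ErrorAction SilentlyContinue
Start-Sleep -Seconds 5

$recent = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 3, 12, 13
    StartTime = (Get-Date).AddMinutes(-1)
}
$recent | Group-Object Id | Select-Object Name, Count
```

If the final table shows no event ID 3 or no 12/13 rows, the configuration was not applied (check the service state and the output of `sysmon64.exe -c`), and Winlogbeat would ship nothing useful to SysmonSearch no matter how it is configured.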
## Winlogbeat

Download and unzip Winlogbeat.

### Sending logs to the SysmonSearch environment in real time

Modify the following parts of the configuration file (winlogbeat.yml):

```yaml
winlogbeat.event_logs:
  - name: "Microsoft-Windows-Sysmon/Operational"

# The following default processors configuration must be deleted:
# processors:
#   - script:
#       lang: javascript
#       id: sysmon
#       file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
...
# Configure the Elasticsearch server IP address
output.elasticsearch:
  hosts: ["<Elasticsearch server IP address>:9200"]
```

If Winlogbeat needs to run as a resident program (a Windows service), refer to the installation instructions by Elastic.

Otherwise, it can be started from the command prompt:

```powershell
.\winlogbeat.exe -e -c .\winlogbeat.yml
```
### Sending an existing event log file

Create a configuration file (winlogbeat-evtx.yml) as follows:

```yaml
winlogbeat.event_logs:
  - name: ${EVTX_FILE}
    no_more_events: stop
winlogbeat.shutdown_timeout: 30s
output.elasticsearch.hosts: ['<Elasticsearch IP address>:9200']
```

Run Winlogbeat from the command prompt, passing the configuration file and the event log file:

```powershell
.\winlogbeat.exe -e -c .\winlogbeat-evtx.yml -E EVTX_FILE=c:\your_sysmon_log.evtx
```
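The following PowerShell script is an added example, not code from the SysmonSearch wiki or from Elastic. It covers both Winlogbeat modes above: it runs the checks a practitioner wants before shipping in real time (the Sysmon channel exists, the default `sysmon` script processor has really been removed from winlogbeat.yml, Elasticsearch answers on port 9200, and Winlogbeat accepts the configuration), and then generalizes the single-file `.evtx` import to a whole folder of saved logs using the `winlogbeat-evtx.yml` file from the page. The Elasticsearch address, the folder `C:\evtx-archive`, and running from the unzipped Winlogbeat directory are assumptions.

```powershell
# Added example (not from the SysmonSearch wiki): preflight checks for the
# real-time setup, then bulk import of saved .evtx files via winlogbeat-evtx.yml.
# Assumptions: run from the Winlogbeat directory; $esHost and $evtxDir are
# placeholders chosen for this example.

$esHost  = '192.0.2.10'      # placeholder: Elasticsearch server IP address
$evtxDir = 'C:\evtx-archive' # placeholder: folder of exported Sysmon .evtx files

# 1. The Sysmon operational channel must exist on this client.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction Stop
Write-Host "Sysmon channel has $($log.RecordCount) records"

# 2. The page requires the default sysmon script processor to be deleted.
#    An uncommented "id: sysmon" line means it is still active.
$yml = Get-Content -Path .\winlogbeat.yml -Raw
if ($yml -match '(?m)^\s*id:\s*sysmon\s*$') {
    throw 'winlogbeat.yml still contains the default sysmon script processor; delete it first.'
}

# 3. Elasticsearch must be reachable on 9200 from this client.
if (-not (Test-NetConnection -ComputerName $esHost -Port 9200 -InformationLevel Quiet)) {
    throw "Cannot reach ${esHost}:9200"
}

# 4. Let Winlogbeat validate its own configuration before any events are sent.
& .\winlogbeat.exe test config -c .\winlogbeat.yml
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml failed validation' }

# 5. Import saved logs one file per run, exactly as the page does for a single
#    file; no_more_events: stop makes each run exit when the file is exhausted.
Get-ChildItem -Path $evtxDir -Filter '*.evtx' | ForEach-Object {
    Write-Host "Importing $($_.FullName)"
    & .\winlogbeat.exe -e -c .\winlogbeat-evtx.yml -E "EVTX_FILE=$($_.FullName)"
    if ($LASTEXITCODE -ne 0) { Write-Warning "Import failed for $($_.Name)" }
}
```

Winlogbeat records how far it has read each log in its registry file under its data directory, so re-running the loop on the same files does not resend events; delete that registry entry first if a file must be imported again.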