IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Security Module Exported fields »
Elastic Docs Winlogbeat Reference [7.2] Modules

Sysmon Module

edit

Sysmon Module

edit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

The sysmon module processes event log records from the Sysinternals System Monitor (Sysmon) which is a Windows service and device driver that logs system activity to the event log. Sysmon is not bundled with Windows or Winlogbeat and must be installed independently.

The default configuration file includes configuration for Sysmon. If you do not have Sysmon installed Winlogbeat will log a warning that it could not read from the Microsoft-Windows-Sysmon/Operational channel. It will continue to read from the other configured channels. If you do install Sysmon at a later time then a restart of Winlogbeat is required to make it begin reading from the channel.

This module was built based on Sysmon v9 event manifests. It contains transformations for each of the defined event IDs.

Configuration

edit
winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
« Security Module Exported fields »