IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Security Module Exported fields »
Elastic Docs Winlogbeat Reference [8.8] Modules

Sysmon Module

edit

Sysmon Module

edit

The sysmon module processes event log records from the Sysinternals System Monitor (Sysmon) which is a Windows service and device driver that logs system activity to the event log. Sysmon is not bundled with Windows or Winlogbeat and must be installed independently.

The default configuration file includes configuration for the Sysmon channel. If you do not have Sysmon installed Winlogbeat will log a warning that it could not read from the Microsoft-Windows-Sysmon/Operational channel. It will continue to read from the other configured channels. If you do install Sysmon at a later time then a restart of Winlogbeat is required to make it begin reading from the channel.

This module was built based on Sysmon v13 event manifests. It contains transformations for each of the defined event IDs.

Configuration

edit
winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational

output.elasticsearch.pipeline: winlogbeat-%{[agent.version]}-routing

All module processing is handled via Elasticsearch Ingest Node pipelines. See Setup of Ingest Node pipelines for details.
« Security Module Exported fields »