# What is Sysmon
Sysmon (System Monitor) is a free, advanced system monitoring tool developed by Mark Russinovich and Thomas Garnier, with contributions from David Magnotti, Mark Cook, Rob Mead, Giulia Biagini, Alex Mihaiuc, Kevin Sheldrake, and John Lambert.
Originally, Sysmon was created for internal use at Microsoft, but it is now widely used by security professionals to enhance visibility into system activity and detect abnormal behavior or potential threats.
Sysmon enables defenders to better detect suspicious activity by monitoring and logging a broad range of system events, such as process creation, network connections, and changes to files or registry keys. These logs are especially valuable for security investigations and threat detection.
## Sysmon on Windows
Sysmon for Windows supports ARM, x64 and x86 systems. Installation and configuration are managed through a single command-line tool. When installed, Sysmon logs events to the Microsoft-Windows-Sysmon/Operational Event Log.
### Windows Supported Event Types
The following table lists the event types and corresponding event IDs generated by Sysmon on Windows systems:
| Event Type | Event ID |
|---|---|
| Sysmon Service Status Changed | 0 |
| Process Create | 1 |
| File Create Time | 2 |
| Network Connect | 3 |
| Service State Change | 4 |
| Process Terminate | 5 |
| Driver Load | 6 |
| Image Load | 7 |
| Create Remote Thread | 8 |
| Raw Access Read | 9 |
| Process Access | 10 |
| File Create | 11 |
| Registry Object Added or Deleted | 12 |
| Registry Create | 13 |
| Registry Rename | 14 |
| File Create Stream Hash | 15 |
| Sysmon Config Change | 16 |
| Named Pipe Create | 17 |
| Named Pipe Connected | 18 |
| WMI Event Filter | 19 |
| WMI Event Consumer | 20 |
| WMI Consumer to Filter | 21 |
| DNS Query | 22 |
| File Delete | 23 |
| Clipboard Capture | 24 |
| Process Tampering | 25 |
| File Delete Detected | 26 |
| Error | 255 |
## Sysmon on Linux
Sysmon for Linux is an open-source adaptation, designed to collect similar security-relevant events from Linux environments. It leverages eBPF (Extended Berkeley Packet Filter) to efficiently monitor system activity at the kernel level.
Sysmon for Linux can be compiled from source or installed via your distribution’s package manager. Currently supported distributions include:
- Ubuntu
- Debian
- Red Hat Enterprise Linux
- Fedora Linux
- openSUSE
- SUSE Linux Enterprise Server
Sysmon for Linux writes events to the native system logging facility (such as journald). The set of supported events is narrower than on Windows, owing to differences in operating system architecture.
### Linux Supported Event Types
The following table lists the event types and event IDs currently supported by Sysmon on Linux:
| Event Type | Event ID |
|---|---|
| Sysmon Service Status Changed | 0 |
| Process Create | 1 |
| Network Connect | 3 |
| Service State Change | 4 |
| Process Terminate | 5 |
| Raw Access Read | 9 |
| File Create | 11 |
| Sysmon Config Change | 16 |
| File Delete | 23 |
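The two event-ID tables above (Windows and Linux) are what a log pipeline needs when it turns raw Sysmon records into something a detection rule can act on. The following Python script is an added example, not code from the Sysmon project: it loads the event names from those tables, parses one record in each of the two shapes this page describes (a Windows Event Log XML record, as `Get-WinEvent` returns through `ToXml()`, and a syslog line from Sysmon for Linux carrying the same `<Event>` structure), lists the event IDs the Linux table lacks, and applies two simple defender rules. The sample records, hostnames, paths and all-zero provider GUIDs are constructed placeholders; the `sysmon:` syslog tag, the absence of an XML namespace on the Linux record and the process names in the rules are assumptions of this example; and `parse_sysmon_record`, `findings_for` and `windows_only_event_ids` are names chosen here, not Sysmon APIs.

```python
"""Parse Sysmon event records (Windows XML or Linux syslog) and run two rules.

Added example: not Sysmon project code. Event names come from the tables on
this page; sample records below are constructed (placeholder hosts and GUIDs).
"""
import re
import xml.etree.ElementTree as ET

# Event IDs and names as listed in the Windows table above.
EVENT_NAMES = {
    0: "Sysmon Service Status Changed", 1: "Process Create", 2: "File Create Time",
    3: "Network Connect", 4: "Service State Change", 5: "Process Terminate",
    6: "Driver Load", 7: "Image Load", 8: "Create Remote Thread",
    9: "Raw Access Read", 10: "Process Access", 11: "File Create",
    12: "Registry Object Added or Deleted", 13: "Registry Create", 14: "Registry Rename",
    15: "File Create Stream Hash", 16: "Sysmon Config Change", 17: "Named Pipe Create",
    18: "Named Pipe Connected", 19: "WMI Event Filter", 20: "WMI Event Consumer",
    21: "WMI Consumer to Filter", 22: "DNS Query", 23: "File Delete",
    24: "Clipboard Capture", 25: "Process Tampering", 26: "File Delete Detected",
    255: "Error",
}
# The subset the Linux table above lists as supported.
LINUX_EVENT_IDS = {0, 1, 3, 4, 5, 9, 11, 16, 23}

# Windows Event Log records carry an XML namespace on <Event>; the Linux record
# is assumed (for this example) to use the same layout without one, so the
# parser derives the namespace from the root tag and accepts both.
# Assumed Linux shape: one syslog line whose payload follows a "sysmon:" tag.
_SYSLOG_PAYLOAD = re.compile(r"sysmon:\s*(<Event.*</Event>)\s*$")


def parse_sysmon_record(text: str) -> dict:
    """Return event_id, event_name, provider and the EventData fields of one record."""
    match = _SYSLOG_PAYLOAD.search(text)
    xml_text = match.group(1) if match else text.strip()
    root = ET.fromstring(xml_text)
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    system = root.find(f"{ns}System")
    event_id = int(system.findtext(f"{ns}EventID"))
    # Each <Data Name="..."> child of <EventData> becomes one dictionary entry.
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{ns}Data") if d.get("Name")}
    return {
        "event_id": event_id,
        "event_name": EVENT_NAMES.get(event_id, "Unknown"),
        "provider": system.find(f"{ns}Provider").get("Name", ""),
        "data": data,
    }


def windows_only_event_ids() -> list:
    """Event IDs the Windows table lists that the Linux table does not."""
    return sorted(set(EVENT_NAMES) - LINUX_EVENT_IDS)


# Two illustrative defender rules; the process names are this example's choice.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def findings_for(record: dict) -> list:
    """Return the names of the rules that the record triggers."""
    hits, d = [], record["data"]
    if (record["event_id"] == 1 and _basename(d.get("ParentImage", "")) in OFFICE_APPS
            and _basename(d.get("Image", "")) in SHELLS):
        hits.append("office-app-spawned-shell")
    if record["event_id"] == 16:
        # A config change alters what Sysmon records, so each one deserves review.
        hits.append("sysmon-config-changed")
    return hits


# Constructed sample records (placeholder hosts, paths and all-zero GUIDs).
WINDOWS_RECORD = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{00000000-0000-0000-0000-000000000000}"/>
    <EventID>1</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WORKSTATION01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c dir</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  </EventData>
</Event>"""
LINUX_RECORD = (
    'Jan  1 00:00:00 linuxhost sysmon: <Event><System>'
    '<Provider Name="Linux-Sysmon" Guid="{00000000-0000-0000-0000-000000000000}"/>'
    '<EventID>16</EventID><Computer>linuxhost</Computer></System>'
    '<EventData><Data Name="Configuration">/opt/sysmon/config.xml</Data></EventData></Event>'
)

if __name__ == "__main__":
    for raw in (WINDOWS_RECORD, LINUX_RECORD):
        rec = parse_sysmon_record(raw)
        print(rec["event_id"], rec["event_name"], rec["provider"], findings_for(rec))
    print("Windows-only event IDs:", windows_only_event_ids())
```

Run it as a script to see both records decoded. The rule on Event ID 16 is worth keeping in any real pipeline: a change to the Sysmon configuration changes what gets logged at all, so it should be correlated with planned deployments rather than silently accepted. The parser keys on the `Name` attribute of each `<Data>` element, which is how both Sysmon editions label their fields, so the same code serves records from either platform.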
Sysmon for Linux uses the sysinternalsEBPF library to capture file and network activities. eBPF allows execution of custom code at the kernel level, enabling efficient and secure event collection without requiring kernel modules.
Both sysinternalsEBPF and Sysmon for Linux are open source projects, allowing the community to contribute and extend their features. You can find the projects and source code on GitHub:
- Sysmon for Linux
- sysinternalsEBPF library
## Further Resources
Sysmon is a vital tool for defenders looking to increase their visibility into system activities and detect security threats on both Windows and Linux platforms.