Wazuh is an open-source security platform that acts like a central watchdog for IT environments. It collects data from servers, endpoints, cloud systems, and containers, then analyzes that information to detect threats, vulnerabilities, and unusual behavior. By monitoring logs, file changes, and system activity, it helps organizations stay aware of security risks and compliance requirements. Paired with tools like Elasticsearch and Kibana, Wazuh provides a searchable database and visual dashboards, making it easier to investigate incidents and maintain oversight. In essence, it’s a flexible and cost-effective alternative to commercial SIEM solutions that strengthens security visibility and response.
Download Sysmon
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Download Config File
https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml
Create a new folder, C:\sysmon, and place the Sysmon binaries and sysmonconfig.xml in it.
Open an elevated PowerShell (Sysmon installs a driver, so it needs administrator rights) and cd into C:\sysmon.
.\sysmon.exe -accepteula -i sysmonconfig.xml
(-accepteula skips the interactive licence prompt; on an already-installed system use -c sysmonconfig.xml to load the new config instead of -i. Sysmon.exe installs the 64-bit build on 64-bit Windows.)
Stop the Wazuh agent service, so the agent does not overwrite ossec.conf while you edit it.
Edit ossec.conf (on Windows: C:\Program Files (x86)\ossec-agent\ossec.conf) and add a new localfile block next to the existing Windows event log entries (Application, Security, System). The location is the Sysmon event channel and the log format must be eventchannel, not syslog:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
Step 2
In the same ossec.conf, find the File Integrity Monitoring section (the <syscheck> block) and add the directory to watch. check_all hashes and records attributes for every file; realtime reports changes as they happen instead of waiting for the next scheduled scan:
<directories check_all="yes" realtime="yes">C:\Shared</directories>
Save the file and start the Wazuh agent service again so the new configuration is loaded. Check ossec.log in the agent folder for errors; a malformed ossec.conf will stop the agent from starting.
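The whole procedure above as one elevated PowerShell script. This is an added example, not code from the original page or from the Wazuh or Sysmon projects. It assumes the Wazuh agent's default Windows install path and service name (WazuhSvc), that sysmon.exe and sysmonconfig.xml sit in C:\sysmon, and the check_all/realtime syscheck attributes chosen above; adjust the parameters if your layout differs. It edits ossec.conf as text rather than as an XML document, because ossec.conf may contain more than one top-level <ossec_config> element, which a strict XML parser rejects.

```powershell
#Requires -RunAsAdministrator
# Added example (not the page's or Wazuh's own code): install Sysmon with the
# sysmon-modular config, then wire the Sysmon channel and a FIM directory into
# the Wazuh agent. Defaults below are assumptions about a standard install.
param(
    [string]$SysmonDir = 'C:\sysmon',
    [string]$OssecConf = 'C:\Program Files (x86)\ossec-agent\ossec.conf',
    [string]$FimPath   = 'C:\Shared',
    [string]$AgentSvc  = 'WazuhSvc'
)
$ErrorActionPreference = 'Stop'
$Channel = 'Microsoft-Windows-Sysmon/Operational'

# 1. Install Sysmon, or just reload the config if a Sysmon service already exists.
$sysmon = Join-Path $SysmonDir 'sysmon.exe'
$config = Join-Path $SysmonDir 'sysmonconfig.xml'
if (Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue) {
    & $sysmon -c $config                # update configuration in place
} else {
    & $sysmon -accepteula -i $config    # fresh install, no licence prompt
}
# Confirm the event channel exists before pointing the agent at it.
if (-not (Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue)) {
    throw "Event channel '$Channel' not found; Sysmon install failed."
}

# 2. Stop the agent so it cannot rewrite ossec.conf while we edit, and keep a backup.
Stop-Service -Name $AgentSvc
Copy-Item $OssecConf ("{0}.bak-{1}" -f $OssecConf, (Get-Date -Format 'yyyyMMddHHmmss'))
$conf = Get-Content -Raw $OssecConf

# 3. Add the Sysmon localfile block (idempotent: skip if the channel is already there).
if ($conf -notmatch [regex]::Escape($Channel)) {
    $localfile = @"
  <localfile>
    <location>$Channel</location>
    <log_format>eventchannel</log_format>
  </localfile>
"@
    # Insert before the last </ossec_config>; Wazuh accepts any number of localfile blocks.
    $idx  = $conf.LastIndexOf('</ossec_config>')
    if ($idx -lt 0) { throw 'No </ossec_config> element found in ossec.conf.' }
    $conf = $conf.Insert($idx, $localfile)
}

# 4. Add the FIM directory inside the existing <syscheck> block (first occurrence).
if ($conf -notmatch [regex]::Escape($FimPath)) {
    $dirLine = "    <directories check_all=`"yes`" realtime=`"yes`">$FimPath</directories>`r`n"
    $idx = $conf.IndexOf('</syscheck>')
    if ($idx -lt 0) { throw 'No <syscheck> section found in ossec.conf.' }
    $conf = $conf.Insert($idx, $dirLine)
}
Set-Content -Path $OssecConf -Value $conf -Encoding UTF8

# 5. Restart the agent and check that it picked up the new channel. A broken
#    ossec.conf shows up here as a start failure or as ERROR lines in ossec.log.
Start-Service -Name $AgentSvc
Start-Sleep -Seconds 5
$log = Join-Path (Split-Path $OssecConf) 'ossec.log'
Get-Content $log -Tail 50 | Select-String -Pattern 'ERROR', 'Sysmon'
```

Run it once after downloading Sysmon and sysmonconfig.xml into C:\sysmon; the channel check at step 1 catches a failed driver install before the agent config is touched, and the backup taken at step 2 is what you restore if the agent refuses to start afterwards.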