Sysmon Installation

Create a folder on the C: drive called Sysmon and download Sysmon into it (the steps below assume an elevated PowerShell prompt in C:\Sysmon).

Sysmon Sysinternals Link

Download the XML configuration file (this must be run from PowerShell, where wget is an alias for Invoke-WebRequest, not from cmd.exe):

wget https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -outfile sysmonconfig.xml

Install Sysmon64 with the downloaded configuration:

.\sysmon64.exe -accepteula -i .\sysmonconfig.xml

In the Wazuh agent configuration file (ossec.conf, by default C:\Program Files (x86)\ossec-agent\ossec.conf), add the following inside the <ossec_config> element, next to the existing <localfile> entries near the bottom:

<!-- Sysmon added as a log source -->
<localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
</localfile>

Restart the Wazuh agent so it picks up the new log source:

Restart-Service WazuhSvc
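The steps above as one PowerShell script, including the checks a practitioner would want at each stage (the config parses as XML, the Sysmon event channel exists before the agent is pointed at it, the ossec.conf edit is made only once and lands inside <ossec_config>, and events are actually flowing after the restart). This is an added example, not code from the original page or from Wazuh; the Sysinternals download URL, the Sysmon64 service name, and the default agent install path are assumptions.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

$SysmonDir = 'C:\Sysmon'
$SysmonZip = 'https://download.sysinternals.com/files/Sysmon.zip'   # assumed Sysinternals download URL
$ConfigUrl = 'https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml'
$AgentDir  = 'C:\Program Files (x86)\ossec-agent'                   # assumed default Wazuh agent install path
$OssecConf = Join-Path $AgentDir 'ossec.conf'

# 1. Folder and downloads
New-Item -ItemType Directory -Path $SysmonDir -Force | Out-Null
Invoke-WebRequest -Uri $SysmonZip -OutFile "$SysmonDir\Sysmon.zip"
Expand-Archive -Path "$SysmonDir\Sysmon.zip" -DestinationPath $SysmonDir -Force
Invoke-WebRequest -Uri $ConfigUrl -OutFile "$SysmonDir\sysmonconfig.xml"

# Check: the config must be well-formed XML before Sysmon is asked to load it
[xml]$cfg = Get-Content -Path "$SysmonDir\sysmonconfig.xml" -Raw
"Sysmon config schema version: $($cfg.Sysmon.schemaversion)"

# 2. Install, or just reload the config if the service already exists
$svc = Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue    # service name assumed
if ($null -eq $svc) {
    & "$SysmonDir\Sysmon64.exe" -accepteula -i "$SysmonDir\sysmonconfig.xml"
} else {
    & "$SysmonDir\Sysmon64.exe" -c "$SysmonDir\sysmonconfig.xml"
}

# Check: the event channel exists and is enabled before the agent is pointed at it
$log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational'
if (-not $log.IsEnabled) { throw 'Sysmon event channel is not enabled' }

# 3. Add the localfile block to ossec.conf, idempotently and inside <ossec_config>
$block = @"
  <!-- Sysmon added as a log source -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
"@

$conf = Get-Content -Path $OssecConf -Raw
if ($conf -notmatch 'Microsoft-Windows-Sysmon/Operational') {
    Copy-Item -Path $OssecConf -Destination "$OssecConf.bak"
    $idx = $conf.LastIndexOf('</ossec_config>')
    if ($idx -lt 0) { throw "No closing </ossec_config> tag found in $OssecConf" }
    $conf = $conf.Insert($idx, $block + "`r`n")
    # Write without a BOM so the agent's XML parser sees a plain file
    [System.IO.File]::WriteAllText($OssecConf, $conf, (New-Object System.Text.UTF8Encoding($false)))
}

# 4. Restart the agent and verify it picked up the channel
Restart-Service -Name 'WazuhSvc'
Start-Sleep -Seconds 5
Get-Content -Path (Join-Path $AgentDir 'ossec.log') -Tail 50 | Select-String 'Sysmon'

# Newest Sysmon events, to confirm the driver is actually logging
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 3 |
    Select-Object TimeCreated, Id, ProviderName
```

After the restart, the agent's ossec.log should show a line reporting that it is analyzing the Microsoft-Windows-Sysmon/Operational event log; if it does not appear, check that the <localfile> block sits inside <ossec_config> and that the agent was restarted after the edit.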