SYSMON Configuration Syntax

This configuration is for use on Windows only.

The SYSMON configuration is used for the File, System and Registry operations of the Management Server.

SUBSYS SYSMON

FILEINCL (<str>)
FILEEXCL (<str>)
FILELOGREAD ({YES | NO})
FILELOGWRITE ({YES | NO})
HNDMAXREC (<max-rec>)
HNDDETAIL ({YES | NO})
REGINCL (<str>)
REGEXCL (<str>)
REGLOGRE ({YES | NO})
REGLOGWR ({YES | NO})
REGLOGAU ({YES | NO})

Syntax Elements

NTFileOperation

FILEINCL

<str>

The wild card of the files to be scanned. Default is *, which scans all files and directories. To scan all executable files, add *.exe* and *.dll*. Putting an asterisk at the end is essential, as this is how the Systems Internals driver works.

FILEEXCL

<str>

The wild card of the files to be excluded from being scanned. Default is for no exclusion. To exclude all executable files from scanning, add *.exe* and *.dll*. Putting an asterisk at the end is essential, as this is how the Systems Internals driver works.

FILELOGREAD

{YES | NO}

YES, to monitor the Read operation of the files/directories
NO, to exclude monitoring of the Read operation of the files/directories

Default = YES

FILELOGWRITE

{YES | NO}

YES, to monitor the Write operation of the files/directories
NO, to exclude monitoring of the Write operation of the files/directories.

Default = YES

NTHandle

HNDMAXREC

<max-rec>

The maximum number of records to be sent to the Windows Client per interval.

Default is 1000

HNDDETAIL

{YES | NO}

YES, to collect detailed information about handles during handle collection.
NO, to exclude detailed handle information during handle collection.
Handle details means the MUTANT, THREAD, PROCESS, SEMAPHORE, SECTION, etc. information.

Default = YES

NTRegistryOperation

REGINCL

<str>

The wild card of the registry keys to be monitored. Putting an asterisk at the end is essential, as this is how the Systems Internals driver works.

Default is "HKLM\*".

REGEXCL

<str>

The wild card of the registry keys to be excluded from being monitored. Putting an asterisk at the end is essential, as this is how the Systems Internals driver works.

Default is for no exclusion.

The '*' wildcard matches arbitrary strings, and filters are case-insensitive. Only keys that match the include filter and are not matched by the exclude filter are displayed. Use ';' to separate multiple filter component strings (e.g. *CurrentControl*;*Software*). For example, if the include filter is HKLM\* and the exclude filter is HKLM\System*, all references to keys and values under HKLM\, except those under HKLM\System, are monitored.
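
The include/exclude semantics just described, as an added example that is not SYSMON's own code: a small Python model of how REGINCL and REGEXCL combine, run over a constructed list of registry key paths. It also shows why a filter without a trailing asterisk matches only the exact key. The function names and the sample keys are assumptions made for the example.

```python
import re

# Added example, not the SYSMON product code. Assumed semantics, taken from
# the description above: '*' is the only wildcard, matching is case-insensitive
# and whole-string, ';' separates filter components, and a key is reported
# only if it matches some include component and no exclude component.

def _compile(filter_str):
    """Turn a filter such as 'HKLM\\*;*Software*' into anchored regexes."""
    parts = [p for p in filter_str.split(";") if p]
    return [re.compile("^" + ".*".join(re.escape(s) for s in p.split("*")) + "$",
                       re.IGNORECASE)
            for p in parts]

def is_monitored(key, include, exclude=""):
    """True if key matches the include filter and not the exclude filter."""
    included = any(r.match(key) for r in _compile(include))
    excluded = any(r.match(key) for r in _compile(exclude))
    return included and not excluded

def filter_keys(keys, include, exclude=""):
    """Apply the include/exclude pair to a list of key paths."""
    return [k for k in keys if is_monitored(k, include, exclude)]

# Constructed sample of registry key paths, as the driver might report them.
SAMPLE_KEYS = [
    r"HKLM\System\CurrentControlSet\Services\Foo",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Classes\CLSID",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\System",
]

if __name__ == "__main__":
    # The page's own example: include HKLM\*, exclude HKLM\System*
    for k in filter_keys(SAMPLE_KEYS, r"HKLM\*", r"HKLM\System*"):
        print("monitored:", k)
    # Without the trailing asterisk the exclude matches only the exact key,
    # so subkeys of HKLM\System are still monitored.
    print(is_monitored(r"HKLM\System\CurrentControlSet", r"HKLM\*", r"HKLM\System"))
```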

REGLOGRE

{YES | NO}

YES, to monitor the read registry operations:
    EnumerateKey,
    EnumerateValue,
    QueryKey,
    QueryValue,
    LoadKey,
    UnloadKey,
    CreateKey
NO, to exclude monitoring of the read operations.

Default = YES

REGLOGWR

{YES | NO}

YES, to monitor the write registry operations:
    DeleteKey,
    DeleteValue,
    SetValue,
    CreateKey (successful ones)
NO, to exclude monitoring of the write operations.

Default = YES

REGLOGAU

{YES | NO}

YES, to monitor the auxiliary registry operations:
    OpenKey,
    CloseKey,
    FlushKey
NO, to exclude monitoring of the auxiliary operations.

Default = YES
