Support Get Quote

Spot and stop malicious
activities with Sysmon log
analysis using EventLog Analyzer

  • -Select-
By clicking 'Get your free trial', you agree to processing of personal data according to the Privacy Policy.

Thank you for downloading!

Your download should begin automatically in 15 seconds.
If not, click here to download manually.


System Monitor (Sysmon) is a Windows logging add-on that offers granular logging capabilities and captures security events that are not usually recorded by default. It provides information on process creations, network connections, changes to file systems, and more. Analyzing Sysmon logs is essential to spot malicious activities and security threats.

ManageEngine EventLog Analyzer, a powerful log management solution, can centrally collect and monitor Sysmon logs from all Windows and Linux devices to ensure endpoint security.


Other solutions offered by EventLog Analyzer

  • Windows log management

    Collect, monitor, and analyze event log data to detect malicious activities using EventLog Analyzer. It provides you with actionable security information that can help you secure your network efficiently.

  • Syslog management

    Simplify syslog management with EventLog Analyzer. It can centrally collect, filter, and audit syslog messages obtained from various sources, and raise real-time alerts when a threat is detected.

  • IIS and Apache server log analysis

    Detect and mitigate web server attacks on your IIS and Apache web servers with the help of EventLog Analyzer. It also provides comprehensive, graphical reports on error events, security attacks, usage analytics, and more.

  • Database auditing

    Monitor and analyze database server activity, and get real-time alerts and detailed reports for common server attacks, such as SQL injection attacks and denial-of-service attacks.

  • Network device monitoring

    Prevent network intrusions by auditing activities on your perimeter devices. Gain in-depth insights into suspicious network events using EventLog Analyzer's predefined graphical reports.

  • File integrity monitoring

    Protect your company's sensitive data from unauthorized access and modifications with EventLog Analyzer. Get notified in real time when any unusual activity is detected.

reasons to choose EventLog Analyzer
for Sysmon log analysis


Using effective Sysmon log analysis, EventLog Analyzer detects known attack patterns such as privilege escalations and lateral movement.


Streamline network

With Sysmon log analysis, EventLog Analyzer helps streamline network traffic and detect malicious traffic.



Correlate process creation or modification events with threat intelligence or other security events to detect attacks at an early stage.


Securely store
Sysmon logs

Securely archive your Sysmon logs for future forensic investigation purposes and regulatory compliance requirements.



Analyze your network logs and find the root cause of a security breach using EventLog Analyzer's powerful log search engine.


Frequently asked questions

Where are Sysmon logs stored?

Sysmon log files can be located in the following file path:

In the Event Viewer, you can view Sysmon logs in Applications and Services Logs > Microsoft > Windows > Sysmon.

What are the important Sysmon event IDs I have to monitor?

Sysmon event IDs to monitor:

  • Event ID: 1    Process creation
  • Event ID: 2    A process changed a file creation time
  • Event ID: 3    Network connection
  • Event ID: 4     Sysmon service state changed
  • Event ID: 5     Process terminated
  • Event ID: 6     Driver loaded
  • Event ID: 7     Image loaded
  • Event ID: 8     CreateRemoteThread
  • Event ID: 9     RawAccessRead
  • Event ID: 10     ProcessAccess
  • Event ID: 11    FileCreate
  • Event ID: 12    RegistryEvent (Object create and delete)
  • Event ID: 13    RegistryEvent (Value Set)
  • Event ID: 14    RegistryEvent (Key and Value Rename)
  • Event ID: 15    FileCreateStreamHash
  • Event ID: 16     Sysmon config state changed
  • Event ID: 17     Pipe created
  • Event ID: 18     Pipe connected
  • Event ID: 19     WmiEventFilter activity detected
  • Event ID: 20     WmiEventConsumer activity detected
  • Event ID: 21     WmiEventConsumerToFilter activity detected
  • Event ID: 22     DNSEvent
  • Event ID: 23     FileDelete
  • Event ID: 24     ClipboardChange
  • Event ID: 25    Error

How to add Sysmon logs for monitoring in EventLog Analyzer

To monitor Sysmon logs in EventLog Analyzer, devices that have Sysmon installed in them can be added by navigating to Settings > Configuration > Manage Application Sources. Click here to learn more.

What is Sysmon?

Sysmon is a Windows system device that's designed to provide detailed information about Windows system activities in real time, which includes process creations, network connections, and changes to file creation time. It operates as a Windows service and device driver, which, once installed and configured, starts automatically with Windows. This ensures that monitoring persists through system reboots and is available from system startup to shutdown. This can give the user an understanding of the system and user behavior, which can later be used for attack detection, anomaly detection, and forensic analysis.

What is Sysmon used for?

Sysmon can be used to monitor and log a wide variety of system activity, including process creation and termination, network connections, file and registry changes, DNS queries, and so on. This can be used to detect and investigate malware infections and track the behavior of attackers. Sysmon logs are of a great help in gaining insights of the how the systems in place are being used.

What are the benefits of using Sysmon?

Sysmon logs enhance visibility into your network by providing detailed insights into a wide range of system activities. This comprehensive logging can help you identify anomalies and suspicious behavior that could indicate a security breach. Moreover, Sysmon logs can be effectively integrated with log management solutions to provide a centralized view of security events across your network, which can help you correlate events from different sources, identify potential threats, and streamline incident response.

Ratings and reviews

Recognized and loved globally

Amazing event monitoring software
The best part of ManageEngine EventLog Analyzer is that the interface is very intuitive and quick to grasp.

Administrator Information technology and services

Great for centralizing all your windows machines. You can flag certain events to trigger different actions of your choosing.

Joseph L IT manager

EventLog Analyzer is able of monitor file integrity, analyze log data, track privileged users and examine data logs. The software is secure as it uses latest encryption technologies.

Sophie S eAfrica Solutions, administrator

I am very happy with my experience of using the EventLog Analyzer as after the very installation, it alerted my team about potential threats that were near to attack the servers. Also, It has reduced manual work on my business applications, hence, saving a lot of time and effort in the safeguarding process.

Knowledge specialist Communications industry

Great log management suite. I loved how easy this software was to configure. I had all my logs pointed to it and flowing nicely in no time at all. It makes it very easy to look at your data and get a grasp of what is happening on your network.


Great for centralizing all your windows machines. You can flag certain events to trigger different actions of your choosing.

Joseph L IT manager

Choose EventLog Analyzer to

monitor your Sysmon logs

Download now

A Single Pane of Glass for Comprehensive Log Management

EventLog Analyzer Trusted By

Los Alamos National Bank Michigan State University
Panasonic Comcast
Oklahoma State University IBM
Accenture Bank of America
Ernst Young

Customer Speaks

  • Credit Union of Denver has been using EventLog Analyzer for more than four years for our internal user activity monitoring. EventLog Analyzer provides great value as a network forensic tool and for regulatory due diligence. This product can rapidly be scaled to meet our dynamic business needs.
    Benjamin Shumaker
    Vice President of IT / ISO
    Credit Union of Denver
  • The best thing, I like about the application, is the well structured GUI and the automated reports. This is a great help for network engineers to monitor all the devices in a single dashboard. The canned reports are a clever piece of work.
    Joseph Graziano, MCSE CCA VCP
    Senior Network Engineer
  • EventLog Analyzer has been a good event log reporting and alerting solution for our information technology needs. It minimizes the amount of time we spent on filtering through event logs and provides almost near real-time notification of administratively defined alerts.
    Joseph E. Veretto
    Operations Review Specialist
    Office of Information System
    Florida Department of Transportation
  • Windows Event logs and device Syslogs are a real time synopsis of what is happening on a computer or network. EventLog Analyzer is an economical, functional and easy-to-utilize tool that allows me to know what is going on in the network by pushing alerts and reports, both in real time and scheduled. It is a premium software Intrusion Detection System application.
    Jim Lloyd
    Information Systems Manager
    First Mountain Bank

Awards and Recognitions

A Single Pane of Glass for Comprehensive Log Management