**Please review all of the instructions and setup videos before scrolling down to download the Sysmundo installer.**
RDPSoft™ Sysmundo™ Version 1.x Release Notes
Where Should I Install Sysmundo?
We recommend installing Sysmundo on a Windows Server Operating System, preferably Windows Server 2012 R2, Server 2016, Windows Server 2019, or Windows Server 2022.
The above system should have good connectivity to other servers and workstations in your Windows domain, so that it can communicate with them over Dynamic RPC and WinRM in order to deploy Sysmon and collect Sysmon log data. Hardware firewalls in between the Sysmundo system and other systems in your environment could cause issues.
Supported Operating Systems:
Installation is supported on the following operating systems:
- Windows Server 2012 R2*
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows 10
- Windows 11
*If you wish to use Sysmundo with SQL Express, use a different operating system than Server 2012 R2, as SQL Express 2019 cannot be installed on Server 2012 R2.
Hardware Requirements for Main Installation System
- CPU: 2 or more vCPUs or Cores recommended.
- RAM: 4GB+ recommended minimum
- Available Disk Space for installation: 300 MB
- Minimum Disk Space for log storage and SQL database: 15 to 30 GB.
Notes on performance: The more processing horsepower you have, the faster Sysmundo can parse through saved Sysmon logs during analysis and during indexing operations into SQL. The more RAM you have, the larger a data set of saved “hot storage” logs you will be able to review at the same time during an analysis session. If the system becomes RAM constrained (watch Sysmundo.exe’s memory in Task Manager), the program may temporarily go unresponsive while swapping memory to the page file on disk.
In terms of disk space, you should have at least enough storage available to temporarily store 7 days of saved Sysmon data from all Windows systems being archived by Sysmundo, PLUS another 10 GB of space for SQL Express. Data older than 7 days is kept compressed in Sysmundo’s “cold storage” area, which can be a UNC path elsewhere on the network.
We recommend keeping archived logs on a fast storage medium (e.g. SSD/flash) for the quickest parsing and data analysis.
Permissions, Windows Firewall Exceptions, and the Remote Registry Service
When setting the Sysmundo service account, choose a domain account that has local Administrator rights both on the system where you are installing Sysmundo and on the Windows systems it will archive Sysmon logs from.
If you do not already have a Group Policy defined for Windows Firewall exceptions in your domain, create one, and make sure that the following Windows Firewall exceptions are enabled:
- Remote Event Log Management
- Remote Service Management
Also, make sure that WinRM is enabled on any servers and workstations that Sysmundo will archive Sysmon logs from. WinRM is the default communication channel used by Sysmundo for log archiving and transfer. WinRM is enabled by default on Windows servers, but not on Windows workstations. You can enable WinRM via Group Policy and other mechanisms as described here.
Note: Sysmundo can also enable WinRM and Windows Firewall exceptions remotely via the Sysinternals PSExec utility as part of its Sysmon Deployment Wizard; however, this takes considerably longer than setting a central GPO to enable these items at the outset.
Finally, if you are using Sysmundo with Windows workstations (e.g. Windows 10/Windows 11), set a group policy that re-enables the Remote Registry service, which is disabled by default. The Remote Registry service must be accessible to redeploy Sysmon with PSExec (e.g. uninstall older versions and reinstall new versions).
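The three prerequisites above (WinRM reachable, the two firewall rule groups enabled, and the Remote Registry service not disabled) can be verified from the Sysmundo host before running the Sysmon Deployment Wizard. The script below is an added example and is not part of the Sysmundo product or its release notes; it assumes Windows PowerShell 5.1 run as the Sysmundo service account (local Administrator on the targets), and the computer names in `$Targets` are constructed sample values.

```powershell
# Added example, not part of the Sysmundo release notes. Checks, from the
# Sysmundo host, the prerequisites described above on each target computer.
# Run as the Sysmundo service account in Windows PowerShell 5.1.
# The computer names below are constructed sample values; replace them with yours.
$Targets = @('WS01', 'WS02', 'SRV-FILE01')

# Windows Firewall rule groups the release notes say must be enabled.
$RequiredGroups = @('Remote Event Log Management', 'Remote Service Management')

function Test-SysmundoPrereqs {
    param([string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        $r = [ordered]@{
            Computer       = $c
            WinRM          = $false
            FirewallGroups = 'n/a'
            RemoteRegistry = 'n/a'
        }

        # 1. WinRM: Sysmundo's default log-archiving channel.
        #    Test-WSMan throws when the listener is unreachable.
        try {
            Test-WSMan -ComputerName $c -ErrorAction Stop | Out-Null
            $r.WinRM = $true
        } catch {
            $r.WinRM = $false
        }

        # 2. Firewall exceptions, queried over the same WinRM/CIM channel,
        #    so this check is only meaningful when WinRM is up.
        if ($r.WinRM) {
            try {
                $session = New-CimSession -ComputerName $c -ErrorAction Stop
                $missing = foreach ($g in $RequiredGroups) {
                    $rules = Get-NetFirewallRule -CimSession $session -DisplayGroup $g -ErrorAction Stop
                    # A group counts as enabled only if every rule in it is enabled.
                    if (-not $rules -or ($rules | Where-Object { $_.Enabled -ne 'True' })) { $g }
                }
                $r.FirewallGroups = if ($missing) { "missing: $($missing -join ', ')" } else { 'ok' }
                Remove-CimSession $session
            } catch {
                $r.FirewallGroups = "error: $($_.Exception.Message)"
            }
        }

        # 3. Remote Registry service, which PSExec needs for redeploys.
        #    Get-Service -ComputerName uses RPC, so it works even if WinRM is off.
        try {
            $svc = Get-Service -ComputerName $c -Name RemoteRegistry -ErrorAction Stop
            $r.RemoteRegistry = if ($svc.StartType -eq 'Disabled') {
                'disabled (re-enable via GPO)'
            } else {
                "$($svc.StartType)/$($svc.Status)"
            }
        } catch {
            $r.RemoteRegistry = "error: $($_.Exception.Message)"
        }

        [pscustomobject]$r
    }
}

# One row per computer; anything other than WinRM=True, FirewallGroups=ok and a
# non-disabled RemoteRegistry needs fixing (ideally through the GPOs described above).
Test-SysmundoPrereqs -ComputerName $Targets | Format-Table -AutoSize
```

The firewall check deliberately runs over the same WinRM/CIM channel Sysmundo itself uses, so a failure there reproduces what Sysmundo would see; the Remote Registry check uses RPC instead, which is why it still reports on hosts where WinRM is off.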
Sysinternals Tools Prerequisites
If you install Sysmundo on a system with Internet access, it will automatically attempt to download the Sysmon and PSExec utilities from the Sysinternals website at startup, and will also periodically check for updates.
If you are installing Sysmundo on a closed network or a network that blocks outbound Internet access, you will need to download the following programs from https://live.sysinternals.com and then “sneaker net” those files along with the Sysmundo setup package below into the closed network:
- Sysmon.exe
- Sysmon64.exe
- PSExec.exe
- PSExec64.exe
Once Sysmundo is installed on a system in your closed network, please place the four files above in the \Program Files\RDPSoft\Sysmundo\Tools directory.
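Because Sysmundo will later push these binaries to every system it deploys Sysmon to, it is worth confirming, after the sneaker-net copy, that all four files are present in the Tools directory and still carry a valid Microsoft Authenticode signature. The following script is an added example and is not part of Sysmundo; it assumes a default installation under the system drive's Program Files and uses the file names listed above.

```powershell
# Added example, not part of the Sysmundo release notes. Run on the
# closed-network Sysmundo host after copying the Sysinternals files in.
# Assumes the default installation path under $env:ProgramFiles.
$ToolsDir = Join-Path $env:ProgramFiles 'RDPSoft\Sysmundo\Tools'
$RequiredTools = @('Sysmon.exe', 'Sysmon64.exe', 'PSExec.exe', 'PSExec64.exe')

function Test-SysinternalsTools {
    param(
        [string]$Path = $ToolsDir,
        [string[]]$Names = $RequiredTools
    )

    foreach ($name in $Names) {
        $file = Join-Path $Path $name
        $info = [ordered]@{
            File      = $name
            Present   = Test-Path -Path $file -PathType Leaf
            Signature = 'n/a'
            Signer    = 'n/a'
            Version   = 'n/a'
            Trusted   = $false
        }

        if ($info.Present) {
            # Authenticode check: the status must be Valid (chain builds, file
            # unmodified since signing) and the signer must be Microsoft,
            # which is how Sysinternals releases are signed.
            $sig = Get-AuthenticodeSignature -FilePath $file
            $info.Signature = $sig.Status
            $info.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
            $info.Version   = (Get-Item -Path $file).VersionInfo.ProductVersion
            $info.Trusted   = ($sig.Status -eq 'Valid') -and
                              ($null -ne $sig.SignerCertificate) -and
                              ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
        }

        [pscustomobject]$info
    }
}

$report = Test-SysinternalsTools
$report | Format-Table -AutoSize

# Any file that is missing, modified, or signed by someone other than Microsoft
# should be replaced from https://live.sysinternals.com before deploying Sysmon.
$bad = $report | Where-Object { -not $_.Trusted }
if ($bad) {
    Write-Warning ("Untrusted or missing tools: " + ($bad.File -join ', '))
}
```

The `Version` column is included so the copied build can be compared against the one Sysmundo downloaded on a connected system, since the closed-network host cannot perform the automatic update check described above.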
Initial Setup of Sysmundo (How To Video)
Differences Between the Free and Licensed Versions of Sysmundo
The free version of Sysmundo always allows you to:
- Deploy, reconfigure, and uninstall Sysmon to/from Windows systems with Sysmon XML config files
- Build logical computer groupings (by AD OU, manually, etc) to assist with deploying Sysmon
Also, for the first 15 days after downloading, you can prepare reports on and analyze *live* Sysmon log data from up to 3 computers at a time. After 15 days, you will need to purchase a license for continued access to the analysis features.
The licensed version of Sysmundo provides the same features as the free version, but also:
- Allows you to automatically archive Sysmon logs to the Sysmundo server once a day or several times a day
- Maintains a cold and hot storage repository of archived log files for analysis
- Indexes archived Sysmon data into SQL, which allows you to rapidly retrieve specific sets of data from specific sets of users for analysis across all gathered logs
- Allows you to analyze data from live logs or archived logs, with no limit on the number of computers analyzed at once (other than your license counts)
- Allows you to schedule reports against the prior day's collected Sysmon log data
