
SysMon Documentation

SysMon – The System Monitoring Tool

What is SysMon
SysMon Plug-ins
SysMon Processors
SysMon Client Overview
File->Connect
File->Connect Local
File->Disconnect
File->Save
File->Save As
File->Open File
File->Recent File
File->Print
File->Exit
Edit->Undo
Edit->Cut
Edit->Copy
Edit->Delete
Edit->Delete All
Edit->Select All
Edit->Find
Edit->Find Next
Edit->Find Prev
Edit->Toggle Bookmark
Edit->Next Bookmark
Edit->Prev Bookmark
Edit->Remove All Bookmarks
View->Toolbar
View->Status Bar
View->Auto Scroll
View->Always on top
View->Filter/Highlight
View->Font
Tools->Settings
Help->Contents
Help->Index
Help->SysMon Web Homepage
Help->Check for Updates
Help->About SysMon
SysMon Server Overview
Management
Configuration
General Configuration
View Filters Configuration
Security Configuration
Plug-ins Configuration
Flow Configuration
Scripting Engine Processor Configuration
The available functions
File-System Log Processor Configuration

What is SysMon

SysMon is a generic system monitoring tool. It captures a range of events in real time, processes them, and enables their viewing. SysMon is built as an extensible and very flexible platform, and it is a client-server system. Event collection is the server side and is performed by a resident service with a very small footprint. The client is a Windows application responsible for the graphical user interface. The client connects to the server through TCP/IP.

SysMon Plug-ins

The capturing of events is performed by pluggable software modules called SysMon plug-ins. Each plug-in is responsible for capturing a certain type of event. The plug-ins currently available are:

  • Debug Output: captures debug output from software

  • Events: captures system events

  • IIS: captures hits on the Internet Information Services web server

  • Log4j: captures debug messages from Java applications through log4j

  • Cron: generates an event at a configurable interval, which enables activating logic at any desired interval.

  • Performance counters: collects information from any component capable of emitting data through the Windows performance counters interface.

SysMon Processors

SysMon processors are pluggable software modules responsible for processing the captured events. The processors currently available are:

  • Scripting Engine: capable of executing custom logic in JavaScript.

  • File-System Log: writes the events to the file system.

The processors are arranged in a tree structure. Each level in the tree will process each event and then route it to its child processors. This tree structure is called a flow.
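The flow described above, modelled as an added example in JavaScript (the language the Scripting Engine processor executes). This is not SysMon's own code: the class names, the handle/process methods, the in-memory stand-in for the File-System Log processor and the sample events are all assumptions made for illustration.

```javascript
// Added example (not SysMon's own code): a model of the processor tree
// ("flow") in which each node processes an event and then routes it to its
// child processors, so a parent always sees an event before its children do.
// Class and method names are assumptions for illustration.

class Processor {
  constructor(name) {
    this.name = name;
    this.children = [];
  }
  add(child) {
    this.children.push(child);
    return child;
  }
  // Hook for the node's own work; returns the (possibly annotated) event.
  process(event) {
    return event;
  }
  // Process first, then route the result to the children in order (depth first).
  handle(event) {
    const out = this.process(event);
    for (const child of this.children) child.handle(out);
  }
}

// Stand-in for the Scripting Engine processor: runs caller-supplied logic on a
// copy of the event so siblings elsewhere in the tree are not affected.
class ScriptProcessor extends Processor {
  constructor(name, fn) {
    super(name);
    this.fn = fn;
  }
  process(event) {
    return this.fn({ ...event });
  }
}

// Stand-in for the File-System Log processor: appends lines to an in-memory
// array instead of a file so the example runs anywhere.
class LogProcessor extends Processor {
  constructor(name) {
    super(name);
    this.lines = [];
  }
  process(event) {
    this.lines.push(`${event.source}\t${event.level || "-"}\t${event.text}`);
    return event;
  }
}

// Build a flow: root -> script (tags a level from the message text) -> log,
// plus a second log placed directly under root, which never sees the tag.
function buildFlow() {
  const root = new Processor("root");
  const script = root.add(new ScriptProcessor("tagger", (e) => {
    e.level = /error|fail/i.test(e.text) ? "ERROR" : "INFO";
    return e;
  }));
  const tagged = script.add(new LogProcessor("tagged-log"));
  const raw = root.add(new LogProcessor("raw-log"));
  return { root, tagged, raw };
}

// Constructed sample events (not captured from a real system).
const SAMPLE_EVENTS = [
  { source: "Debug Output", text: "service started" },
  { source: "IIS", text: "GET /login failed: 500" },
  { source: "Events", text: "disk error on volume C:" },
];

function runSample() {
  const flow = buildFlow();
  for (const ev of SAMPLE_EVENTS) flow.root.handle(ev);
  return { tagged: flow.tagged.lines, raw: flow.raw.lines };
}
```

Because a node processes before it routes, the log placed under the script sees the level the script added, while the log placed directly under root records the same three events without it. Where a processor sits in the tree therefore decides what it gets to see.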

SysMon Client Overview

The SysMon client is responsible for the graphical user interface of the system. The client can be launched in several ways:

  • By double clicking on the SysMon taskbar icon

  • By right clicking on the SysMon taskbar icon and selecting Open from the popup menu.

  • By the Windows Start Menu->Programs->SysMon->SysMon Viewer

  • By double clicking on SysMon.exe in Windows Explorer

The SysMon client connects to the SysMon server through TCP/IP protocol.


Here is the client main screen:

Each line represents an event. By double clicking on an event, the event details window is opened:

File->Connect

Use this operation in order to connect to a SysMon server on the network.

IP/Name: type the IP address or the host name of the computer on which the SysMon server you wish to connect to is running. The drop-down list contains recent computers that were connected to from this client.

Port: The TCP/IP port which the SysMon server is configured to listen on. The default is 8500.

Password: The password that is configured on the SysMon server. When connecting to the SysMon server on the local host, the password is not needed and is ignored.

Remember Password: check this box if you wish the password to be saved on this client machine.

In order for a connect operation to succeed, the following conditions must be met:

  • SysMon Server must be running on the computer that you are trying to connect to
  • The network must enable TCP/IP connection between the client and the server
  • The SysMon Server must be configured to enable remote connections from the client
  • The password used must match the configured password on the SysMon server

If the client is already connected to a SysMon server, it will first disconnect from it.

File->Connect Local

Use this operation in order to connect to a SysMon server on the local host. If the SysMon server is not running, the client will attempt to launch it.

If the client is already connected to a SysMon server, it will first disconnect from it.

File->Disconnect

Use this operation in order to disconnect the client from the server. If the client is currently viewing a file, the file will be closed.

File->Save

Use this operation in order to save any changes made to the file being viewed.

File->Save As

Use this operation in order to save any changes made to the file being viewed into another file name.

The selection only option will save only the selected lines.

File->Open File

Use this operation in order to open a previously saved SysMon log file.

File->Recent File

Use this operation in order to open a previously saved SysMon log file that was recently opened in the client.

File->Print

Use this operation in order to print the log.

File->Exit

Use this operation in order to exit the SysMon client. Closing the client will not close the server. The server will continue monitoring the system while the client is closed.

Edit->Undo

Use this operation in order to undo the last deletion performed.

Edit->Cut

Use this operation in order to delete the selected lines from the log and place them in the clipboard. This enables a paste operation.

Edit->Copy

Use this operation in order to copy the selected lines from the log to the clipboard. This enables a paste operation.

Edit->Delete

Use this operation in order to delete the selected lines from the log.

Edit->Delete All

Use this operation in order to delete all the data from the log.

Edit->Select All

Use this operation in order to select all the lines in the log.

Edit->Find

Use this operation in order to find information in the log.

Text to find: type the text you wish to find.

Match whole word only: will only find the typed text if it is a complete word.

Match case: find the text only if there is a precise match in letter case.

Regular expression: accept a regular expression in the typed text in order to extend the search capabilities. Click on the black arrow to the right of the text input line in order to open a menu with all the different regular expressions you can use:

Name (Regular Expression): Description

Any Character (.): Accept any single character

Character in/Not in Range ([ ]): Any one of the characters contained in the brackets, or any of an ASCII range of characters separated by a hyphen (-). For example, x[abc]y matches xay, xby and xcy, and r[eo]+d matches red, rod, reed, and rood, but not reod or roed. x[0-9] matches x0, x1, x2, and so on. If the first character in the brackets is a caret (^), then the regular expression matches any characters except those in the brackets

Beginning of line (^): Match text only if it starts at the beginning of the line. For example, ^abc

End of line ($): Match text only if it ends at the end of the line. For example, xyz$

Or (\|): Or. For example abc\|xyz will match either abc or xyz.

0 or More Matches (*): Match any number of occurrences of the expression preceding the *. For example, HT*P will match HTTP and HP.

1 Or More Matches (+): Match at least one occurrence of the expression preceding the +. For example, HT+P will match HTTP but not HP.

Group (\{\}): Any sequence of characters between the escaped braces. For example, \{ju\}+fruit finds jufruit, jujufruit, jujujufruit, and so on. Note that it will not find jfruit, ufruit, or ujfruit, because the sequence ju is not in any of those strings

Word Bound (\b): Word bound. For example, \bed will find education but not medical

Not Word Bound (\B): Not word bound. For example, \Bed will find medical but not education

The regular expression menu includes some pre-set combinations for convenience:

Name: Regular Expression

Whitespace: [ \t]

Alphanumeric character: [0-9a-zA-Z]

Alphabetic character: [a-zA-Z]

Decimal digit: [0-9]

Hexadecimal digit: [0-9a-fA-F]

Direction: Up or Down. Search for the next match in older events relative to the currently selected event (Up) or in newer events (Down).

Source: type text to be matched in the event source column. If left blank, all sources are matched.
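As an added example (not SysMon's own parser), the following translates a Find-dialog pattern written in the dialect documented above into a JavaScript RegExp and runs it against the examples given in the table. The rules it applies (\| is alternation, \{ and \} delimit a group, a bare |, {, }, ( or ) is a literal character, and everything inside [ ] is copied unchanged) are inferred from the table and are assumptions about the dialect, not a description of the client's internals.

```javascript
// Added example (not SysMon's own code): translate the documented Find-dialog
// regular expression dialect into an equivalent JavaScript RegExp.
// The translation rules are assumptions inferred from the documented table.

function toJsRegex(pattern) {
  let out = "";
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (inClass) {
      // Inside [ ] the syntax is the same in both dialects; copy until ].
      out += ch;
      if (ch === "]") inClass = false;
      continue;
    }
    if (ch === "\\") {
      const next = pattern[i + 1];
      if (next === undefined) throw new Error("trailing backslash in pattern");
      i++;
      if (next === "|") out += "|";          // \|  -> alternation
      else if (next === "{") out += "(";     // \{  -> group open
      else if (next === "}") out += ")";     // \}  -> group close
      else out += "\\" + next;               // \b \B \t \. ... unchanged
      continue;
    }
    if (ch === "[") { inClass = true; out += ch; continue; }
    // Bare JS metacharacters that are plain literals in the SysMon dialect.
    if ("|{}()".includes(ch)) { out += "\\" + ch; continue; }
    out += ch;
  }
  if (inClass) throw new Error("unterminated character class in pattern");
  return new RegExp(out);
}

function matches(pattern, text) {
  return toJsRegex(pattern).test(text);
}

// Re-check the examples from the documented table; returns the list of
// mismatches (an empty array means every documented example behaves as stated).
function checkDocumentedExamples() {
  const cases = [
    ["x[abc]y", "xay", true], ["x[abc]y", "xby", true], ["x[abc]y", "xcy", true],
    ["x[abc]y", "xdy", false],
    ["r[eo]+d", "red", true], ["r[eo]+d", "rood", true],
    ["x[0-9]", "x7", true], ["x[0-9]", "xa", false],
    ["^abc", "abcdef", true], ["^abc", "zabc", false],
    ["xyz$", "wxyz", true], ["xyz$", "xyzw", false],
    ["abc\\|xyz", "xyz", true], ["abc\\|xyz", "abx", false],
    ["HT*P", "HTTP", true], ["HT*P", "HP", true],
    ["HT+P", "HTTP", true], ["HT+P", "HP", false],
    ["\\{ju\\}+fruit", "jujujufruit", true], ["\\{ju\\}+fruit", "ujfruit", false],
    ["\\bed", "education", true], ["\\bed", "medical", false],
    ["\\Bed", "medical", true], ["\\Bed", "education", false],
    ["a{2}", "a{2}", true],   // bare braces are literal in this dialect
  ];
  return cases
    .filter(([p, t, want]) => matches(p, t) !== want)
    .map(([p, t, want]) => `${p} on ${t}: expected ${want}`);
}
```

One check worth making while you are here: r[eo]+d does match reod and roed as well, because + repeats the bracket expression and each repetition may pick either letter; read the exclusion in that table row with care when you rely on such a pattern in a filter or highlight rule.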

Edit->Find Next

Use this operation in order to find the next match of the current find parameters. If the SHIFT key is held together with F3, the current search direction is reversed.

Edit->Find Prev

Use this operation in order to find the previous match of the current find parameters. If the SHIFT key is held together with F3, the current search direction is reversed.

Edit->Toggle Bookmark

Use this operation in order to toggle the bookmark state at the current log line. This means that if there is no bookmark on the current log line, a bookmark will be set, and vice versa. Setting a bookmark on a log line allows quick finding of that line by using the Next Bookmark and Prev Bookmark commands.

Edit->Next Bookmark

Use this operation in order to jump to the next bookmark.

Edit->Prev Bookmark

Use this operation in order to jump to the previous bookmark.

Edit->Remove All Bookmarks

Use this operation in order to delete all the bookmarks.

View->Toolbar

Use this operation in order to toggle the visibility state of the toolbar.

View->Status Bar

Use this operation in order to toggle the visibility state of the Status Bar.

View->Auto Scroll

Use this operation in order to toggle the log auto scroll feature. When auto scroll is enabled, the log will automatically scroll in order to make every new line added to it visible.

View->Always on top

Use this operation in order to toggle the always on top feature. When always on top is enabled, the SysMon window stays on top of other windows. It may still be covered by other windows that are also marked as always on top.

View->Filter/Highlight

This option opens the View Filters page in the settings dialog.

This configuration page lets you either highlight/decorate log lines or hide them, based on find criteria. See Edit->Find for details.

View->Font

This option opens the standard Windows font selection dialog:

Use this dialog to select the font used to show the log data. This font will also be used for printing.

Tools->Settings

This option opens the settings dialog. See Configuration for details.

Help->Contents

This option will open the help contents:

Help->Index

This option will open the help index:

Help->SysMon Web Homepage

This option will open the default web browser and will navigate to http://www.sysmon.com

Help->Check for Updates

This option will connect to http://www.sysmon.com and will check for new updates.

Help->About SysMon

This option will open the about dialog:

SysMon Server Overview

The SysMon server is implemented as a system service. It can automatically start when the operating system is started. The server listens on a TCP/IP port (the default port is 8500) for incoming client connections. Multiple clients may connect to the server concurrently. The server performs event collection through special modules called SysMon plug-ins. Once an event is captured, it is processed by SysMon processors. A processor is a software module that receives a notification for each event captured. It can then process this event. After processing the event, the event is routed to the next processors, which together form a processing flow. This mechanism forms a very flexible event capturing and processing system.

Management

SysMon runs inside a system service.

Stopping SysMon service:

  • Open a command console by Start->Run, type ‘cmd’<enter>
  • Type ‘net stop SysMonSvc’<enter>

Starting SysMon service:

  • Open a command console by Start->Run, type ‘cmd’<enter>
  • Type ‘net start SysMonSvc’<enter>

The SysMon service is configured by default to start automatically on system startup.

Configuration Overview

Configuration of SysMon is performed by a SysMon client application. In order to configure a server, the client has to connect to it first. Connecting to a server running on the same machine as the client does not require any password. Connecting to a remote server requires both a password and proper security settings on the server. The server must also allow remote configuration.

You configure SysMon through the settings dialog:

Use this dialog to configure both SysMon client and server. The client configuration includes: