Hi.
I noticed a workstation is not sending any Sysmon events. Process start events are showing. How can I reinstall or fix Sysmon deployed with the R7 agent? I thought I read somewhere that the agent “heals” itself?
I noticed that the “Sysmon64” service is “Disabled”.
I just enabled “DEBUG” in the config.json file and restarted the Rapid7 Service. I’ll let it run and check the log files in a bit.
For Sysmon troubleshooting we would recommend reviewing the Sysmon Installer logs (they come with the log package if you hit Collect logs from agent mgmt).
The Sysmon installer is responsible for installing and ensuring Sysmon is Running; however, if something else is interfering with or owning the Sysmon install, the Sysmon installer may run into difficulties.
David
I think it’s having issues updating sysmon. Can I upload the sysmon installer log file in this post?
The service Sysmon64 is already registered. Uninstall Sysmon before reinstalling.
*. Stderr: *
. ExitCode: 1242
Error code: 1242
I’d suggest a support ticket instead to maintain privacy.
David
I ended up manually deleting the service and sysmon.exe, restarting the R7 service. It’s working now.
Great news!
David
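A read-only check for the condition described in this thread (Sysmon64 registered but Disabled, no Sysmon events arriving), added here as an example and not taken from Rapid7 or from any poster. The event channel name and the 30-minute staleness threshold are assumptions.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell prompt,
# since reading the Sysmon channel normally requires administrator rights.
$ServiceName = 'Sysmon64'                               # service name quoted in the thread
$Channel     = 'Microsoft-Windows-Sysmon/Operational'   # assumption: Sysmon's default channel
$MaxAgeMin   = 30                                       # constructed staleness threshold

function Get-SysmonHealth {
    param(
        [string]$Name = $ServiceName,
        [string]$LogName = $Channel,
        [int]$MaxAgeMinutes = $MaxAgeMin
    )
    $findings = @()

    # Service registration, start mode and state (the thread found it "Disabled").
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings += "Service $Name is not registered"
    } else {
        if ($svc.StartMode -eq 'Disabled') { $findings += "Service $Name start mode is Disabled" }
        if ($svc.State -ne 'Running')      { $findings += "Service $Name state is $($svc.State)" }

        # A stale registration can point at a binary that no longer exists.
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            $findings += "Service binary missing: $exe"
        }
    }

    # Newest event in the Sysmon channel; no recent event means telemetry has stopped.
    $last = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $last) {
        $findings += "No events readable from $LogName"
    } elseif ($last.TimeCreated -lt (Get-Date).AddMinutes(-$MaxAgeMinutes)) {
        $findings += "Newest event in $LogName is from $($last.TimeCreated)"
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Get-SysmonHealth | Format-List
```

The function only reads state and changes nothing, so it can be run on a schedule to flag workstations where Sysmon has silently stopped reporting.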