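<#
.SYNOPSIS
    Idempotent Sysmon install/update for Wazuh telemetry (Netsource MSP).

.DESCRIPTION
    Downloads Sysmon64.exe and its configuration from dl.netsource.de.
      - Service Sysmon64 not present: install with -accepteula -i <config>
      - Service Sysmon64 present:     config update with -c <config> (idempotent)

    Both files are downloaded to staging names first. The binary is promoted to its
    final path and executed only if its Authenticode signature is valid and names
    Microsoft Corporation as signer; the config is promoted only if it parses as XML.

.PARAMETER BinaryUrl
    URL of Sysmon64.exe.

.PARAMETER ConfigUrl
    URL of the Sysmon configuration XML.

.NOTES
    PowerShell 5.1+.
    Exit: 0=OK, 1=Download-Fail, 2=Install-Fail, 3=Service-Verify-Fail
    A download that fails signature or XML validation is reported as exit 1.
#>
param(
    [string]$BinaryUrl = "https://dl.netsource.de/sysmon/Sysmon64.exe",
    [string]$ConfigUrl = "https://dl.netsource.de/sysmon/sysmonconfig.xml"
)

$ErrorActionPreference = 'Stop'
$ProgressPreference = 'SilentlyContinue'

# Windows PowerShell 5.1 can default to pre-TLS-1.2 protocols depending on the .NET
# configuration; make sure TLS 1.2 is offered for the downloads below.
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# The config carries no signature, so transport security is its only integrity
# protection in this script. Warn (do not fail, to stay compatible with existing
# callers) when a caller overrides the defaults with a non-HTTPS URL.
foreach ($url in @($BinaryUrl, $ConfigUrl)) {
    if ($url -notmatch '^https://') {
        Write-Warning ("Non-HTTPS download URL: " + $url)
    }
}

# NOTE(review): directories created under ProgramData normally inherit ACLs that let
# non-admin users create files. If this script runs elevated, restrict $dir to
# Administrators/SYSTEM so the staged binary and config cannot be replaced between
# verification and execution - confirm against the deployment's ACLs.
$dir = "$env:ProgramData\Netsource\Sysmon"
$null = New-Item -ItemType Directory -Force -Path $dir

$bin = Join-Path $dir 'Sysmon64.exe'
$cfg = Join-Path $dir 'sysmonconfig.xml'

# Staging names: nothing unverified ever sits at the path that gets executed.
$binNew = Join-Path $dir 'Sysmon64.new.exe'
$cfgNew = Join-Path $dir 'sysmonconfig.new.xml'

try {
    Invoke-WebRequest -Uri $BinaryUrl -OutFile $binNew -UseBasicParsing
    Invoke-WebRequest -Uri $ConfigUrl -OutFile $cfgNew -UseBasicParsing

    # Never execute a downloaded binary unverified: require a valid Authenticode
    # signature whose signer is Microsoft Corporation.
    $sig = Get-AuthenticodeSignature -FilePath $binNew
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw ("Authenticode check failed for Sysmon64.exe (Status=" + $sig.Status + ")")
    }

    # Reject anything that is not well-formed XML (e.g. an HTML error page saved
    # under the config name). Load() throws on a parse error.
    $xmlCheck = New-Object System.Xml.XmlDocument
    $xmlCheck.Load($cfgNew)

    Move-Item -LiteralPath $binNew -Destination $bin -Force
    Move-Item -LiteralPath $cfgNew -Destination $cfg -Force
}
catch {
    Remove-Item -LiteralPath $binNew, $cfgNew -Force -ErrorAction SilentlyContinue
    # -ErrorAction Continue: with $ErrorActionPreference = 'Stop', a plain Write-Error
    # is itself terminating and the documented exit code would never be reached.
    Write-Error ("Download fail: " + $_.Exception.Message) -ErrorAction Continue
    exit 1
}

$svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue

try {
    if ($svc) {
        Write-Output "Sysmon64 schon installiert -> Config-Update"
        & $bin -c $cfg
    }
    else {
        Write-Output "Sysmon64 frische Installation"
        & $bin -accepteula -i $cfg
    }

    # A native executable does not throw on a non-zero exit code. Without this check
    # a rejected config update on an already-running service would be reported as OK.
    if ($LASTEXITCODE -ne 0) {
        throw ("Sysmon64.exe exit code " + $LASTEXITCODE)
    }
}
catch {
    Write-Error ("Install/Update fail: " + $_.Exception.Message) -ErrorAction Continue
    exit 2
}

# Give the service a moment to come up before checking its state.
Start-Sleep -Seconds 3

$svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    Write-Error "Sysmon64 Service nicht Running" -ErrorAction Continue
    exit 3
}

# Best effort only: the version banner is informational, so a failure to read it is
# deliberately ignored and must not change the exit code.
$verLine = ""
try {
    $verLine = ((& $bin -ver) 2>&1 |
        Select-String -Pattern '^Sysmon v.*' |
        Select-Object -First 1).ToString()
}
catch { }

Write-Output ("OK " + $verLine + " ServiceStatus=" + $svc.Status)
exit 0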