...

Sysmon logs all activity to the Windows event log. In recent versions of Windows (Vista and above), the log data can be found in “Applications and Services Logs/Microsoft/Windows/Sysmon/Operational” (on older systems, events are written to the “System” event log). With Sysmon log data stored in the Windows event log, Snare agents can be easily configured to collect and send this data to all configured destinations. The standard Windows policies will collect and send all the custom event logs, which include Sysmon-type events.

Sysmon Installation/Configuration

...