Tales in Sysmon

Sysmon is an excellent free tool from Microsoft care of the talented Mark Russinovich. Essentially it takes an XML file that configures logging for lots of different events on windows, from network traffic through to the more important process monitoring. Essentially it will fingerprint every process, and map out the parent processes. It's great for incident response, if you don't have it, at least on key systems you're missing out.

This post is likely to be updated as I find issues.
I built up a process to do it at work, and on most systems it worked fine. On some systems it didn't. I had very little logs or events to troubleshoot it with. I was getting on the host a blank Sysmon log. The only linking factor was they were all windows servers.

Nothing Logged in Sysmon logs.

Doing some standard troubleshooting, uninstall, reboot, reinstall, reboot. No go.
Then I noticed the directory we'd deployed it to was were the sysmon service was pointing. Seems our install script set it to run from there.
I uninstalled and moved the exe to a different directory and it worked. Sysmon extracts a .sys driver file, that was unfortunately being overwritten by our deployment software, and not loading the driver, hence no logs. Hope this helps someone else.

Don't log your logger 

You want to reduce your noise into your SIEM, so make sure to not log processes started by your logger.