Hi, I'm trying to get OSSEC to alert on Sysmon logs. After installing 
Sysmon and setting <logall> to yes, I do get Sysmon events in 
archives.log, but I don't get anything useful. The lines stop after the 
event description. For example:

2017 Aug 03 00:00:35 (Win7-1) 0.0.0.0->WinEvtLog 2017 Aug 03 00:00:38 
WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(3): no source: 
SYSTEM: NT AUTHORITY: Win7-1.testdomain.local: Network connection detected:
2017 Aug 03 00:00:53 (Win7-1) 0.0.0.0->WinEvtLog 2017 Aug 03 00:00:56 
WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(5): no source: 
SYSTEM: NT AUTHORITY: Win7-1.testdomain.local: Process terminated:
2017 Aug 03 00:00:55 (Win7-1) 0.0.0.0->WinEvtLog 2017 Aug 03 00:00:58 
WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(5): no source: 
SYSTEM: NT AUTHORITY: Win7-1.testdomain.local: Process terminated:

The events do show srcIP, dstIP, port info, etc. in Windows.

Is it possible that I'm missing something in my agent.conf?  When I search 
Google for ossec and Sysmon, I do see that others get full log lines.

As always, any help will be greatly appreciated.

Thank you.

Kevin
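As an added example (not part of Kevin's post and not taken from the OSSEC project's own documentation), the agent.conf fragment below reads the Sysmon channel with the eventchannel log format. OSSEC documents eventchannel as the format for the Windows Vista-and-later channels such as Microsoft-Windows-*/Operational; the legacy eventlog format uses the older event log API, and on those channels it is a plausible cause of the description-only lines shown above, so switching formats is the first thing to check. The channel name is the one from the archives.log lines; everything else is a generic setting, not a page-specific value.

```xml
<!-- agent.conf on the OSSEC manager (pushed to Windows agents).
     Example only: not from the original post or the OSSEC project. -->
<agent_config os="Windows">
  <localfile>
    <!-- Channel name exactly as it appears in Event Viewer / archives.log -->
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <!-- eventchannel (not eventlog) so the full rendered event, including
         the SourceIp/DestinationIp/DestinationPort fields of a Sysmon
         event ID 3, reaches the manager -->
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>
```

After the agent picks up the new configuration (restart the OSSEC agent service, or wait for it to fetch agent.conf from the manager), the archives.log entries for this channel should carry the complete message body instead of ending at "Network connection detected:". If they still stop there, the remaining candidates are an ossec.conf on the agent that lists the same channel with log_format eventlog, which takes precedence for that entry, or an agent build old enough to lack eventchannel support.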
