Well, the version makes all the difference. I set up a test system with server version 2.91, and agent version 2.90, and everything works nicely. Now to convince Alienvault to update their product...
On Tue, Aug 8, 2017 at 10:05 AM, Kevin Geil <i...@friendandfamilytech.com> wrote:
> Thanks Alberto, I did try using eventchannel, multi-line (with location of
> microsoft-windows-sysmon/operational, and the path to the evtx file), and
> eventlog, but I still get multiple line output in alerts.log (or "ERROR:
> Unable to open file", depending on the configuration).
>
> From the reading I have done, it appears as if many people (including you,
> in your Wazuh blog post on this topic) have successfully monitored sysmon
> logs with just an eventchannel log format, so I still feel as if I'm doing
> something wrong. My ossec server version is 2.8.3, and the agent shows
> version 2.8. My next step is to install version 2.9.1 on a different box
> just to see if that makes the difference, but, of course, any advice
> someone has to offer will be greatly appreciated.
>
> Thanks,
> Kevin
>
> On Mon, Aug 7, 2017 at 3:15 PM, <alberto.rodrig...@wazuh.com> wrote:
>
>> Hello Kevin,
>>
>> Following this document http://ossec-docs.readthedocs.io/en/latest/manual/monitoring/
>> you'll be able to read the multiple lines of sysmon events.
>>
>> *Allowed:* <log_format>multi-line: NUMBER</log_format>
>>
>> Hope it helps,
>> Best regards,
>> Alberto R.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ossec-list+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
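For readers landing on this thread with the same problem, here is a complete agent-side `<localfile>` configuration for the Sysmon channel, added as an example; it is not part of the original messages and not something Kevin or Alberto posted. It assumes an OSSEC 2.9.x Windows agent (the version Kevin reports as working) and goes in the agent's ossec.conf. The `eventchannel` format reads the newer Windows channels such as Microsoft-Windows-Sysmon/Operational through the Event Log API; the older `eventlog` format only covers the classic Application, System and Security logs, and `multi-line` reads a text file line by line, so it is not meant for the binary .evtx format. The commented-out second block shows Alberto's `multi-line: NUMBER` form on a constructed text-log path so the two settings can be compared side by side.

```xml
<!-- Added example, not from the thread: agent-side ossec.conf fragment
     for collecting Sysmon events. Assumes an OSSEC 2.9.x Windows agent. -->
<ossec_config>

  <!-- Working form: read the Sysmon channel through the Windows Event
       Log API. The channel name is the one shown in Event Viewer under
       Applications and Services Logs. Each Sysmon event is forwarded as
       one record, so the server raises one alert per event rather than
       the multi-line output described in the thread. -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- Alternative from Alberto's reply, for a plain-text log whose records
       each span a fixed number of lines. NUMBER is that line count
       (3 below is a constructed value, as is the path). This format reads
       the file line by line, so it suits text logs, not a binary .evtx. -->
  <!--
  <localfile>
    <location>C:\path\to\constructed-example.log</location>
    <log_format>multi-line: 3</log_format>
  </localfile>
  -->

</ossec_config>
```

After saving the file, restart the OSSEC agent service and trigger a harmless Sysmon event (starting any process is enough). On the server, a single alert per event in alerts.log confirms the channel is being read as intended; if events are still split across several alerts, check the agent and server versions first, since that was the deciding factor in this thread.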