Good to know. Thanks for sharing the issue, we will take it into account in the future.
Best regards,

On Tuesday, August 8, 2017 at 9:04:36 PM UTC+2, Kevin Geil wrote:
>
> Well, the version makes all the difference. I set up a test system with
> server version 2.91, and agent version 2.90, and everything works nicely.
> Now to convince Alienvault to update their product...
>
> On Tue, Aug 8, 2017 at 10:05 AM, Kevin Geil <in...@friendandfamilytech.com> wrote:
>
>> Thanks Alberto, I did try using eventchannel, multi-line (with location
>> of microsoft-windows-sysmon/operational, and the path to the evtx file),
>> and eventlog, but I still get multiple line output in alerts.log (or
>> "ERROR: Unable to open file", depending on the configuration).
>>
>> From the reading I have done, it appears as if many people (including
>> you, in your Wazuh blog post on this topic) have successfully monitored
>> sysmon logs with just an eventchannel log format, so I still feel as if I'm
>> doing something wrong. My ossec server version is 2.8.3, and the agent
>> shows version 2.8. My next step is to install version 2.9.1 on a different
>> box just to see if that makes the difference, but, of course, any advice
>> someone has to offer will be greatly appreciated.
>>
>> Thanks,
>> Kevin
>>
>> On Mon, Aug 7, 2017 at 3:15 PM, <alberto....@wazuh.com> wrote:
>>
>>> Hello Kevin
>>>
>>> Following this document
>>> http://ossec-docs.readthedocs.io/en/latest/manual/monitoring/ you'll be
>>> able to read the multiple lines of sysmon events.
>>>
>>> Allowed: <log_format>multi-line: NUMBER</log_format>
>>>
>>> Hope it helps,
>>> Best regards,
>>> Alberto R.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
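The two `<localfile>` configurations discussed in this thread, written out as an added example for the Windows agent's ossec.conf. This is not configuration posted by either participant or taken from the OSSEC or Wazuh documentation. It assumes an agent version with `eventchannel` support (the thread reports it working on 2.9.x and not on 2.8), that Sysmon is installed and writing to its default channel `Microsoft-Windows-Sysmon/Operational`, and a hypothetical flat text file path for the `multi-line` variant.

```xml
<!-- Added example, not from the original thread or the OSSEC/Wazuh docs. -->
<ossec_config>

  <!-- Sysmon events live in a Windows event channel, so they are read with
       log_format eventchannel. The channel name is the one shown under
       "Applications and Services Logs" in Event Viewer; the .evtx file path
       is NOT used here, which is the configuration the thread reports
       producing "ERROR: Unable to open file". Channel reading needs an
       agent version with eventchannel support (2.9.x in this thread). -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- multi-line: N is for plain text logs where every event spans a fixed
       number of lines; the N lines are joined into one event before analysis.
       It does not apply to .evtx binary files. The path below is a
       hypothetical exported text log, used only to illustrate the syntax. -->
  <localfile>
    <location>C:\logs\sysmon-export.txt</location>
    <log_format>multi-line: 3</log_format>
  </localfile>

</ossec_config>
```

After editing ossec.conf, restart the agent service and watch the agent's ossec.log for errors about the configured location; if the channel is opened without complaint and alerts.log on the server shows one alert per Sysmon event rather than one per line, the channel is being read as intended. If the agent is older than the version the thread reports working, the eventchannel block is the one to test first after upgrading, since the multi-line format addresses a different input type.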