I am currently running 2.9RC2 on both client and server:

What is the best way to go about testing an eventchannel log? I have the 
following set in my local ossec.conf on my windows agent:


<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>


I am using the default sysmon decoder included on my server:


<decoder name="Sysmon-EventID#1">
  <type>windows</type>
  <prematch>INFORMATION\(1\)</prematch>
  <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
  <order>status,user,url,data</order>
</decoder>


I modified the default sysmon rule so that I would capture all process 
creates by setting the level to 1:


<rule id="184700" level="1">
  <if_sid>18100</if_sid>
  <description>Sysmon - Process Create Event</description>
</rule>



I would think that I would now see all process creates in my alerts.log but 
unfortunately I don't see any sysmon events at all. Any idea on the best 
way to troubleshoot this? Thank you!
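One way to check, offline, whether the decoder above actually extracts fields from a Sysmon event 1 line before staring at alerts.log: the script below is an added example, not part of the post or of OSSEC, and it approximates ossec-analysisd's regex dialect (prematch, then regex on the text after the prematch, then positional mapping onto <order>) with Python's re module; the "WinEvtLog: <channel>: LEVEL(id): ..." prefix and the event message flattened onto a single line are assumptions about the agent's eventchannel output. On a real server the equivalent check is feeding the line to ossec-logtest.

```python
import re

# Subset of OSSEC's regex dialect mapped onto Python re (in OSSEC: \. = any char,
# \s = one space, \w = [A-Za-z0-9@_-], a bare '.' is literal, \( and \) are literal).
_OSSEC_TOKENS = {
    r"\.": ".", r"\S": r"\S", r"\s": " ", r"\w": r"[A-Za-z0-9@_\-]",
    r"\d": r"\d", r"\t": r"\t", r"\(": r"\(", r"\)": r"\)",
}

def ossec_to_python(pattern):
    """Translate an OSSEC <prematch>/<regex> pattern into Python re syntax."""
    def sub(m):
        tok = m.group(0)
        if tok in _OSSEC_TOKENS:
            return _OSSEC_TOKENS[tok]
        return tok if tok in "()*+^$|" else re.escape(tok)   # rest is literal
    return re.sub(r"\\.|.", sub, pattern)

def decode(line, prematch, regex, order):
    """Mimic the decoder stage: None = prematch missed (decoder not chosen);
    {} = prematch hit but the regex did not (no fields for rules to use);
    otherwise captures mapped positionally onto the <order> names."""
    pm = re.search(ossec_to_python(prematch), line)
    if pm is None:
        return None
    m = re.search(ossec_to_python(regex), line[pm.end():])  # after_prematch
    return dict(zip(order, m.groups())) if m else {}

# Decoder from the post, copied verbatim.
PREMATCH = r"INFORMATION\(1\)"
REGEX = (r"Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* "
         r"\s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* "
         r"\s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* "
         r"\s*ParentImage: (\.*) \s*ParentCommandLine:")
ORDER = ["status", "user", "url", "data"]

# Constructed sample line (hypothetical host, GUIDs and hash); the line layout is an
# assumption about what the agent produces for an eventchannel Sysmon event 1.
SAMPLE = ("WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): "
          "Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WS01: Process Create: "
          "UtcTime: 2017-03-01 10:00:00.000 ProcessGuid: {AAAA-1111} ProcessId: 4242 "
          "Image: C:\\Windows\\System32\\cmd.exe CommandLine: cmd.exe /c whoami "
          "User: CORP\\alice LogonGuid: {BBBB-2222} LogonId: 0x3e7 TerminalSessionId: 1 "
          "IntegrityLevel: Medium HashType: SHA1 Hash: DEADBEEF0000 "
          "ParentProcessGuid: {CCCC-3333} ParentProcessID: 4000 "
          "ParentImage: C:\\Windows\\explorer.exe ParentCommandLine: explorer.exe")

if __name__ == "__main__":
    print(decode(SAMPLE, PREMATCH, REGEX, ORDER))
```

Note that the four captures land in the fields status, user, url and data, so those are the names a rule has to reference; and if the Sysmon build in use writes `Hashes: SHA1=...` rather than `HashType:`/`Hash:`, decode() returns {} because the regex has nothing to match, which is exactly the silent no-alert situation.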


