On Thu, Jul 28, 2016 at 11:24 PM, Craig <[email protected]> wrote:
> I am currently running 2.9RC2 on both client and server:
>
> What is the best way to go about testing an eventchannel log? I have the
> following set in my local ossec.conf on my windows agent:
>
> <localfile>
>   <location>Microsoft-Windows-Sysmon/Operational</location>
>   <log_format>eventchannel</log_format>
> </localfile>
>
> I am using the default sysmon decoder included on my server:
>
> <decoder name="Sysmon-EventID#1">
>   <type>windows</type>
>   <prematch>INFORMATION\(1\)</prematch>
>   <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
>   <order>status,user,url,data</order>
> </decoder>
>
> I modified the default sysmon rule so that I would capture all process
> creates by setting the level to 1:
>
> <rule id="184700" level="1">
>   <if_sid>18100</if_sid>
>   <description>Sysmon - Process Create Event</description>
> </rule>
>
> I would think that I would now see all process creates in my alerts.log but
> unfortunately I don't see any sysmon events at all. Any idea on the best way
> to troubleshoot this? Thank you!
Turn on the logall option on the server, restart the OSSEC processes on the server, and watch the archives.log. When you find a sysmon log, you can use that with ossec-logtest to try and figure out what is going on.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
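The reply's advice is to pull a raw Sysmon line out of archives.log and push it through ossec-logtest. The script below is an added example (not part of this thread and not OSSEC code) that does a dry run of the same check offline: it takes the decoder's prematch, regex and order exactly as Craig posted them, translates the small OSSEC regex dialect they use into Python's re syntax, and applies them to a constructed Sysmon Event ID 1 line laid out the way an eventchannel agent forwards it (the header layout and every field value are assumptions). OSSEC's matcher is its own engine, not PCRE, so this only tells you whether the pattern is plausible against a given line; the authoritative answer still comes from ossec-logtest on a real line from archives.log.

```python
import re

# Decoder fields copied verbatim from the post (OSSEC regex dialect, not PCRE).
OSSEC_PREMATCH = r"INFORMATION\(1\)"
OSSEC_REGEX = (
    r"Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* "
    r"\s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* "
    r"\s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* "
    r"\s*ParentImage: (\.*) \s*ParentCommandLine:"
)
ORDER = ["status", "user", "url", "data"]  # the post's <order>; names are OSSEC's, not Sysmon's

# Constructed sample: one Sysmon Event ID 1 record as an OSSEC eventchannel agent
# would forward it on a single line. Header layout, host, GUIDs and hash are all
# made up for this example.
SAMPLE_LINE = (
    r"WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): "
    r"Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WKS01: Process Create: "
    r"UtcTime: 2016-07-29 03:24:00.000 ProcessGuid: {11111111-2222-3333-4444-555555555555} "
    r"ProcessId: 1234 Image: C:\Windows\System32\cmd.exe CommandLine: cmd.exe /c whoami "
    r"User: CORP\alice LogonGuid: {66666666-7777-8888-9999-000000000000} LogonId: 0x3e7 "
    r"TerminalSessionId: 1 IntegrityLevel: High HashType: SHA1 "
    r"Hash: 0123456789ABCDEF0123456789ABCDEF01234567 "
    r"ParentProcessGuid: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} ParentProcessID: 500 "
    r"ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE"
)

# Escapes whose meaning is the same (or close enough for a dry run) in both dialects.
_PASSTHROUGH = set("sSwWdDt")


def ossec_to_python(pattern: str) -> str:
    """Translate the subset of OSSEC regex syntax used in the decoder to Python re.

    Approximation (assumption): OSSEC's '\\.' means any character, a bare '.' is a
    literal period, and '\\(' / '\\)' are literal parentheses; groups and
    quantifiers are shared with Python.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == ".":
                out.append(".")              # OSSEC \. -> any single character
            elif nxt in _PASSTHROUGH:
                out.append("\\" + nxt)       # \s \S \w \W \d \D \t keep their escape
            else:
                out.append(re.escape(nxt))   # \( \) \\ etc. are literals in both
            i += 2
            continue
        if c in "()*+?^$|":
            out.append(c)                    # metacharacters shared with Python
        elif c == ".":
            out.append(r"\.")                # bare '.' is literal in OSSEC
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def decode(line: str, prematch: str = OSSEC_PREMATCH,
           regex: str = OSSEC_REGEX, order: list = ORDER):
    """Mimic the decoding phase of ossec-logtest for one decoder.

    Returns None when the prematch does not hit (decoder not selected), an empty
    dict when the prematch hits but the regex extracts nothing, and otherwise a
    dict mapping the <order> names to the captured groups.
    """
    if not re.search(ossec_to_python(prematch), line):
        return None
    m = re.search(ossec_to_python(regex), line)
    if not m:
        return {}
    return dict(zip(order, m.groups()))


if __name__ == "__main__":
    result = decode(SAMPLE_LINE)
    if result is None:
        print("prematch did not match: decoder would not be selected")
    elif not result:
        print("prematch matched but regex extracted no fields")
    else:
        for name, value in result.items():
            print(f"{name}: '{value}'")
```

If the dry run returns an empty dict for a line copied from archives.log, the field order or spacing in the decoder regex is the first thing to compare against the real event text (for instance the `IntegrityLevel: \.*HashType:` stretch, which assumes a `HashType:` field); if it returns None, the line never carried the `INFORMATION(1)` prematch and the problem is upstream of the decoder.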
