So, I did find my problem, sort of. The log is coming through in multiline
format, so when I grepped for "sysmon", I only got the first line and
missed all of the good info. I am using ossec in Alienvault, so that may
complicate things a bit. I know that what I need to do is to force ossec
to use a single line for output, but can't quite figure it out. From what
research I've done, I need to make a global settings change, but I can't
quite figure out where. Hopefully someone can help.
My current global config is as follows:
<global>
<email_notification>no</email_notification>
<custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL:
"$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER";
SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT:
"[INIT]$FULLLOG[END]"; </custom_alert_output>
</global>
Thanks,
Kevin
On Thursday, August 3, 2017 at 2:55:35 PM UTC-4, Kevin Geil wrote:
>
> Hi, I'm trying to get OSSEC to alert on sysmon logs. After installing
> sysmon, and setting <logall> to yes, I do get sysmon events in
> archives.log, but I don't get anything useful. The lines stop after the
> event description: For example:
>
> 2017 Aug 03 00:00:35 (Win7-1) 0.0.0.0->WinEvtLog 2017 Aug 03 00:00:38
> WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(3): no source:
> SYSTEM: NT AUTHORITY: Win7-1.testdomain.local: Network connection detected:
> 2017 Aug 03 00:00:53 (Win7-1) 0.0.0.0->WinEvtLog 2017 Aug 03 00:00:56
> WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(5): no source:
> SYSTEM: NT AUTHORITY: Win7-1.testdomain.local: Process terminated:
> 2017 Aug 03 00:00:55 (Win7-1) 0.0.0.0->WinEvtLog 2017 Aug 03 00:00:58
> WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(5): no source:
> SYSTEM: NT AUTHORITY: Win7-1.testdomain.local: Process terminated:
>
> The events do show srcIP, dstIP, port info, etc. in Windows.
>
> Is it possible that I'm missing something in my agent.conf? When I search
> Google for ossec and Sysmon, I do see that others get full log lines.
>
> As always, any help will be greatly appreciated.
>
> Thank you.
>
> Kevin
>
>
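The follow-up above is the whole story: each Sysmon event in archives.log is one record that continues over several lines, so a line-oriented grep for "sysmon" matches only the header line and never the IP and port fields. The script below is an added example, not code from the thread or from OSSEC, that groups continuation lines back into records before searching, and also shows what a single-line rendering of the same record looks like, which is what grep would need. The record-start pattern is taken from the log excerpt quoted in the thread; the field lines (Image, SourceIp, DestinationIp, ...) are a constructed sample in the "Key: value" layout Sysmon uses for its event data, so the exact field names and values are assumptions for illustration.

```python
import re
from typing import Dict, Iterator, List, Optional

# First line of an OSSEC archives.log record, as in the thread's excerpt:
# "2017 Aug 03 00:00:35 (Win7-1) 0.0.0.0->WinEvtLog ..."
RECORD_START = re.compile(r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \(")

# Constructed sample: two Sysmon records (event IDs 3 and 5), each with its
# event data continued on the following lines. Field lines are assumed.
SAMPLE_ARCHIVES_LOG = """\
2017 Aug 03 00:00:35 (Win7-1) 0.0.0.0->WinEvtLog 2017 Aug 03 00:00:38 WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(3): no source: SYSTEM: NT AUTHORITY: Win7-1.testdomain.local: Network connection detected:
Image: C:\\Windows\\System32\\svchost.exe
User: NT AUTHORITY\\SYSTEM
Protocol: tcp
SourceIp: 192.0.2.10
SourcePort: 49710
DestinationIp: 198.51.100.20
DestinationPort: 443
2017 Aug 03 00:00:53 (Win7-1) 0.0.0.0->WinEvtLog 2017 Aug 03 00:00:56 WinEvtLog: Microsoft-Windows-Sysmon/Operational: Information(5): no source: SYSTEM: NT AUTHORITY: Win7-1.testdomain.local: Process terminated:
Image: C:\\Windows\\System32\\notepad.exe
ProcessId: 4120
"""


def iter_records(lines) -> Iterator[List[str]]:
    """Group lines into records: a new record starts at each timestamp line,
    every other line is a continuation of the current record."""
    record: List[str] = []
    for line in lines:
        line = line.rstrip("\n")
        if RECORD_START.match(line) and record:
            yield record
            record = []
        record.append(line)
    if record:
        yield record


def grep_lines(text: str, needle: str) -> List[str]:
    """Line-oriented search, i.e. what `grep -i needle archives.log` does."""
    return [l for l in text.splitlines() if needle.lower() in l.lower()]


def search_records(text: str, needle: str) -> List[List[str]]:
    """Record-oriented search: return every whole record with a matching line."""
    return [r for r in iter_records(text.splitlines())
            if any(needle.lower() in l.lower() for l in r)]


def to_single_line(record: List[str]) -> str:
    """Render a multi-line record as one line so line-oriented tools see all fields."""
    return " | ".join(l.strip() for l in record)


def event_id(record: List[str]) -> Optional[int]:
    """Pull the Windows event ID out of the 'Information(N)' token on the header line."""
    m = re.search(r"Information\((\d+)\)", record[0])
    return int(m.group(1)) if m else None


def sysmon_fields(record: List[str]) -> Dict[str, str]:
    """Parse the 'Key: value' continuation lines into a dict (header line skipped)."""
    fields: Dict[str, str] = {}
    for line in record[1:]:
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


if __name__ == "__main__":
    # grep-style: only the header lines match, the IPs never show up
    for l in grep_lines(SAMPLE_ARCHIVES_LOG, "sysmon"):
        print("grep:", l[:80], "...")
    # record-style: the whole event, including network fields, is available
    for rec in search_records(SAMPLE_ARCHIVES_LOG, "sysmon"):
        print("event", event_id(rec), sysmon_fields(rec))
        print("flattened:", to_single_line(rec)[:120], "...")
```

Searching the flattened output of `to_single_line` with `grep_lines` finds the DestinationIp field on the same line as the Sysmon header, which is the effect the post is after when it talks about forcing single-line output; parsing records directly with `search_records` gets the same result without changing how OSSEC writes the file.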
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.