Hello Kevin,

Following this document http://ossec-docs.readthedocs.io/en/latest/manual/monitoring/ you'll be able to read the multiple lines of sysmon events.
*Allowed:* <log_format>multi-line: NUMBER</log_format>

Hope it helps,
Best regards,
Alberto R.
