Thanks Alberto, I did try using eventchannel, multi-line (with location of microsoft-windows-sysmon/operational, and the path to the evtx file), and eventlog, but I still get multiple line output in alerts.log (or "ERROR: Unable to open file", depending on the configuration).

From the reading I have done, it appears as if many people (including you, in your Wazuh blog post on this topic) have successfully monitored sysmon logs with just an eventchannel log format, so I still feel as if I'm doing something wrong. My ossec server version is 2.8.3, and the agent shows version 2.8. My next step is to install version 2.9.1 on a different box just to see if that makes the difference, but, of course, any advice someone has to offer will be greatly appreciated.

Thanks,
Kevin

On Mon, Aug 7, 2017 at 3:15 PM, <alberto.rodrig...@wazuh.com> wrote:
> Hello Kevin
>
> Following this document http://ossec-docs.readthedocs.io/en/latest/manual/monitoring/ you'll be able to read the multiple lines of sysmon events.
>
> *Allowed:* <log_format>multi-line: NUMBER</log_format>
>
> Hope it helps,
> Best regards,
> Alberto R.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
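For reference, the Sysmon localfile block for the Windows agent's ossec.conf, added here as an example and not taken from either message in the thread: with eventchannel the location is the event channel name (as shown in Event Viewer), not a path to an .evtx file on disk, and each event is delivered to the server as a single line, so no multi-line log_format is involved.

```xml
<!-- Added example fragment for the OSSEC Windows agent's ossec.conf (not from the thread). -->
<ossec_config>
  <localfile>
    <!-- eventchannel reads the live channel through the Windows Event Log API.
         The location is the channel name exactly as Event Viewer shows it under
         Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.
         A filesystem path to the .evtx file is not a channel and will not be opened. -->
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- multi-line: N is a format for plain text log files with a fixed number of
       lines per event; it does not apply to an event channel and is not needed here. -->
</ossec_config>
```

After editing ossec.conf, restart the agent so the new localfile entry is picked up; the server then receives one line per Sysmon event to match against its rules.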