Re: [ossec-list] Re: Windows EventChannel (sysmon): Not getting full line in archives.log

2017-08-08 Thread Kevin Geil
Well, the version makes all the difference. I set up a test system with server version 2.91, and agent version 2.90, and everything works nicely. Now to convince Alienvault to update their product... On Tue, Aug 8, 2017 at 10:05 AM, Kevin Geil wrote: > Thanks

[ossec-list] Re: How to research "Host-based anomaly detection event (rootcheck)."

2017-08-08 Thread Clinton Parham
I also get these alerts periodically. Running 'ps' afterwards doesn't ever find anything... rather frustrating. Is there another way to figure out what app/code is triggering them? Would be great if ossec could capture more about the process when it's encountered. { "rule": { "level": 7,

Re: [ossec-list] Re: Windows EventChannel (sysmon): Not getting full line in archives.log

2017-08-08 Thread Kevin Geil
Thanks Alberto, I did try using eventchannel, multi-line (with location of microsoft-windows-sysmon/operational, and the path to the evtx file), and eventlog, but I still get multiple line output in alerts.log (or "ERROR: Unable to open file", depending on the configuration). From the reading I