Good to know. Thanks for sharing the issue, we will take it into account in
the future.
Best regards,
On Tuesday, August 8, 2017 at 9:04:36 PM UTC+2, Kevin Geil wrote:
Well, the version makes all the difference. I set up a test system with
server version 2.91, and agent version 2.90, and everything works nicely.
Now to convince Alienvault to update their product...
On Tue, Aug 8, 2017 at 10:05 AM, Kevin Geil wrote:
Thanks Alberto, I did try using eventchannel, multi-line (with location of
microsoft-windows-sysmon/operational, and the path to the evtx file), and
eventlog, but I still get multiple line output in alerts.log (or "ERROR:
Unable to open file", depending on the configuration).
From the reading I
Hello Kevin,
Following this document
http://ossec-docs.readthedocs.io/en/latest/manual/monitoring/ you'll be
able to read the multiple lines of sysmon events.
*Allowed:* multi-line: NUMBER
Hope it helps,
Best regards,
Alberto R.
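Kevin's original problem (his first post, quoted further down in this thread) was that a grep for "sysmon" in alerts.log returned only the first line of each multi-line alert. Grouping records before matching avoids that. The Python below is an added example, not code from this thread or from OSSEC itself; the alert records in it are constructed sample data, and it assumes the usual alerts.log layout (a "** Alert" header per record, the body on the following lines, a blank line closing the record).

```python
import re

# Constructed sample in alerts.log layout: a "** Alert" header, the
# timestamp/host line, the "Rule:" line, the log body, then a blank line.
# Hosts, addresses and times are placeholders. The first record is a
# multi-line Sysmon event, the second a single-line sshd alert.
SAMPLE_ALERTS_LOG = """\
** Alert 1502215476.12345: - windows,sysmon,
2017 Aug 08 12:04:36 (WIN-TEST) 10.0.0.5->WinEvtLog
Rule: 18100 (level 5) -> 'Windows error event.'
WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-TEST: Process Create:
Image: C:\\Windows\\System32\\notepad.exe
CommandLine: "notepad.exe" C:\\Users\\kevin\\notes.txt
ParentImage: C:\\Windows\\explorer.exe

** Alert 1502215480.12400: - syslog,sshd,authentication_failed,
2017 Aug 08 12:04:40 ossec-server->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Aug  8 12:04:40 ossec-server sshd[2112]: Failed password for invalid user admin from 10.0.0.9 port 51122 ssh2

"""

ALERT_HEADER = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): - (?P<groups>.*)$")


def parse_alerts(text):
    """Split alerts.log text into records: alert id, rule groups, body lines."""
    records, current = [], None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:  # every "** Alert" header starts a new record
            current = {"id": m.group("id"),
                       "groups": [g for g in m.group("groups").split(",") if g],
                       "lines": []}
            records.append(current)
        elif current is not None and line.strip():
            # keep every body line; a blank line simply closes the record
            current["lines"].append(line)
    return records


def find_alerts(text, needle):
    """Return whole records whose groups or body mention needle (case-insensitive),
    so a Sysmon event is reported with all of its lines, not just the first."""
    needle = needle.lower()
    return [r for r in parse_alerts(text)
            if needle in ",".join(r["groups"]).lower()
            or any(needle in l.lower() for l in r["lines"])]
```

Pointing `parse_alerts` at the real `/var/ossec/logs/alerts/alerts.log` content gives the same grouping, so each hit can be printed or forwarded as one complete event.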
So, I did find my problem, sort-of. The log is coming through in multiline
format, so when I grepped for "sysmon", I only got the first line and
missed all of the good info. I am using ossec in Alienvault, so that may
complicate things a bit. I know that what I need to do is to force ossec