Re: [ossec-list] Re: Windows EventChannel (sysmon): Not getting full line in archives.log

2017-08-09 Thread alberto . rodriguez
Good to know. Thanks for sharing the issue, we will take it into account in the future. Best regards, On Tuesday, August 8, 2017 at 9:04:36 PM UTC+2, Kevin Geil wrote: > > Well, the version makes all the difference. I set up a test system with > server version 2.91, and agent version 2.90, and

Re: [ossec-list] Re: Windows EventChannel (sysmon): Not getting full line in archives.log

2017-08-08 Thread Kevin Geil
Well, the version makes all the difference. I set up a test system with server version 2.91, and agent version 2.90, and everything works nicely. Now to convince Alienvault to update their product... On Tue, Aug 8, 2017 at 10:05 AM, Kevin Geil wrote: > Thanks

Re: [ossec-list] Re: Windows EventChannel (sysmon): Not getting full line in archives.log

2017-08-08 Thread Kevin Geil
Thanks Alberto, I did try using eventchannel, multi-line (with location of microsoft-windows-sysmon/operational, and the path to the evtx file), and eventlog, but I still get multiple line output in alerts.log (or "ERROR: Unable to open file", depending on the configuration). From the reading I

[ossec-list] Re: Windows EventChannel (sysmon): Not getting full line in archives.log

2017-08-07 Thread alberto . rodriguez
Hello Kevin Following this document http://ossec-docs.readthedocs.io/en/latest/manual/monitoring/ you'll be able to read the multiple lines of sysmon events. *Allowed:* multi-line: NUMBER Hope it helps, Best regards, Alberto R. -- --- You received this message because you are

[ossec-list] Re: Windows EventChannel (sysmon): Not getting full line in archives.log

2017-08-03 Thread Kevin Geil
So, I did find my problem, sort-of. The log is coming through in multiline format, so when I grepped for "sysmon", I only got the first line and missed all of the good info. I am using ossec in Alienvault, so that may complicate things a bit. I know that what I need to do is to force ossec