Thanks Alberto, I did try using eventchannel, multi-line (with location of
microsoft-windows-sysmon/operational, and the path to the evtx file), and
eventlog, but I still get multiple line output in alerts.log (or "ERROR:
Unable to open file", depending on the configuration).
From the reading I h
I also get these alerts periodically. Running 'ps' afterwards doesn't ever
find anything... rather frustrating.
Is there another way to figure out what app/code is triggering them? Would
be great if ossec could capture more about the process when it's
encountered.
{ "rule": { "level": 7, "comm
Well, the version makes all the difference. I set up a test system with
server version 2.91, and agent version 2.90, and everything works nicely.
Now to convince Alienvault to update their product...
On Tue, Aug 8, 2017 at 10:05 AM, Kevin Geil
wrote:
> Thanks Alberto, I did try using eventchann