Sysmon logs are not getting ingested and I m using version 3.9

[Blason R]

Hi Guys,

I am using ELK 6.7.2 and able to ingest Security events however I am trying for Sysmon logs and those are not able to get into Wazuh.

I am using below repository and simple sysmon codes from Wazuh blog. Can someone please help?

<localfile>

<location>Microsoft-Windows-Sysmon/Operational</location>

<log_format>eventchannel</log_format>

</localfile>




https://github.com/sametsazak/sysmon


Thanks and Regards,

Blason R







[Cristina Garrido López]

Hi Blason R,

Can you verify if you are receiving Sysmon events at the Windows Event Viewer? See if they are generated at the Sysmon section which is located at Applications and Services Logs/Microsoft/Windows/Sysmon/Operational. If you have followed the Wazuh blog, whenever you launch a Powershell, you should get a Sysmon creation event.

Best regards,

Cristina

[Blason R]

Yes, logs are appearing in Sysmon Eventviewer however those are not getting transferred in ELK. Even tried opening powershell bu dang :(

I heard/read somehwere that 3.9.0 follows a different schema for Sysmon which is not compatible with the rules provided; not sure though.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/65dbaa26-4a7e-42c3-a49f-231a300a5079%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Cristina Garrido López]

Hello Blason,

Sysmon rules have changed for version 3.9 as they were not working correctly, now they are. I am trying to reproduce your issue, could you paste your sysconfig.xml file from Sysmon? Are the rules being recorded at the /var/ossec/logs/archives/archives.log? Check that the alert level of the generic Sysmon rules is 0, if you need some of them to be alerted, you should increment this value or create new ones that pend from the generic ones.

Best regards,

Cristina

On Tuesday, May 14, 2019 at 8:53:23 AM UTC+2, Blason R wrote:

Yes, logs are appearing in Sysmon Eventviewer however those are not getting transferred in ELK. Even tried opening powershell bu dang :(

I heard/read somehwere that 3.9.0 follows a different schema for Sysmon which is not compatible with the rules provided; not sure though.

On Tue, May 14, 2019 at 11:52 AM Cristina Garrido López <cris...@wazuh.com> wrote:

Hi Blason R,

Can you verify if you are receiving Sysmon events at the Windows Event Viewer? See if they are generated at the Sysmon section which is located at Applications and Services Logs/Microsoft/Windows/Sysmon/Operational. If you have followed the Wazuh blog, whenever you launch a Powershell, you should get a Sysmon creation event.

Best regards,

Cristina

On Tuesday, May 14, 2019 at 5:48:45 AM UTC+2, Blason R wrote:

Hi Guys,

I am using ELK 6.7.2 and able to ingest Security events however I am trying for Sysmon logs and those are not able to get into Wazuh.

I am using below repository and simple sysmon codes from Wazuh blog. Can someone please help?

<localfile>

<location>Microsoft-Windows-Sysmon/Operational</location>

<log_format>eventchannel</log_format>

</localfile>




https://github.com/sametsazak/sysmon


Thanks and Regards,

Blason R







--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

[Blason R]

You can get the Sysmon file from

https://github.com/sametsazak/sysmon

I have configured the Wazuh thrice and I am sure there is the issue or not sure if I am making any mistakes.

And nopt the logs are not being recorded at archives.log

Check that the alert level of the generic Sysmon rules is 0

Where is this setting?

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/65dbaa26-4a7e-42c3-a49f-231a300a5079%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/e360b132-c692-408f-9757-3c5f1a663b2f%40googlegroups.com.

[Cristina Garrido López]

Hello Blason,

To find out what is happening, I would like you to try another configuration file for Sysmon simpler than the one from that repository. Please follow the installation and configuration steps from the Wazuh blog. This configuration generates an event each time a Powershell is launched. To uninstall Sysmon, run the next command: Sysmon64.exe -u. Also notice that this post is deprecated, but the configuration steps for Sysmon are the same.


Once you have configured Sysmon with that configuration file, add the localfile block with Microsoft-Windows-Sysmon/Operational as the location field and restart the agent to make sure the changes have been added. Then, launch a Powershell and see if the event is recorded at the Sysmon section of the Event Viewer and at the archives.log from the manager.




Kind regards,

Cristina





[Blason R]

HI there,

Any particular sysmon config file you have; since I was using SwiftOnSecurity config or let me use the default one which is provided.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0c9a7f16-f6ef-43c0-8d6d-c3cb36d278bc%40googlegroups.com.

[Blason R]

The funny thing is I can see the events are generated on System but those are not at all being transported to Wazuh-Manager.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0c9a7f16-f6ef-43c0-8d6d-c3cb36d278bc%40googlegroups.com.

[Cristina Garrido López]

Hi Blason,

Then, your manager isn't receiving any of the logs from your agent? Is there anything recorded at your archives.log file? (set to yes the logall and logall_json options from the ossec.conf file).

Making some tests, I have seen that if you install Sysmon after configuring and restarting the agent, you won't get any of the Sysmon logs recorded at the Event Viewer, it is necessary to restart again the agent so that it can check the new Sysmon logs.

Please tell me if you followed the right steps and if you are getting any logs at the archives.log file.

Kind regards,

Cristina

On Tuesday, May 14, 2019 at 3:18:44 PM UTC+2, Blason R wrote:

The funny thing is I can see the events are generated on System but those are not at all being transported to Wazuh-Manager.

On Tue, May 14, 2019 at 4:13 PM Cristina Garrido López <cris...@wazuh.com> wrote:

Hello Blason,

To find out what is happening, I would like you to try another configuration file for Sysmon simpler than the one from that repository. Please follow the installation and configuration steps from the Wazuh blog. This configuration generates an event each time a Powershell is launched. To uninstall Sysmon, run the next command: Sysmon64.exe -u. Also notice that this post is deprecated, but the configuration steps for Sysmon are the same.


Once you have configured Sysmon with that configuration file, add the localfile block with Microsoft-Windows-Sysmon/Operational as the location field and restart the agent to make sure the changes have been added. Then, launch a Powershell and see if the event is recorded at the Sysmon section of the Event Viewer and at the archives.log from the manager.




Kind regards,

Cristina





--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

[Blason R]

Well, Yes I followed the proper step and yes I installed sysmon later but then I restarted the service numerous times but still no luck.

Any ways let me see log_all option.

Thanks for helping out.

On Tue, May 14, 2019 at 7:16 PM Cristina Garrido López <cris...@wazuh.com> wrote:

Hi Blason,

Then, your manager isn't receiving any of the logs from your agent? Is there anything recorded at your archives.log file? (set to yes the logall and logall_json options from the ossec.conf file).

Making some tests, I have seen that if you install Sysmon after configuring and restarting the agent, you won't get any of the Sysmon logs recorded at the Event Viewer, it is necessary to restart again the agent so that it can check the new Sysmon logs.

Please tell me if you followed the right steps and if you are getting any logs at the archives.log file.

Kind regards,

Cristina

On Tuesday, May 14, 2019 at 3:18:44 PM UTC+2, Blason R wrote:

The funny thing is I can see the events are generated on System but those are not at all being transported to Wazuh-Manager.

On Tue, May 14, 2019 at 4:13 PM Cristina Garrido López <cris...@wazuh.com> wrote:

Hello Blason,

To find out what is happening, I would like you to try another configuration file for Sysmon simpler than the one from that repository. Please follow the installation and configuration steps from the Wazuh blog. This configuration generates an event each time a Powershell is launched. To uninstall Sysmon, run the next command: Sysmon64.exe -u. Also notice that this post is deprecated, but the configuration steps for Sysmon are the same.


Once you have configured Sysmon with that configuration file, add the localfile block with Microsoft-Windows-Sysmon/Operational as the location field and restart the agent to make sure the changes have been added. Then, launch a Powershell and see if the event is recorded at the Sysmon section of the Event Viewer and at the archives.log from the manager.




Kind regards,

Cristina





--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0c9a7f16-f6ef-43c0-8d6d-c3cb36d278bc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/65031521-dcca-4f57-9618-9b9d4e5898e7%40googlegroups.com.

[Cristina Garrido López]

Hello Blason,

Are you using version 3.9 in both, manager and agent? Yes, please, tell me about the logall option, you should enable it to get every Sysmon event at the archives.log.

Regards,

Cristina

On Tuesday, May 14, 2019 at 7:44:25 PM UTC+2, Blason R wrote:

Well, Yes I followed the proper step and yes I installed sysmon later but then I restarted the service numerous times but still no luck.

Any ways let me see log_all option.

Thanks for helping out.

On Tue, May 14, 2019 at 7:16 PM Cristina Garrido López <cris...@wazuh.com> wrote:

Hi Blason,

Then, your manager isn't receiving any of the logs from your agent? Is there anything recorded at your archives.log file? (set to yes the logall and logall_json options from the ossec.conf file).

Making some tests, I have seen that if you install Sysmon after configuring and restarting the agent, you won't get any of the Sysmon logs recorded at the Event Viewer, it is necessary to restart again the agent so that it can check the new Sysmon logs.

Please tell me if you followed the right steps and if you are getting any logs at the archives.log file.

Kind regards,

Cristina

On Tuesday, May 14, 2019 at 3:18:44 PM UTC+2, Blason R wrote:

The funny thing is I can see the events are generated on System but those are not at all being transported to Wazuh-Manager.

On Tue, May 14, 2019 at 4:13 PM Cristina Garrido López <cris...@wazuh.com> wrote:

Hello Blason,

To find out what is happening, I would like you to try another configuration file for Sysmon simpler than the one from that repository. Please follow the installation and configuration steps from the Wazuh blog. This configuration generates an event each time a Powershell is launched. To uninstall Sysmon, run the next command: Sysmon64.exe -u. Also notice that this post is deprecated, but the configuration steps for Sysmon are the same.


Once you have configured Sysmon with that configuration file, add the localfile block with Microsoft-Windows-Sysmon/Operational as the location field and restart the agent to make sure the changes have been added. Then, launch a Powershell and see if the event is recorded at the Sysmon section of the Event Viewer and at the archives.log from the manager.




Kind regards,

Cristina





--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0c9a7f16-f6ef-43c0-8d6d-c3cb36d278bc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

[Blason R]

I have not tried that option but will be doing this today!!

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0c9a7f16-f6ef-43c0-8d6d-c3cb36d278bc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/65031521-dcca-4f57-9618-9b9d4e5898e7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6d36e1ad-3f9a-4b38-9539-37fba8da1fd6%40googlegroups.com.

[Cristina Garrido López]

Perfect Blason, let me know if you get the expected results when you try this.

Best regards,

Cristina

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0c9a7f16-f6ef-43c0-8d6d-c3cb36d278bc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/65031521-dcca-4f57-9618-9b9d4e5898e7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

[Blason R]

Nah, still the same. Here is my config.

Can you suggest; I am running out of ideas here.

<ossec_config>
<global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
</global>
  <client>
    <server>
      <address>192.168.5.35</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
    <crypto_method>aes</crypto_method>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
  </client>

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0c9a7f16-f6ef-43c0-8d6d-c3cb36d278bc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/65031521-dcca-4f57-9618-9b9d4e5898e7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6d36e1ad-3f9a-4b38-9539-37fba8da1fd6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/1232a0e4-147a-463e-9ce5-acd6da9f8e23%40googlegroups.com.

[Cristina Garrido López]

Hello Blason,

As you are not getting any logs at the archives.log file, could you tell me your Windows version so that I can reproduce your exact same issue?

Kind regards,

Cristina

[Blason R]

Hi there,

I tried it with Windows 7 and Windows 10 from the developer edition distributed by Microsoft. This is really surprising isnt it? I followed your article which is posted on 17th May and dang no results.

By the way there is a small typo in that article :)

locafile should have been localfile

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/cf455f3a-f551-416e-a98c-ca2713a1b4d7%40googlegroups.com.

[Cristina Garrido López]

Hi Blason,

I have tried, but I cannot reproduce it. A couple of questions:

- At the agent side, in the ossec.log file, can you check if you have received the message 'Analyzing event log: 'Microsoft-Windows-Sysmon/Operational''?

- At the manager side, in the ossec.log file, do you have any warnings when generating Sysmon events at the agent?

Thank you for reporting the typo! I appreciate that.

Kind regards,

Cristina

On Monday, May 20, 2019 at 3:38:47 PM UTC+2, Blason R wrote:

Hi there,

I tried it with Windows 7 and Windows 10 from the developer edition distributed by Microsoft. This is really surprising isnt it? I followed your article which is posted on 17th May and dang no results.

By the way there is a small typo in that article :)

locafile should have been localfile

On Mon, May 20, 2019 at 11:49 AM Cristina Garrido López <cris...@wazuh.com> wrote:

Hello Blason,

As you are not getting any logs at the archives.log file, could you tell me your Windows version so that I can reproduce your exact same issue?

Kind regards,

Cristina

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

[Blason R]

Surely and thanks.

I now tried with 3.8.2 and received the messages properly.

Let me check what you have suggested.

On Tue, May 21, 2019 at 2:04 PM Cristina Garrido López <cris...@wazuh.com> wrote:

Hi Blason,

I have tried, but I cannot reproduce it. A couple of questions:

- At the agent side, in the ossec.log file, can you check if you have received the message 'Analyzing event log: 'Microsoft-Windows-Sysmon/Operational''?

- At the manager side, in the ossec.log file, do you have any warnings when generating Sysmon events at the agent?

Thank you for reporting the typo! I appreciate that.

Kind regards,

Cristina

On Monday, May 20, 2019 at 3:38:47 PM UTC+2, Blason R wrote:

Hi there,

I tried it with Windows 7 and Windows 10 from the developer edition distributed by Microsoft. This is really surprising isnt it? I followed your article which is posted on 17th May and dang no results.

By the way there is a small typo in that article :)

locafile should have been localfile

On Mon, May 20, 2019 at 11:49 AM Cristina Garrido López <cris...@wazuh.com> wrote:

Hello Blason,

As you are not getting any logs at the archives.log file, could you tell me your Windows version so that I can reproduce your exact same issue?

Kind regards,

Cristina

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/cf455f3a-f551-416e-a98c-ca2713a1b4d7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d21c2b32-4ae9-490a-9a25-657100bb3705%40googlegroups.com.

[Cristina Garrido López]

Hi Blason,

I was wondering if you could solve your problem and if you could check what I suggested. If not, remember that you can contact us so that we can help with any doubt you may have.

Kind regards,

Cristina

On Tuesday, May 21, 2019 at 11:07:39 AM UTC+2, Blason R wrote:

Surely and thanks.

I now tried with 3.8.2 and received the messages properly.

Let me check what you have suggested.

On Tue, May 21, 2019 at 2:04 PM Cristina Garrido López <cris...@wazuh.com> wrote:

Hi Blason,

I have tried, but I cannot reproduce it. A couple of questions:

- At the agent side, in the ossec.log file, can you check if you have received the message 'Analyzing event log: 'Microsoft-Windows-Sysmon/Operational''?

- At the manager side, in the ossec.log file, do you have any warnings when generating Sysmon events at the agent?

Thank you for reporting the typo! I appreciate that.

Kind regards,

Cristina

On Monday, May 20, 2019 at 3:38:47 PM UTC+2, Blason R wrote:

Hi there,

I tried it with Windows 7 and Windows 10 from the developer edition distributed by Microsoft. This is really surprising isnt it? I followed your article which is posted on 17th May and dang no results.

By the way there is a small typo in that article :)

locafile should have been localfile

On Mon, May 20, 2019 at 11:49 AM Cristina Garrido López <cris...@wazuh.com> wrote:

Hello Blason,

As you are not getting any logs at the archives.log file, could you tell me your Windows version so that I can reproduce your exact same issue?

Kind regards,

Cristina

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/cf455f3a-f551-416e-a98c-ca2713a1b4d7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

[Blason R]

Nope Cristina and I dropped the idea and went back with 3.8.2 where parsing is proper. Though I am still interested in 3.9 and Sysmon especially.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/cf455f3a-f551-416e-a98c-ca2713a1b4d7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d21c2b32-4ae9-490a-9a25-657100bb3705%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7db8629d-175f-42ae-b0bd-82b44846d04f%40googlegroups.com.

[Cristina Garrido López]

 Hi Blason,

I keep trying to reproduce this issue and keeping in mind all the information you gave me, the only thing that seems logical to me is that the agent is not connected to your manager. Is it possible that your agent may have stopped for some reason? Are you getting any warnings or errors at the ossec.log file from the agent or the manager? Please let us know this information and let's see if we can solve this issue as soon as possible.

Kind regards,

Cristina