Set a custom Alert variable output.

You can do this in the global config on the OSSEC server receiving the 
logs. Once the rules match and you get an ALERT, you will have the same 
output over and over.

Make sense?

On Tuesday, November 18, 2014 7:55:55 AM UTC-5, DefensiveDepth wrote:
>
> I have an OSSEC agent monitoring some Windows eventlogs through the 
> eventchannel config and then sending them to the OSSEC manager and 
> archiving them. The SIEM is then parsing the archive and indexing the logs. 
> Unfortunately, these eventlogs are multiline, and the SIEM that is being 
> used is having issues with multiline logs.... Is there any way to have 
> OSSEC convert/strip out the new lines from the logs as it processes them 
> and sends them to the manager?
>
> Thanks!
>
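
A small normalizer for the problem described in the quoted question, added here as an example and not taken from the thread or from OSSEC itself. It assumes an archives.log-style stream in which every record opens with an OSSEC timestamp and the remaining lines of a multiline Windows event follow without that prefix; the sample input is constructed to that shape, so check the regex against your own archive before relying on it. Each event is collapsed to a single line so a SIEM that splits on newlines sees one record per event:

```python
import re
from typing import List

# A record starts with an OSSEC-style "YYYY Mon DD HH:MM:SS " timestamp; any
# other non-blank line is treated as a continuation of the previous record.
# (Assumed layout for this example; verify it against a real archives.log.)
RECORD_START = re.compile(r"^\d{4} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# Constructed sample in that assumed layout: one multiline 4624 logon event
# followed by a single-line service-state event. Not copied from a live host.
SAMPLE_ARCHIVE = (
    "2014 Nov 18 07:55:55 (winagent) 192.0.2.10->WinEvtLog "
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "An account was successfully logged on.\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tWIN-HOST$\n"
    "\n"
    "2014 Nov 18 07:55:56 (winagent) 192.0.2.10->WinEvtLog "
    "WinEvtLog: System: INFORMATION(7036): Service Control Manager: "
    "The Windows Update service entered the running state.\n"
)


def _squash(line: str) -> str:
    """Collapse tabs and runs of spaces to single spaces and trim the ends."""
    return " ".join(line.split())


def flatten_records(text: str, joiner: str = " | ") -> List[str]:
    """Return one single-line string per event in an archive stream.

    Continuation lines are whitespace-normalized and appended to the current
    record with `joiner`, so no returned string contains a newline. A
    continuation that arrives before any header is kept, but tagged, rather
    than silently dropped.
    """
    records: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue  # blank padding lines carry no information
        if RECORD_START.match(raw):
            records.append(_squash(raw))
        elif records:
            records[-1] += joiner + _squash(raw)
        else:
            records.append("ORPHAN_CONTINUATION" + joiner + _squash(raw))
    return records


if __name__ == "__main__":
    for rec in flatten_records(SAMPLE_ARCHIVE):
        print(rec)
```

Run this over the archive before it reaches the SIEM (or as a filter in whatever forwarder feeds the SIEM); the joiner is a plain separator that can be changed to anything the downstream parser does not already use.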
