ceramicskate0 / SWELF

Simple Windows Event Log Forwarder (SWELF). It's an easy-to-use log forwarder and EVTX parser that simply works. Almost in full release here at https://github.com/ceramicskate0/SWELF/releases/latest.
https://ceramicskate0.github.io/SWELF/
GNU Affero General Public License v3.0
24 stars, 7 forks

MultiSearch feature not logging to event log as multisearch #126

Open ceramicskate0 opened 4 years ago

ceramicskate0 commented 4 years ago

Example: search_multiple:C:\Windows\explorer.exe`Integritylevel: system~Microsoft-Windows-Sysmon/Operational~1 shows as ONLY "C:\Windows\explorer.exe" in the debug function under "Search_Rule".

Possibly it is in the function that does multiSearch.

ceramicskate0 commented 4 years ago

Might be caused by event logs that have more than 1 search rule in the EventData area.