Hello,
On OSSEC 2.8.3 I am trying to get alerts only for RDP authentication events 
from Windows agents.
These events are shown in the event log 
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational, 
for example with event ID 1149.

In my Windows agent's conf file I have

  <!-- subscribe to the TerminalServices RemoteConnectionManager channel -->
  <localfile>
    <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

---------
On the server, in my local_rules.xml, I have

<group name="rdesktop">
  <!-- fire on any event whose text mentions Remote Desktop Services -->
  <rule id="100888" level="1">
    <match>Remote Desktop Services</match>
    <description>Remote Desktop Connection Established</description>
  </rule>
</group>

I get no messages from the remote client 
(which does send alerts if I use <location>Security</location>).

I see some traffic from client to server with tcpdump if I generate 1149 
logon events, 
but no evidence even with 
<logall>yes</logall> on the OSSEC server.

Can anyone share some insight?

Many thanks
g.
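For comparison, an added server-side rule fragment (not the poster's configuration and not shipped with OSSEC). It assumes the Windows agent forwards eventchannel records in the same "WinEvtLog: <channel>: <type>(<eventid>): <source>: ..." form as the classic eventlog reader, so the stock "windows" decoder populates the <id> field and the record enters the rule tree under the built-in group rule 18100. Rule id 100889 and the level are arbitrary choices:

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml on OSSEC 2.8.x.
     Assumption: the eventchannel line is decoded by the stock "windows"
     decoder (category windows, parent rule 18100), which extracts the
     event ID into the <id> field.  Rule id 100889 is an arbitrary local id. -->
<group name="rdesktop,windows,">
  <rule id="100889" level="5">
    <if_sid>18100</if_sid>
    <!-- event ID alone is not unique across providers, so also pin the channel -->
    <id>^1149$</id>
    <match>TerminalServices-RemoteConnectionManager</match>
    <description>Remote Desktop Services: user authentication succeeded (event 1149)</description>
  </rule>
</group>
```

Before tuning rules, confirm the record actually reaches the server: with <logall>yes</logall> every received line, matched or not, is written to /var/ossec/logs/archives/archives.log, so grep there for "RemoteConnectionManager". If nothing arrives, the problem is on the agent side (the <location> must be the full channel name, the agent must be restarted after editing ossec.conf, and the eventchannel reader needs Windows Vista/Server 2008 or later); if a line does arrive, paste it into /var/ossec/bin/ossec-logtest to see which decoder and rule it hits.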

