Hello,

On OSSEC 2.8.3 I am trying to get alerts only for RDP authentication events from Windows agents. These events are shown in the event log Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational, for example with event ID 1149.
I have in my Windows agent's conf file:

    <localfile>
      <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
      <log_format>eventchannel</log_format>
    </localfile>

On the server, in my local_rules.xml, I have:

    <group name="rdesktop">
      <rule id="100888" level="1">
        <match>Remote Desktop Services</match>
        <description>Remote Desktop Connection Established</description>
      </rule>
    </group>

I get no messages from the remote client (which does send alerts if I use <location>Security</location>). I see some traffic from client to server with tcpdump if I generate 1149 logon events, but no evidence even with <logall>yes</logall> on the OSSEC server.

Can anyone share some insight?

Many thanks,
g.
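As an added illustration of what the rule above is trying to match (example code written for this page, not the poster's configuration and not part of OSSEC), the script below parses log lines in the colon-separated WinEvtLog layout that OSSEC uses for Windows event channel data, picks out event 1149 from the TerminalServices-RemoteConnectionManager/Operational channel, and extracts the user, domain and source address from the event message. The exact field order of the WinEvtLog line is an assumption here, so compare it against what appears in the server's archives before relying on the regex; the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed layout of an OSSEC WinEvtLog line (eventlog/eventchannel collection):
#   WinEvtLog: <channel>: <type>(<event id>): <source>: <user>: <domain>: <host>: <message>
# Verify against real output; this is an approximation, not OSSEC's decoder.
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<type>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]*): (?P<user>[^:]*): (?P<domain>[^:]*): (?P<host>[^:]*): "
    r"(?P<message>.*)$"
)

RDP_CHANNEL = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

# Fields inside the body of a 1149 event ("User authentication succeeded").
# The domain may be empty, so \S* is used for it.
RDP_1149_RE = re.compile(
    r"User authentication succeeded:\s*User:\s*(?P<user>\S+)\s*"
    r"Domain:\s*(?P<domain>\S*)\s*Source Network Address:\s*(?P<src>\S+)"
)


@dataclass
class RdpConnection:
    host: str
    user: str
    domain: str
    source_address: str


def parse_winevt(line: str) -> Optional[Dict[str, str]]:
    """Split a WinEvtLog line into its named fields, or None if it does not fit."""
    m = WINEVT_RE.match(line)
    return m.groupdict() if m else None


def rule_100888_matches(line: str) -> bool:
    """Mimic the poster's <match>: a plain substring test over the whole line."""
    return "Remote Desktop Services" in line


def rdp_connection_from_line(line: str) -> Optional[RdpConnection]:
    """Return the connection details for a 1149 event on the RDP channel, else None."""
    fields = parse_winevt(line)
    if not fields or fields["channel"] != RDP_CHANNEL or fields["event_id"] != "1149":
        return None
    body = RDP_1149_RE.search(fields["message"])
    if not body:
        return None
    return RdpConnection(
        host=fields["host"],
        user=body.group("user"),
        domain=body.group("domain"),
        source_address=body.group("src"),
    )


def scan(lines: List[str]) -> List[RdpConnection]:
    """Collect every RDP connection event found in the given lines."""
    found = (rdp_connection_from_line(line) for line in lines)
    return [c for c in found if c is not None]


def connections_by_source(lines: List[str]) -> Dict[str, int]:
    """Count 1149 events per source address, a simple view for spotting noisy clients."""
    counts: Dict[str, int] = {}
    for c in scan(lines):
        counts[c.source_address] = counts.get(c.source_address, 0) + 1
    return counts


# Constructed sample lines (hosts, users and addresses are made up).
SAMPLE_LINES = [
    "WinEvtLog: " + RDP_CHANNEL + ": INFORMATION(1149): "
    "Microsoft-Windows-TerminalServices-RemoteConnectionManager: (no user): NO_DOMAIN: "
    "WIN-SRV01: Remote Desktop Services: User authentication succeeded: "
    "User: alice Domain: CORP Source Network Address: 192.0.2.10",
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "(no user): NO_DOMAIN: WIN-SRV01: An account was successfully logged on.",
    "WinEvtLog: " + RDP_CHANNEL + ": INFORMATION(1149): "
    "Microsoft-Windows-TerminalServices-RemoteConnectionManager: (no user): NO_DOMAIN: "
    "WIN-SRV01: Remote Desktop Services: User authentication succeeded: "
    "User: bob Domain:  Source Network Address: 198.51.100.7",
]

if __name__ == "__main__":
    for conn in scan(SAMPLE_LINES):
        print(conn)
    print(connections_by_source(SAMPLE_LINES))
```

Running it prints the two RDP connections and a per-source count; the Security 4624 line is ignored both by the channel/event-ID check and by the substring match, which is the kind of distinction a level-1 catch-all rule on "Remote Desktop Services" cannot make on its own.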