Hi, I've got OSSEC agent v2.9.0 running on some Windows servers and clients of various versions and receive the default alerts through a Security Onion server. All is well from the defaults, but I'd like to be alerted on Successful authentication, not just failed attempts. This would apply to SSH, RDP, FTP, HTTP, etc. I have spent a bit of time reading how-to docs and forums to try to figure out what I need to do, but so far I've yet to get the specifics I'm looking for. I know that Windows logs are generally a mess, and I'm pretty sure I need to define what I want in the ossec.conf file on each agent, but I don't know exactly what to add to get my desired result. I've read many forum posts that are asking this same basic question and have yet to see a definite answer or how-to. Can someone please define what I need to do to accomplish this?
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
