I have edited the msauth file so that I get an email alert when I or anyone
remote desktops into my Windows machine. However, I get several PCname$
alerts as well, and I think I need to <match></match> another rule to
filter the unwanted logs out? Here is what I have done:
 <!-- opening group tag assumed; the pasted excerpt begins at the rules -->
 <group name="local,">

  <!-- Filter This Out -->
  <rule id="18159" level="1">
    <category>windows</category>
    <if_sid>18104</if_sid>
    <!-- note: in OSSEC's match syntax a trailing "$" anchors the pattern to the
         end of the text and matching is case-sensitive, so this pattern does not
         match the literal machine account "ATHLON$" seen in the event below -->
    <match>Athlon$</match>
    <description>Remote access login success.</description>
  </rule>

  <!-- RDP Access Alert Working Fine -->
  <rule id="18160" level="8">
    <if_sid>18104</if_sid>
    <id>^682|^4778|^4624</id>
    <description>Remote Desktop Connection Established</description>
    <group>authentication_success</group>
  </rule>
 </group>
<!-- EOF -->
The 4778 event ID is for when someone has logged back into an already
established session; this works fine. What I also want is when someone logs
on creating a new RDP session (4624); however, that also generates this email:

OSSEC HIDS Notification.
2013 Oct 07 11:52:39

Received From: (Athlon) 10.1.1.11->WinEvtLog
Rule: 18160 fired (level 8) -> "Remote Desktop Connection Established"
Portion of the log(s):

WinEvtLog: Security: AUDIT_SUCCESS(4624):
Microsoft-Windows-Security-Auditing: ATHLON$: MYDOMAIN:
ATHLON.mydomain.local: An account was successfully logged on. Subject:
Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0
Logon Type:   3  New Logon:  Security ID:  S-1-5-18  Account Name:  ATHLON$
Account Domain:  MYDOMAIN  Logon ID:  0x839f215b  Logon GUID:
{666D9506-E849-14C7-8D3A-6550AE9EE889}  Process Information:  Process ID:
0x0  Process Name:  -  Network Information:  Workstation Name:   Source
Network Address: ::1  Source Port:  0  Detailed Authentication Information:
Logon Process:  Kerberos  Authentication Package: Kerberos  Transited
Services: -  Package Name (NTLM only): -  Key Length:  0  This event is
generated when a logon session is created. It is generated on the computer
that was accessed.

If anyone can point me in the right direction, that would be great. Thanks.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
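An added example, not from the post or from OSSEC, showing what the intended filter has to tell apart in the two kinds of 4624 event: a small Python parser that reads the relevant fields from WinEvtLog lines and raises the RDP alert only for 4778 reconnects or 4624 logons with an RDP logon type (10 RemoteInteractive, 7 Unlock) from a non-machine account. The first sample line is abridged from the 4624 event quoted above; the second is constructed, and its user name, SID and source address are assumed.

```python
import re

# Sample WinEvtLog lines. MACHINE_LOGON is abridged from the 4624 event quoted in
# the post; RDP_LOGON is constructed (assumed user, SID and source address).
MACHINE_LOGON = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "ATHLON$: MYDOMAIN: ATHLON.mydomain.local: An account was successfully logged on. "
    "Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 "
    "Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name: ATHLON$ "
    "Account Domain: MYDOMAIN Logon ID: 0x839f215b Source Network Address: ::1"
)
RDP_LOGON = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "jsmith: MYDOMAIN: ATHLON.mydomain.local: An account was successfully logged on. "
    "Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 "
    "Logon Type: 10 New Logon: Security ID: S-1-5-21-1-2-3-1001 Account Name: jsmith "
    "Account Domain: MYDOMAIN Logon ID: 0x8a0001 Source Network Address: 10.1.1.50"
)

# Windows logon types produced by an RDP session: 10 = RemoteInteractive,
# 7 = Unlock (what a reconnect to an existing session logs alongside 4778).
RDP_LOGON_TYPES = {"10", "7"}

def parse_event(line):
    """Pull the fields the RDP decision needs out of one WinEvtLog line."""
    ev = re.search(r"AUDIT_SUCCESS\((\d+)\)", line)
    lt = re.search(r"Logon Type:\s*(\d+)", line)
    # Prefer the account in the "New Logon" section (4624); fall back to the
    # first "Account Name" for events such as 4778 that only have a Subject.
    acct = (re.search(r"New Logon:.*?Account Name:\s*(\S+)", line)
            or re.search(r"Account Name:\s*(\S+)", line))
    src = re.search(r"Source Network Address:\s*(\S+)", line)
    return {
        "event_id": ev.group(1) if ev else None,
        "logon_type": lt.group(1) if lt else None,
        "account": acct.group(1) if acct else None,
        "source": src.group(1) if src else None,
    }

def is_rdp_alert(line):
    """True when the line should raise the 'Remote Desktop Connection Established'
    alert: machine accounts (trailing '$') never do, 4778 reconnects always do,
    and 4624 only when the logon type is one used by RDP."""
    f = parse_event(line)
    if f["account"] is None or f["account"].endswith("$"):
        return False
    if f["event_id"] == "4778":
        return True
    return f["event_id"] == "4624" and f["logon_type"] in RDP_LOGON_TYPES
```

The machine-account event from the post is a Logon Type 3 (network) logon from ::1, so checking the logon type filters it without having to pattern-match the literal "ATHLON$" in the rule.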