On Mon, Oct 7, 2013 at 6:24 PM, Gary White <[email protected]> wrote:

> I have edited the msauth file so that I get an email alert when I or anyone
> remote desktops into my Windows machine. However, I get several PCname$
> alerts as well, and I think I need to <match> </match> another rule to filter
> the unwanted logs out? Here is what I have done:
>
>   <!-- Filter This Out -->
>   <rule id="18159" level="1">
>     <category>windows</category>
>     <if_sid>18104</if_sid>
>     <match>Athlon$</match>
>     <description>Remote access login success.</description>
>   </rule>
>
>   <!-- RDP Access Alert Working Fine -->
>   <rule id="18160" level="8">
>     <if_sid>18104</if_sid>
>     <id>^682|^4778|^4624</id>
>     <description>Remote Desktop Connection Established</description>
>     <group>authentication_success</group>
>   </rule>
> </group>
> <!-- EOF -->
>
> The 4778 event ID is for when someone has logged back into an already
> established session; this works fine. What I also want is when someone logs
> on creating a new RDP session (4624). However, that also generates this email:
>
> OSSEC HIDS Notification.
> 2013 Oct 07 11:52:39
>
> Received From: (Athlon) 10.1.1.11->WinEvtLog
> Rule: 18160 fired (level 8) -> "Remote Desktop Connection Established"
> Portion of the log(s):
>
> WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: ATHLON$: MYDOMAIN: ATHLON.mydomain.local: An account was successfully logged on.
> Subject:
>   Security ID: S-1-0-0
>   Account Name: -
>   Account Domain: -
>   Logon ID: 0x0
> Logon Type: 3
> New Logon:
>   Security ID: S-1-5-18
>   Account Name: ATHLON$
>   Account Domain: MYDOMAIN
>   Logon ID: 0x839f215b
>   Logon GUID: {666D9506-E849-14C7-8D3A-6550AE9EE889}
> Process Information:
>   Process ID: 0x0
>   Process Name: -
> Network Information:
>   Workstation Name:
>   Source Network Address: ::1
>   Source Port: 0
> Detailed Authentication Information:
>   Logon Process: Kerberos
>   Authentication Package: Kerberos
>   Transited Services: -
>   Package Name (NTLM only): -
>   Key Length: 0
> This event is generated when a logon session is created. It is generated on the computer that was accessed.
>
> If anyone can point me in the right direction, that would be great. Thanks.

Is this a log sample of what you want to see, or what you don't want to see? Can you provide a sample of both, please?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
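The filter the original poster is after, worked through outside OSSEC as an added Python example (this is not code from the thread and not OSSEC's rule engine). In OSSEC the usual way to drop a subset of a rule's matches is a level 0 child rule whose `<if_sid>` points at the alerting rule; the script below mirrors that child-rule logic in plain code: it parses the WinEvtLog line format the OSSEC Windows agent forwards, pulls out the event ID, the logon type and the account under "New Logon", and alerts on RDP activity (4624 with logon type 10, or a 4778/682 session reconnect) only when the account is not a machine account ending in "$". The first sample line is the 4624 event quoted above with its whitespace collapsed; the other sample lines, the account name "alice", the workstation name and the 10.1.1.50 address are constructed for contrast. Treating logon type 10 as the RDP logon is standard Windows behaviour, not something the thread states.

```python
import re

# Header layout of an event forwarded by the OSSEC Windows agent, as in the thread:
#   WinEvtLog: <log>: <status>(<event id>): <source>: <user>: <domain>: <host>: <message>
HEADER_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>\w+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<hdr_user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<host>[^:]+): (?P<body>.*)$",
    re.S,
)

RDP_RECONNECT_IDS = {"682", "4778"}  # session reconnected (Windows 2003 / 2008+ IDs)
LOGON_SUCCESS_ID = "4624"            # an account was successfully logged on
REMOTE_INTERACTIVE = "10"            # logon type 10 = RemoteInteractive (RDP)


def parse_winevtlog(line):
    """Split one WinEvtLog line into header fields plus the logon details we need."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    body = ev["body"]
    # For 4624 the account that logged on is under "New Logon:", not "Subject:".
    scope = body.split("New Logon:", 1)[1] if "New Logon:" in body else body
    acct = re.search(r"Account Name:\s+(\S+)", scope)
    ltype = re.search(r"Logon Type:\s+(\d+)", body)
    src = re.search(r"(?:Source Network Address|Client Address):\s+(\S+)", body)
    ev["account"] = acct.group(1) if acct else None
    ev["logon_type"] = ltype.group(1) if ltype else None
    ev["src"] = src.group(1) if src else None
    return ev


def is_machine_account(name):
    """Computer accounts end in '$' (ATHLON$ in the thread); those are the noise."""
    return name is None or name.endswith("$")


def rdp_alert(line):
    """Return (alert, reason) for one line, mirroring a level-0 child-rule filter."""
    ev = parse_winevtlog(line)
    if ev is None:
        return False, "not a WinEvtLog line"
    if ev["status"] != "AUDIT_SUCCESS":
        return False, "not an audit success"
    if is_machine_account(ev["account"]):
        return False, "machine account %s suppressed" % ev["account"]
    if ev["event_id"] in RDP_RECONNECT_IDS:
        return True, "RDP session reconnected by %s from %s" % (ev["account"], ev["src"])
    if ev["event_id"] == LOGON_SUCCESS_ID and ev["logon_type"] == REMOTE_INTERACTIVE:
        return True, "new RDP logon by %s from %s" % (ev["account"], ev["src"])
    return False, "event %s, logon type %s is not RDP" % (ev["event_id"], ev["logon_type"])


# Constructed samples: the first is the 4624 event quoted in the thread with its
# whitespace collapsed; the others use a made-up account "alice" and made-up addresses.
SAMPLE_LOGS = [
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "ATHLON$: MYDOMAIN: ATHLON.mydomain.local: An account was successfully logged on. "
    "Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 "
    "Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name: ATHLON$ "
    "Account Domain: MYDOMAIN Logon ID: 0x839f215b Process Information: Process ID: 0x0 "
    "Process Name: - Network Information: Workstation Name: Source Network Address: ::1 "
    "Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos "
    "Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - "
    "Key Length: 0",
    # A human account opening a new RDP session (logon type 10): should alert.
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "alice: MYDOMAIN: ATHLON.mydomain.local: An account was successfully logged on. "
    "Subject: Security ID: S-1-5-18 Account Name: ATHLON$ Account Domain: MYDOMAIN "
    "Logon ID: 0x3e7 Logon Type: 10 New Logon: Security ID: S-1-5-21-1-2-3-1001 "
    "Account Name: alice Account Domain: MYDOMAIN Logon ID: 0x8400001 "
    "Network Information: Workstation Name: LAPTOP Source Network Address: 10.1.1.50 "
    "Source Port: 51234",
    # The same account reconnecting to an existing session (4778): should alert.
    "WinEvtLog: Security: AUDIT_SUCCESS(4778): Microsoft-Windows-Security-Auditing: "
    "alice: MYDOMAIN: ATHLON.mydomain.local: A session was reconnected to a Window Station. "
    "Subject: Account Name: alice Account Domain: MYDOMAIN Logon ID: 0x8400001 "
    "Session: Session Name: RDP-Tcp#0 Additional Information: Client Name: LAPTOP "
    "Client Address: 10.1.1.50",
    # A human network logon (type 3, e.g. a file share): not RDP, should not alert.
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "alice: MYDOMAIN: ATHLON.mydomain.local: An account was successfully logged on. "
    "Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 "
    "Logon Type: 3 New Logon: Security ID: S-1-5-21-1-2-3-1001 Account Name: alice "
    "Account Domain: MYDOMAIN Logon ID: 0x9a0012 Network Information: "
    "Workstation Name: LAPTOP Source Network Address: 10.1.1.50 Source Port: 49211",
]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        alert, reason = rdp_alert(line)
        print("ALERT" if alert else "drop ", reason)
```

Run as-is it drops the quoted ATHLON$ event and the type 3 network logon and alerts on the type 10 logon and the 4778 reconnect. Note that with Network Level Authentication a human RDP logon can be preceded by a 4624 with logon type 3 for the same account; the type 10 event still follows it, so keying the alert on type 10 (or on 4778 for reconnects) rather than on every 4624 is what keeps the machine-account and network-logon noise out.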
