On Oct 9, 2013 7:43 PM, "Forums" <[email protected]> wrote:
>
> Currently I am using the rules in the localrules file as you see the msauth are commented out. Both work for RDP logins however as I said I get a lot of noise.
>

Still no log samples? Ok, good luck!

>
> LocalRules.xml
>
> <!-- Filter Workstation$ Logon -->
> <rule id="100031" level="0">
>   <if_sid>18104</if_sid>
>   <match>SYSTEM: NT AUTHORITY:</match>
>   <description>Dont Log this</description>
> </rule>
>
> <!-- Remote Desktop Connection -->
> <rule id="100032" level="11">
>   <if_sid>18104</if_sid>
>   <id>^4624|^4778|^1149</id>
>   <description>Remote Desktop Connection Established</description>
> </rule>
> </group> <!-- SYSLOG,LOCAL -->
>
> Msauth.xml
>
> <!-- Filter RDP ATHLON$
> <rule id="18159" level="0">
>   <if_sid>18104</if_sid>
>   <regex>Account Name:ATHLON</regex>
>   <id>4624</id>
>   <group>authentication_success,</group>
>   <description>Remote access login success.</description>
> </rule> -->
>
> <!-- Filter RDP ATHLON$
> <rule id="18160" level="0">
>   <if_sid>18105</if_sid>
>   <regex>Account Name:ATHLON</regex>
>   <id>4624</id>
>   <description>Windows Logon Success,</description>
>   <group>authentication_success,</group>
> </rule> -->
>
> <!-- RDP Access
> <rule id="18161" level="8">
>   <if_sid>18104</if_sid>
>   <id>^682|^4778|^4624</id>
>   <description>Remote Desktop Connection Established</description>
>   <group>authentication_success,</group>
> </rule> -->
> </group>
> <!-- EOF -->
>
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Wednesday, October 09, 2013 6:08 PM
> To: [email protected]
> Subject: RE: [ossec-list] Re: RDP Alerts / msauth.xml
>
> On Oct 9, 2013 6:06 PM, "Forums" <[email protected]> wrote:
> >
> > Even the code below still generates the email (noise) that I don't want to see. I want to see an actual RDP logon from another person, which is working. What I don't want is the actual machine$ account emailing me machine connections.
> >
>
> Perhaps if we had samples of both kinds of logs it would be easier to help.
>
> > From: [email protected] [mailto:[email protected]] On Behalf Of Forums
> > Sent: Tuesday, October 08, 2013 9:58 AM
> > To: [email protected]
> > Subject: RE: [ossec-list] Re: RDP Alerts / msauth.xml
> >
> > Does it matter that you have it in the local_rules and not the msauth? Also are you getting the noise that I am talking about? Thanks.
> >
> > From: [email protected] [mailto:[email protected]] On Behalf Of Derek Morris
> > Sent: Tuesday, October 08, 2013 7:47 AM
> > To: [email protected]
> > Subject: [ossec-list] Re: RDP Alerts / msauth.xml
> >
> > In my local_rules.xml I have these entries, not sure if they will help:
> >
> > <rule id="100888" level="11">
> >   <if_sid>18104</if_sid>
> >   <id>^682|^4778|^1149</id>
> >   <description>Remote Desktop Connection Established</description>
> >   <group>sysadmin,</group>
> > </rule>
> >
> > <rule id="100999" level="11">
> >   <if_sid>18104</if_sid>
> >   <id>^683|^4779</id>
> >   <description>Remote Desktop Connection Disconnected</description>
> >   <group>sysadmin,</group>
> > </rule>
> >
> > On Monday, October 7, 2013 6:24:38 PM UTC-4, Gary White wrote:
> > >
> > > I have edited the msauth file so that I get an email alert when I or anyone remote desktops into my windows machine. However I get several PCname$ alerts as well and I think I need to <match> </match> another rule to filter the unwanted logs out? Here is what I have done:
> > >
> > > <!-- Filter This Out -->
> > > <rule id="18159" level="1">
> > >   <category>windows</category>
> > >   <if_sid>18104</if_sid>
> > >   <match>Athlon$</match>
> > >   <description>Remote access login success.</description>
> > > </rule>
> > >
> > > <!-- RDP Access Alert Working Fine -->
> > > <rule id="18160" level="8">
> > >   <if_sid>18104</if_sid>
> > >   <id>^682|^4778|^4624</id>
> > >   <description>Remote Desktop Connection Established</description>
> > >   <group>authentication_success</group>
> > > </rule>
> > > </group>
> > > <!-- EOF -->
> > >
> > > The 4778 event ID is for when someone has logged back into an already established session, this works fine. What I also want is when someone logs on creating a new RDP session (4624) however that also generates this email:
> > >
> > > OSSEC HIDS Notification.
> > > 2013 Oct 07 11:52:39
> > >
> > > Received From: (Athlon) 10.1.1.11->WinEvtLog
> > > Rule: 18160 fired (level 8) -> "Remote Desktop Connection Established"
> > > Portion of the log(s):
> > >
> > > WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: ATHLON$: MYDOMAIN: ATHLON.mydomain.local: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name: ATHLON$ Account Domain: MYDOMAIN Logon ID: 0x839f215b Logon GUID: {666D9506-E849-14C7-8D3A-6550AE9EE889} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.
> > >
> > > If anyone can point me in the right direction that would be great thanks.
> > > --
> > > ---
> > > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > > For more options, visit https://groups.google.com/groups/opt_out.
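The distinction the thread is circling around, as an added example that is not part of this list thread and not OSSEC code: the noisy event quoted above is a 4624 with `Logon Type: 3` (a network logon by the computer's own account, ATHLON$, from ::1), whereas a new RDP session is logged as a 4624 with `Logon Type: 10` (RemoteInteractive, a Microsoft-documented value). The script below parses the flattened WinEvtLog line the way OSSEC presents it, reads the account from the `New Logon:` section rather than the first `Account Name:` field (the Subject field, which for an RDP logon is usually the machine or SYSTEM account, so a plain `Account Name:` match suppresses the wrong event), and alerts only on 4778/1149 or on a type-10 4624 by a non-machine account. The first sample is abridged from the event quoted in the thread; the type-10 logon and the 4778 reconnect are constructed samples, and the account `jdoe`, the address `10.1.1.50` and the workstation `LAPTOP01` are invented.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Windows logon types (Microsoft-documented values carried in event 4624).
LOGON_TYPE_NETWORK = 3              # e.g. a computer account reaching a service on itself
LOGON_TYPE_REMOTE_INTERACTIVE = 10  # a new RDP / Terminal Services session

# Event ids the thread's rules already key on (session reconnected / RDP auth succeeded).
RDP_SESSION_EVENTS = {4778, 1149}

EVENT_ID_RE = re.compile(r"AUDIT_SUCCESS\((\d+)\)")
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
ACCOUNT_NAME_RE = re.compile(r"Account Name:\s*(\S+)")
SOURCE_ADDR_RE = re.compile(r"Source Network Address:\s*(\S+)")


@dataclass
class LogonEvent:
    event_id: int
    logon_type: Optional[int]
    account: Optional[str]
    source: Optional[str]

    @property
    def is_machine_account(self) -> bool:
        # Computer accounts are named HOSTNAME$; the trailing "$" is the noise marker in the thread.
        return self.account is not None and self.account.endswith("$")


def naive_first_account_name(line: str) -> Optional[str]:
    """What a bare 'Account Name:' match sees: the Subject field, not the account that logged on."""
    m = ACCOUNT_NAME_RE.search(line)
    return m.group(1) if m else None


def logged_on_account(line: str) -> Optional[str]:
    """Account from the 'New Logon:' section of 4624; events without that section
    (e.g. 4778) fall back to the Subject account."""
    _, sep, tail = line.partition("New Logon:")
    m = ACCOUNT_NAME_RE.search(tail if sep else line)
    return m.group(1) if m else None


def parse_logon_event(line: str) -> Optional[LogonEvent]:
    m = EVENT_ID_RE.search(line)
    if not m:
        return None  # not an AUDIT_SUCCESS line in the WinEvtLog format
    lt = LOGON_TYPE_RE.search(line)
    src = SOURCE_ADDR_RE.search(line)
    return LogonEvent(
        event_id=int(m.group(1)),
        logon_type=int(lt.group(1)) if lt else None,
        account=logged_on_account(line),
        source=src.group(1) if src else None,
    )


def should_alert(ev: LogonEvent) -> bool:
    """RDP session events always alert; 4624 alerts only for a RemoteInteractive logon
    by a non-machine account, so the type-3 computer-account logon never qualifies."""
    if ev.event_id in RDP_SESSION_EVENTS:
        return True
    if ev.event_id != 4624:
        return False
    return ev.logon_type == LOGON_TYPE_REMOTE_INTERACTIVE and not ev.is_machine_account


def triage(lines: Iterable[str]) -> List[Tuple[int, Optional[str], Optional[str]]]:
    """Return (event_id, account, source) for every line that should raise an alert."""
    alerts = []
    for line in lines:
        ev = parse_logon_event(line)
        if ev and should_alert(ev):
            alerts.append((ev.event_id, ev.account, ev.source))
    return alerts


# Abridged from the event quoted in the thread: the computer account's own type-3 logon.
MACHINE_EVENT = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: ATHLON$: MYDOMAIN: "
    "ATHLON.mydomain.local: An account was successfully logged on. Subject: Security ID: S-1-0-0 "
    "Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-18 "
    "Account Name: ATHLON$ Account Domain: MYDOMAIN Logon ID: 0x839f215b Network Information: "
    "Workstation Name: Source Network Address: ::1 Source Port: 0")
# Constructed: a new RDP session by a user; note the Subject account is the machine account.
RDP_EVENT = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "ATHLON.mydomain.local: An account was successfully logged on. Subject: Security ID: S-1-5-18 "
    "Account Name: ATHLON$ Account Domain: MYDOMAIN Logon ID: 0x3e7 Logon Type: 10 New Logon: "
    "Security ID: S-1-5-21-111-222-333-1001 Account Name: jdoe Account Domain: MYDOMAIN Logon ID: 0x1a2b3c "
    "Network Information: Workstation Name: LAPTOP01 Source Network Address: 10.1.1.50 Source Port: 49211")
# Constructed: reconnect to an existing session (no 'New Logon:' section, no logon type).
RECONNECT_EVENT = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4778): Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "ATHLON.mydomain.local: A session was reconnected to a Window Station. Subject: Account Name: jdoe "
    "Account Domain: MYDOMAIN Logon ID: 0x1a2b3c Session: Session Name: RDP-Tcp#0 "
    "Additional Information: Client Name: LAPTOP01 Client Address: 10.1.1.50")
SAMPLE_EVENTS = [MACHINE_EVENT, RDP_EVENT, RECONNECT_EVENT]

if __name__ == "__main__":
    for event_id, account, source in triage(SAMPLE_EVENTS):
        print(f"alert: event {event_id} account={account} source={source}")
```

Mapped back onto the rules in the thread, the same split is a child of rule 18104 that requires `<id>^4624</id>` together with a `<regex>` on the text `Logon Type: 10`, with 4778 and 1149 left to the existing rule; the computer account's type-3 logon then never reaches the alerting rule and no per-hostname filter is needed. Two caveats visible in the quoted material: rule 100031's `<match>SYSTEM: NT AUTHORITY:</match>` cannot suppress the quoted event, whose header reads `ATHLON$: MYDOMAIN:`, and the commented-out `<regex>Account Name:ATHLON</regex>` lacks the space that the log has after the colon.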
