This has been resolved using a <match>Microsft-Security-Auditing: machinename$: domainname: machinename.domainname.local</match>
<match>Microsoft-windows-security-Auditing: SYSTEM: NT AUTHORITY</match> I just wanted to post the match rule that is needed to filter out the noise. I now get legit RDP logins alerted thanks. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp) Sent: Thursday, October 10, 2013 10:19 AM To: [email protected] Subject: Re: [ossec-list] Re: RDP Alerts / msauth.xml On Wed, Oct 9, 2013 at 8:01 PM, Forums <[email protected]> wrote: > Log Samples: > > The logs I want emailed: > > OSSEC HIDS Notification. > > 2013 Oct 09 18:21:45 > > > > Received From: (Athlon) 10.1.1.11->WinEvtLog > > Rule: 100032 fired (level 11) -> "Remote Desktop Connection Established" > > Portion of the log(s): > > > > WinEvtLog: Security: AUDIT_SUCCESS(4624): > Microsoft-Windows-Security-Auditing: razzle: MyDomain: > ATHLON.MyDomain.local: An account was successfully logged on. Subject: > Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 > Logon Type: 3 New Logon: Security ID: > S-1-5-21-3105247609-3095833174-255621157-500 Account Name: razzle > Account > Domain: MyDomain Logon ID: 0x85a0bdd3 Logon GUID: > {00000000-0000-0000-0000-000000000000} Process Information: Process ID: > 0x0 Process Name: - Network Information: Workstation Name: BEAST > Source Network Address: - Source Port: - Detailed Authentication Information: > Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: > - Package Name (NTLM only): NTLM V1 Key Length: 128 This event is > generated when a logon session is created. It is generated on the > computer that was accessed. > > > > > > > > The Email I DON'T want: > > > > Received From: (Athlon) 10.1.1.11->WinEvtLog > > Rule: 100032 fired (level 11) -> "Remote Desktop Connection Established" > > Portion of the log(s): > > > > WinEvtLog: Security: AUDIT_SUCCESS(4624): > Microsoft-Windows-Security-Auditing: ATHLON$: MyDomain: > ATHLON.MyDomain.local: An account was successfully logged on. Subject: > Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 > Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name: ATHLON$ > Account Domain: MyDomain Logon ID: 0x839f215b Logon GUID: > {666D9506-E849-14C7-8D3A-6550AE9EE889} Process Information: Process ID: > 0x0 Process Name: - Network Information: Workstation Name: Source > Network Address: ::1 Source Port: 0 Detailed Authentication Information: > Logon Process: Kerberos Authentication Package: Kerberos Transited > Services: - Package Name (NTLM only): - Key Length: 0 This event > is generated when a logon session is created. It is generated on the > computer that was accessed. > These logs do not match 18104 for me. I'm not sure what is different between my setup and yours. Looking back at previous rules you've posted, I noticed that they contain nonsensical things like: <regex>Account Name:ATHLON</regex> First, there's no regex in that atement. Second, there are spaces in the log message between "Name:" and "ATHLON." Those spaces should be represented here. Try cleaning up the rules a bit, and use the proper spacing. See if that helps. > > > > > I get 10 emails a day letting me know the machine account: ATHLON$ has > logged on. > > > > > > > > From: [email protected] [mailto:[email protected]] > On Behalf Of dan (ddp) > Sent: Wednesday, October 09, 2013 7:45 PM > > > To: [email protected] > Subject: RE: [ossec-list] Re: RDP Alerts / msauth.xml > > > > > On Oct 9, 2013 7:43 PM, "Forums" <[email protected]> wrote: >> >> Currently I am using the rules in the localrules file as you see the >> msauth are commented out. Both work for RDP logins however as I said >> I get a lot of noise. >> > > Still no log samples? Ok, good luck! > >> >> >> LocalRules.xml >> >> <!-- Filter Workstation$ Logon --> >> >> <rule id="100031" level="0"> >> >> <if_sid>18104</if_sid> >> >> <match>SYSTEM: NT AUTHORITY:</match> >> >> <description>Dont Log this</description> >> >> </rule> >> >> >> >> <!-- Remote Desktop Connection --> >> >> <rule id="100032" level="11"> >> >> <if_sid>18104</if_sid> >> >> <id>^4624|^4778|^1149</id> >> >> <description>Remote Desktop Connection Established</description> >> >> </rule> >> >> </group> <!-- SYSLOG,LOCAL --> >> >> >> >> Msauth.xml >> >> <!-- Filter RDP ATHLON$ >> >> <rule id="18159" level="0"> >> >> <if_sid>18104</if_sid> >> >> <regex>Account Name:ATHLON</regex> >> >> <id>4624</id> >> >> <group>authentication_success,</group> >> >> <description>Remote access login success.</description> >> >> </rule> --> >> >> >> >> <!-- Filter RDP ATHLON$ >> >> <rule id="18160" level="0"> >> >> <if_sid>18105</if_sid> >> >> <regex>Account Name:ATHLON</regex> >> >> <id>4624</id> >> >> <description>Windows Logon Success,</description> >> >> <group>authentication_success,</group> >> >> </rule> --> >> >> >> >> <!-- RDP Access >> >> <rule id="18161" level="8"> >> >> <if_sid>18104</if_sid> >> >> <id>^682|^4778|^4624</id> >> >> <description>Remote Desktop Connection Established</description> >> >> <group>authentication_success,</group> >> >> </rule> --> >> >> </group> >> >> <!-- EOF --> >> >> >> >> From: [email protected] >> [mailto:[email protected]] On Behalf Of dan (ddp) >> Sent: Wednesday, October 09, 2013 6:08 PM >> >> To: [email protected] >> Subject: RE: [ossec-list] Re: RDP Alerts / msauth.xml >> >> >> >> >> On Oct 9, 2013 6:06 PM, "Forums" <[email protected]> wrote: >> > >> > Even the code below still generates the email (noise) that I don't >> > want to see. I want to see an actual RDP logon from another person, >> > which is working. What I don't want is the actual machine$ account >> > emailing me machine connections. >> > >> >> Perhapa if we had samples of both kinds of logs it would be easier to >> help. >> >> > >> > >> > From: [email protected] >> > [mailto:[email protected]] >> > On Behalf Of Forums >> > Sent: Tuesday, October 08, 2013 9:58 AM >> > To: [email protected] >> > Subject: RE: [ossec-list] Re: RDP Alerts / msauth.xml >> > >> > >> > >> > Does it matter that you have it in the local_rules and not the msauth? >> > Also are you getting the noise that I am talking about? Thanks. >> > >> > >> > >> > From: [email protected] >> > [mailto:[email protected]] >> > On Behalf Of Derek Morris >> > Sent: Tuesday, October 08, 2013 7:47 AM >> > To: [email protected] >> > Subject: [ossec-list] Re: RDP Alerts / msauth.xml >> > >> > >> > >> > In my local_rules.xml I have these entries, not sure if they will help: >> > >> > >> > >> > <rule id="100888" level="11"> >> > >> > <if_sid>18104</if_sid> >> > >> > <id>^682|^4778|^1149</id> >> > >> > <description>Remote Desktop Connection >> > Established</description> >> > >> > <group>sysadmin,</group> >> > >> > </rule> >> > >> > >> > >> > <rule id="100999" level="11"> >> > >> > <if_sid>18104</if_sid> >> > >> > <id>^683|^4779</id> >> > >> > <description>Remote Desktop Connection >> > Disconnected</description> >> > >> > <group>sysadmin,</group> >> > >> > </rule> >> > >> > >> > >> > >> > On Monday, October 7, 2013 6:24:38 PM UTC-4, Gary White wrote: >> > >> > I have edited the msauth file so that I get an email alert when I >> > or anyone remote desktops into my windows machine. However I get >> > several PCname$ alerts as well and I think I need to <match> >> > </match> another rule to filter the unwanted logs out? here is what I have done: >> > >> > >> > >> > <!-- Filter This Out --> >> > <rule id="18159" level="1"> >> > <category>windows</category> >> > <if_sid>18104</if_sid> >> > <match>Athlon$</match> >> > <description>Remote access login success.</description> >> > </rule> >> > >> > >> > >> > >> > >> > <!-- RDP Access Alert Working Fine --> >> > <rule id="18160" level="8"> >> > <if_sid>18104</if_sid> >> > <id>^682|^4778|^4624</id> >> > <description>Remote Desktop Connection Established</description> >> > <group>authentication_success</group> >> > </rule> >> > </group> >> > <!-- EOF --> >> > >> > The 4778 event ID is for when someone has logged back into an >> > already established session, this works fine. What I also want is >> > when someone logs on creating a new RDP session (4624) however that also generates this email: >> > >> > >> > >> > >> > >> > OSSEC HIDS Notification. >> > >> > 2013 Oct 07 11:52:39 >> > >> > >> > >> > Received From: (Athlon) 10.1.1.11->WinEvtLog >> > >> > Rule: 18160 fired (level 8) -> "Remote Desktop Connection Established" >> > >> > Portion of the log(s): >> > >> > >> > >> > WinEvtLog: Security: AUDIT_SUCCESS(4624): >> > Microsoft-Windows-Security-Auditing: ATHLON$: MYDOMAIN: >> > ATHLON.mydomain.local: An account was successfully logged on. Subject: >> > Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 >> > Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name: ATHLON$ >> > Account Domain: MYDOMAIN Logon ID: 0x839f215b Logon GUID: >> > {666D9506-E849-14C7-8D3A-6550AE9EE889} Process Information: Process ID: >> > 0x0 Process Name: - Network Information: Workstation Name: Source >> > Network Address: ::1 Source Port: 0 Detailed Authentication Information: >> > Logon Process: Kerberos Authentication Package: Kerberos >> > Transited >> > Services: - Package Name (NTLM only): - Key Length: 0 This >> > event is generated when a logon session is created. It is generated >> > on the computer that was accessed. >> > >> > >> > >> > If anyone can point me in the right direction that would be great >> > thanks. >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, >> > send an email to [email protected]. >> > For more options, visit https://groups.google.com/groups/opt_out. >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, >> > send an email to [email protected]. >> > For more options, visit https://groups.google.com/groups/opt_out. >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, >> > send an email to [email protected]. >> > For more options, visit https://groups.google.com/groups/opt_out. >> >> -- >> >> --- >> You received this message because you are subscribed to the Google >> Groups "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, >> send an email to [email protected]. >> For more options, visit https://groups.google.com/groups/opt_out. >> >> -- >> >> --- >> You received this message because you are subscribed to the Google >> Groups "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, >> send an email to [email protected]. >> For more options, visit https://groups.google.com/groups/opt_out. > > -- > > --- > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > > -- > > --- > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
