On Sun, Oct 13, 2013 at 9:05 AM, Gary White <[email protected]> wrote:
> VNC is installed on my windows machine. I have ossec server installed on a
> Linux machine with agents installed on my workstations. I need to be alerted
> when someone remotes to my windows machine using VNC. The alert event ID 1
> shows in the application logs. Is there a rule like VNC.xml for ossec?
>
> I cannot seem to get this event to trigger. Please see attached.
>
> localrules.xml
>
> <!-- VNC Login -->
> <rule id="100036" level="11">
>   <id>^1|^2</id>
>   <match>Connection received from</match>
>   <group>syslog,</group>
>   <description>VNC Login</description>
> </rule>
> </group> <!--SYSLOG,LOCAL -->
>
Turn on the log all option on the server and trigger the log message. That
way we'll have a copy of the log to work with.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
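The step suggested in the reply, as an added example that is not part of the original thread: enable `logall`, reproduce the VNC connection, then pull the event out of the archive in the form the decoders receive it. It assumes a default `/var/ossec` install; the `raw_events` and `sample_archive` helpers are hypothetical, and the sample archive lines (agent name, addresses, event text) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a default /var/ossec install.
#
# 1. On the OSSEC server, inside <global> in /var/ossec/etc/ossec.conf:
#        <logall>yes</logall>
#    then run: /var/ossec/bin/ossec-control restart
# 2. Make a VNC connection to the Windows agent so the event is logged.
# 3. Pull the event out of the archive with raw_events (below), e.g.
#    raw_events "Connection received from" < /var/ossec/logs/archives/archives.log

# raw_events PHRASE: read archives.log lines on stdin, keep those that
# contain PHRASE (fixed string), and strip the archive prefix
# "YYYY Mon DD HH:MM:SS location->source " so that only the log text
# handed to the decoders remains.
raw_events() {
    grep -F -- "$1" |
        sed -E 's/^[0-9]{4} [A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8} [^>]*->[^ ]+ //'
}

# Constructed sample of archives.log content (agent name, addresses and
# event text are made up for illustration).
sample_archive() {
    cat <<'EOF'
2013 Oct 13 09:01:12 (win-ws01) 192.0.2.10->WinEvtLog WinEvtLog: Application: INFORMATION(1): WinVNC4: (no user): no domain: WIN-WS01: Connection received from 192.0.2.55::49211
2013 Oct 13 09:01:40 server->/var/log/messages Oct 13 09:01:40 server sshd[2211]: Accepted publickey for admin from 192.0.2.7 port 51022 ssh2
EOF
}

# Demonstration on the constructed sample.
sample_archive | raw_events "Connection received from"
```

Pasting the extracted line into `/var/ossec/bin/ossec-logtest` shows which decoder and rules it reaches, which is the copy of the log the reply asks for.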
