The log from the Windows machines (VNC login) is attached. My point is, there is currently no rule for VNC; any logs are probably going to point to nothing at this point. I need assistance creating a rule, right?
If I am to turn on the all logs feature for the OSSEC server, I will research that, as I have never heard of it.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Monday, October 14, 2013 10:58 AM
To: [email protected]
Subject: Re: [ossec-list] VNC Windows Server Alerts

On Sun, Oct 13, 2013 at 9:05 AM, Gary White <[email protected]> wrote:
> VNC is installed on my Windows machine. I have OSSEC server installed
> on a Linux machine with agents installed on my workstations. I need
> to be alerted when someone remotes to my Windows machine using VNC.
> The alert event ID 1 shows in the application logs. Is there a rule like VNC.xml for OSSEC?
>
> I cannot seem to get this event to trigger. Please see attached.
>
> localrules.xml
>
> <!-- VNC Login -->
> <rule id="100036" level="11">
>   <id>^1|^2</id>
>   <match>Connection received from</match>
>   <group>syslog,</group>
>   <description>VNC Login</description>
> </rule>
> </group> <!--SYSLOG,LOCAL -->
>

Turn on the log all option on the server and trigger the log message. That way we'll have a copy of the log to work with.

> --
>
> ---
> You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
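
For reference, the "log all" option mentioned in the reply, next to one way the quoted rule could be scoped to Windows event-log events. This is an added example, not configuration posted by anyone in the thread. It assumes the VNC event is decoded by the stock Windows decoder and can therefore be chained to rule 18100, the stock parent rule for Windows events; the rule id, match string and description are taken from the quoted rule.

```xml
<!-- ossec.conf on the OSSEC server: keep a copy of every received event,
     including events that match no rule. -->
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>

<!-- local_rules.xml: candidate rule for the VNC connection event.
     Assumption: the event reaches the stock Windows decoder, so the rule
     can hang off 18100 (the stock "Group of windows rules" parent). -->
<group name="local,syslog,">
  <rule id="100036" level="11">
    <if_sid>18100</if_sid>
    <!-- Anchored at both ends so that only event IDs 1 and 2 match,
         not every ID that merely starts with 1 or 2. -->
    <id>^1$|^2$</id>
    <match>Connection received from</match>
    <description>VNC Login</description>
  </rule>
</group>
```

After restarting the server and reproducing the VNC connection, the raw event is written to logs/archives/archives.log under the OSSEC install directory (/var/ossec by default). Pasting that line into bin/ossec-logtest shows which decoder and rules it reaches, which is the check to run before trusting the rule above.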
