On Oct 14, 2013 11:52 AM, "Forums" <[email protected]> wrote:
>
> The log from the windows machines (VNC login) is attached. My point is, there

Sorry about that, I must have missed it. All I saw was an absolutely useless screen shot of event viewer. I'll take another look after lunch.

> is currently no rule for VNC, then any logs are probably going to point to
> nothing at this point. I need assistance creating a rule right?
>
> If I am to turn on all logs feature for the OSSEC server I will research
> that as I have never heard of it.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Monday, October 14, 2013 10:58 AM
> To: [email protected]
> Subject: Re: [ossec-list] VNC Windows Server Alerts
>
> On Sun, Oct 13, 2013 at 9:05 AM, Gary White <[email protected]> wrote:
> > VNC is installed on my windows machine. I have ossec server installed
> > on a Linux machine with agents installed on my workstations. I need
> > to be alerted when someone remotes to my windows machine using VNC.
> > The alert event ID 1 shows in the application logs. Is there a rule like
> > VNC.xml for ossec?
> >
> > I cannot seem to get this event to trigger. Please see attached.
> >
> > localrules.xml
> >
> > <!-- VNC Login -->
> > <rule id="100036" level="11">
> > <id>^1|^2</id>
> > <match>Connection received from</match>
> > <group>syslog,</group>
> > <description>VNC Login</description>
> > </rule>
> > </group> <!--SYSLOG,LOCAL -->
> >
>
> Turn on the log all option on the server and trigger the log message.
> That way we'll have a copy of the log to work with.
>
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
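
The procedure suggested in the thread, written out as an added example (not part of the original messages and not the OSSEC project's own configuration): enabling the log all option, checking the archive, and retesting the rule as a child of the stock Windows group rule. It assumes a default /var/ossec install, that stock rule 18100 is loaded, and that the archived VNC event decodes as a Windows event with ID 1 or 2.

```xml
<!-- 1. ossec.conf on the OSSEC server (manager): add <logall> to the existing
     <global> block. With logall on, every event received from the agents is
     archived, whether or not a rule matched it. -->
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>

<!-- 2. Restart the manager, make one VNC connection to the Windows agent, then
     look for the event in the archive (paths assume the default install):
       /var/ossec/bin/ossec-control restart
       grep "Connection received from" /var/ossec/logs/archives/archives.log
     3. Paste the log portion of the archived line (everything after the
     agent/location prefix) into /var/ossec/bin/ossec-logtest to see which
     decoder and which rules it reaches.
     4. Set logall back to "no" afterwards; the archive grows quickly. -->

<!-- 5. local_rules.xml: the rule from the thread, reparented under stock rule
     18100 ("Group of windows rules"). Assumption: the archived line decodes
     as a Windows event log entry, so <id> is compared with the event ID. -->
<group name="local,windows,">
  <rule id="100036" level="11">
    <if_sid>18100</if_sid>
    <!-- Anchored so that only event IDs 1 and 2 match, not 10, 21, ... -->
    <id>^1$|^2$</id>
    <match>Connection received from</match>
    <description>VNC Login</description>
  </rule>
</group>
```

If ossec-logtest shows the line reaching a different parent rule than 18100, use that rule's ID in `<if_sid>` instead.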
