On Mon, Oct 14, 2013 at 1:52 PM, Forums <[email protected]> wrote:
> I am such a fool… Please forgive me for my stupidness. I did provide the
> screenshot of the log files that will need to be parsed which were windows
> application logs. Not really vnc itself but the logs. If you don't hear from
> me again it's because I stuck my tongue in a light socket.
>

And I don't want to waste a bunch of time trying to figure out how that log
event looks to OSSEC. I could spend a lot of time doing that, or you could
provide the log from archives.log (after turning on the log all option and
triggering the log). Maybe someone else wants to give it a shot though.

>
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Monday, October 14, 2013 11:58 AM
> To: [email protected]
> Subject: RE: [ossec-list] VNC Windows Server Alerts
>
> On Oct 14, 2013 11:52 AM, "Forums" <[email protected]> wrote:
>>
>> The log from the windows machines (VNC login) is attached. My point is,
>> there
>
> Sorry about that, I must have missed it. All I saw was an absolutely useless
> screen shot of event viewer. I'll take another look after lunch.
>
>> is currently no rule for VNC, the any logs are probably going to point to
>> nothing at this point. I need assistance creating a rule right?
>>
>> If I am to turn on all logs feature for the OSSEC server I will research
>> that as I have never heard of it.
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of dan (ddp)
>> Sent: Monday, October 14, 2013 10:58 AM
>> To: [email protected]
>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>
>> On Sun, Oct 13, 2013 at 9:05 AM, Gary White <[email protected]> wrote:
>> > VNC is installed on my windows machine. I have ossec server installed
>> > on a Linux machine with agents installed on my workstations. I need
>> > to be alerted when someone remotes to my windows machine using VNC.
>> > The alert event ID 1 shows in the application logs. Is there a rule like
>> > VNC.xml for ossec?
>> >
>> > I cannot seem to get this event to trigger. Please see attached.
>> >
>> > localrules.xml
>> >
>> > <!-- VNC Login -->
>> > <rule id="100036" level="11">
>> >   <id>^1|^2</id>
>> >   <match>Connection received from</match>
>> >   <group>syslog,</group>
>> >   <description>VNC Login</description>
>> > </rule>
>> > </group> <!--SYSLOG,LOCAL -->
>> >
>>
>> Turn on the log all option on the server and trigger the log message.
>> That way we'll have a copy of the log to work with.
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
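An added example, not part of this thread and not OSSEC project code: a small Python script that takes constructed lines in the shape an OSSEC agent forwards Windows event log entries (the "WinEvtLog: <log>: <type>(<id>): <source>: ..." records you would see in archives.log once the log all option is on) and applies the two conditions of the rule quoted above, the `<id>` regex and the `<match>` substring. It illustrates why dan asks for the archives.log copy: the rule can only be checked against what the event looks like after decoding. It also shows a caveat worth knowing about that rule: `^1|^2` is only anchored at the start, so it also fires for event IDs 10, 200 and so on; `^1$|^2$` pins it to exactly 1 or 2. The sample lines, the `WinVNC4` source name, host names and addresses are all made up, and OSSEC's own os_regex syntax is approximated here with Python `re`.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not real logs, not from the thread): the shape in
# which an OSSEC agent forwards Windows event log entries to the server, as
# they appear in archives.log with logall enabled. Host names, the VNC source
# name and addresses are placeholders.
SAMPLE_ARCHIVE_LINES = [
    "2013 Oct 14 11:52:01 (ws01) 192.0.2.20->WinEvtLog WinEvtLog: Application: "
    "INFORMATION(1): WinVNC4: (no user): no domain: WS01: "
    "Connection received from 192.0.2.10::51234",
    "2013 Oct 14 11:52:03 (ws01) 192.0.2.20->WinEvtLog WinEvtLog: Application: "
    "INFORMATION(2): WinVNC4: (no user): no domain: WS01: "
    "Connection received from 192.0.2.11::51240",
    "2013 Oct 14 11:52:30 (ws01) 192.0.2.20->WinEvtLog WinEvtLog: Application: "
    "INFORMATION(10): OtherService: (no user): no domain: WS01: "
    "Connection received from 198.51.100.7",
    "2013 Oct 14 11:52:31 (ws01) 192.0.2.20->WinEvtLog WinEvtLog: Application: "
    "INFORMATION(200): OtherService: (no user): no domain: WS01: "
    "Connection received from 198.51.100.8",
    "2013 Oct 14 11:52:40 (ws01) 192.0.2.20->WinEvtLog WinEvtLog: Application: "
    "INFORMATION(1): WinVNC4: (no user): no domain: WS01: "
    "Connection closed: 192.0.2.10::51234",
    # A syscheck line: not a Windows event log entry, the parser must skip it.
    "2013 Oct 14 11:53:10 (ws01) 192.0.2.20->syscheck Integrity checksum "
    "changed for: 'C:\\Program Files\\example\\example.exe'",
]

# Fields of a forwarded Windows event log record: log name, event type,
# numeric event ID, source, and the remainder (user, domain, host, message).
WINEVT_RE = re.compile(
    r"WinEvtLog: (?P<log>[^:]+): (?P<type>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<message>.*)$"
)


def parse_winevt(line: str) -> Optional[Dict[str, str]]:
    """Return the decoded fields of a WinEvtLog line, or None for other events."""
    m = WINEVT_RE.search(line)
    return m.groupdict() if m else None


def rule_fires(event: Dict[str, str], id_regex: str, match_text: str) -> bool:
    """Apply the rule's <id> regex and <match> substring to one decoded event.

    OSSEC evaluates <id> as a regex (approximated with Python re here) and
    <match> as a literal substring test against the event text.
    """
    return (re.search(id_regex, event["id"]) is not None
            and match_text in event["message"])


def fired_event_ids(lines: List[str], id_regex: str, match_text: str) -> List[int]:
    """Event IDs (in order) of the lines the rule would alert on."""
    fired = []
    for line in lines:
        event = parse_winevt(line)
        if event is not None and rule_fires(event, id_regex, match_text):
            fired.append(int(event["id"]))
    return fired


if __name__ == "__main__":
    text = "Connection received from"
    # As written in the thread: anchored only at the start, so 10 and 200 match too.
    print("^1|^2   ->", fired_event_ids(SAMPLE_ARCHIVE_LINES, "^1|^2", text))
    # Anchored at both ends: only event IDs 1 and 2 fire.
    print("^1$|^2$ ->", fired_event_ids(SAMPLE_ARCHIVE_LINES, "^1$|^2$", text))
```

Run it against a real archives.log excerpt by replacing `SAMPLE_ARCHIVE_LINES` with the captured lines; if the parser returns None for the VNC entry, the agent is forwarding it in a different shape than assumed here, which is exactly the information the rule author needs before tuning `<id>` and `<match>`.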
