Here is the output from the archives log after the <logall>yes</logall> option was set.
2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(2): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:35 Invalid attempt from client 192.168.2.3
2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Connection received from 192.168.2.3
2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(9010): Desktop Window Manager: (no user): no domain: BEAST.mydomain.local: A request to disable the Desktop Window Manager was made by process (VNC server for X64/win32)
2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(9013): Desktop Window Manager: (no user): no domain: BEAST.mydomain.local: (no message)
2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(3): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Client 192.168.2.3 disconnected

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Monday, October 14, 2013 3:01 PM
To: [email protected]
Subject: Re: [ossec-list] VNC Windows Server Alerts

On Mon, Oct 14, 2013 at 2:43 PM, Forums <[email protected]> wrote:
> Okay I will do just that. I am not sure how to turn that on but I will
> research it and let you know or provide the logs once done.
> http://www.ossec.net/doc/syntax/head_ossec_config.global.html#element-logall
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of dan (ddp)
> Sent: Monday, October 14, 2013 2:03 PM
> To: [email protected]
> Subject: Re: [ossec-list] VNC Windows Server Alerts
>
> On Mon, Oct 14, 2013 at 1:52 PM, Forums <[email protected]> wrote:
>> I am such a fool. Please forgive me for my stupidity. I did provide
>> the screenshot of the log files that will need to be parsed which
>> were windows application logs.
>> Not really vnc itself but the logs. If
>> you don't hear from me again it's because I stuck my tongue in a light socket.
>>
>
> And I don't want to waste a bunch of time trying to figure out how
> that log event looks to OSSEC. I could spend a lot of time doing that,
> or you could provide the log from archives.log (after turning on the
> log all option and triggering the log).
> Maybe someone else wants to give it a shot though.
>
>>
>>
>> From: [email protected]
>> [mailto:[email protected]]
>> On Behalf Of dan (ddp)
>> Sent: Monday, October 14, 2013 11:58 AM
>> To: [email protected]
>> Subject: RE: [ossec-list] VNC Windows Server Alerts
>>
>> On Oct 14, 2013 11:52 AM, "Forums" <[email protected]> wrote:
>>>
>>> The log from the windows machines (VNC login) is attached. My point
>>> is, there
>>
>> Sorry about that, I must have missed it. All I saw was an absolutely
>> useless screen shot of event viewer. I'll take another look after lunch.
>>
>>> is currently no rule for VNC, any logs are probably going to
>>> point to nothing at this point. I need assistance creating a rule right?
>>>
>>> If I am to turn on the all logs feature for the OSSEC server I will
>>> research that as I have never heard of it.
>>>
>>> -----Original Message-----
>>> From: [email protected]
>>> [mailto:[email protected]] On Behalf Of dan (ddp)
>>> Sent: Monday, October 14, 2013 10:58 AM
>>> To: [email protected]
>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>
>>> On Sun, Oct 13, 2013 at 9:05 AM, Gary White <[email protected]> wrote:
>>> > VNC is installed on my windows machine. I have ossec server
>>> > installed on a Linux machine with agents installed on my
>>> > workstations. I need to be alerted when someone remotes to my
>>> > windows machine using VNC.
>>> > The alert event ID 1 shows in the application logs. Is there a
>>> > rule like VNC.xml for ossec?
>>> >
>>> > I cannot seem to get this event to trigger. Please see attached.
>>> >
>>> > localrules.xml
>>> >
>>> > <group name="local,syslog,">
>>> >   <!-- VNC Login -->
>>> >   <rule id="100036" level="11">
>>> >     <!-- event IDs 1 and 2 exactly; without the $ anchors 10, 11, 20 ... also match -->
>>> >     <id>^1$|^2$</id>
>>> >     <match>Connection received from</match>
>>> >     <group>syslog,</group>
>>> >     <description>VNC Login</description>
>>> >   </rule>
>>> > </group> <!--SYSLOG,LOCAL -->
>>> >
>>>
>>> Turn on the log all option on the server and trigger the log message.
>>> That way we'll have a copy of the log to work with.
>>>
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google
>>> > Groups "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it,
>>> > send an email to [email protected].
>>> > For more options, visit https://groups.google.com/groups/opt_out.
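The rule set below is an added example, not the original poster's localrules.xml and not part of the OSSEC rule distribution. It turns the archives.log lines at the top of this message into OSSEC alerts. It assumes a stock OSSEC 2.x server, where rule 18100 is the parent of all Windows event-log rules and the built-in windows decoder puts the event ID into the `id` field; rule IDs other than 100036, the alert levels and the five-failures-in-120-seconds threshold are my choices, nothing the thread specifies.

```xml
<!-- local_rules.xml: UltraVNC events forwarded by the Windows agent.
     Added example; rule IDs other than 100036, levels and the threshold
     are assumptions, not values from the thread or the OSSEC rule set. -->
<group name="local,windows,vnc,">

  <!-- Parent rule: any Windows event-log entry whose source is UltraVnc.
       18100 is OSSEC's stock "Group of windows rules" parent; the match is
       on the source name as the windows decoder leaves it in the log text. -->
  <rule id="100036" level="0">
    <if_sid>18100</if_sid>
    <match>UltraVnc: </match>
    <description>UltraVNC server event.</description>
  </rule>

  <!-- Event ID 1: "Connection received from 192.168.2.3".
       A remote desktop session has been established: always alert. -->
  <rule id="100037" level="8">
    <if_sid>100036</if_sid>
    <id>^1$</id>
    <match>Connection received from</match>
    <description>UltraVNC: remote session established.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Event ID 2: "Invalid attempt from client 192.168.2.3".
       A client that failed the VNC password check or was rejected. -->
  <rule id="100038" level="5">
    <if_sid>100036</if_sid>
    <id>^2$</id>
    <match>Invalid attempt from client</match>
    <description>UltraVNC: failed connection attempt.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Correlation: five rejected attempts within 120 seconds on the same
       server. The stock windows decoder does not fill srcip from this
       message, so <same_source_ip> cannot be used here; the client address
       survives only in the full log of each alert. Threshold is an assumption. -->
  <rule id="100039" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100038</if_matched_sid>
    <description>UltraVNC: multiple failed connection attempts (possible brute force).</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Event ID 3: "Client 192.168.2.3 disconnected". Low level, kept so the
       session can be reconstructed together with the level-8 connect alert. -->
  <rule id="100040" level="3">
    <if_sid>100036</if_sid>
    <id>^3$</id>
    <match>disconnected</match>
    <description>UltraVNC: client disconnected.</description>
  </rule>

</group>
```

To check the rules before restarting the server, run /var/ossec/bin/ossec-logtest and paste each event from `WinEvtLog:` onward (the `2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog ` prefix is the archives.log header written by the server, not part of the message). The 20:36:11 line should end Phase 3 with rule 100037 and the 20:35:43 line with rule 100038; the two Desktop Window Manager events at 20:36:15 stay under 18100, since their source is not UltraVnc.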
