On Thu, Aug 28, 2014 at 11:46 AM, Brian Kellogg <[email protected]> wrote:
> I knew I may be misunderstanding something. I thought ossec-logtest showed
> the last decoder used on the event. I had <order> in there to fill in data
> and that was not being shown by ossec-logtest. I'll try again and see if I
> just screwed up my regex somehow. Shouldn't I see an alert 12 with the
> generated by the rule though with the description of "RDP Windows Logon"?
>
There's nothing in the rule you posted that matches anything. There is no
reason it should ever match the way it is currently written. Remove the
decoder entry, add an if_sid for 18107, and an <id> of 4624. Then your rule
should match the one sample you provided. And I think the windows_rdp decoder
won't work without an <order>, but I didn't look into the error too much.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
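For reference, here is what a local rule following the advice above would look like. This is an added illustration, not the rule Brian posted or anything from the reply; the rule id 100100 and the level are assumptions (100000-109999 is the range OSSEC reserves for local rules), and 18107 is the stock OSSEC "Windows login success" rule that a 4624 event is decoded into.

```xml
<!-- Added example of a local_rules.xml entry; not from the original thread. -->
<group name="windows,local,">

  <!-- Chain off 18107 (OSSEC's built-in "Windows login success" rule) rather
       than off a custom decoder, and match the event ID the decoder already
       extracts. Rule id 100100 and level 12 are assumed values. -->
  <rule id="100100" level="12">
    <if_sid>18107</if_sid>
    <id>^4624$</id>
    <description>RDP Windows Logon</description>
  </rule>

</group>
```

Note that 4624 is logged for every successful logon, not only RDP, so this rule fires on all of them; narrowing it to RDP sessions needs an extra condition on the event content that the thread does not show.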
