I have a customer that is looking to monitor RDP across the following
Windows 2008 R2 log structure:
Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational
Not quite sure how to set up the localfile, but guessing:
<ossec_config>
  <localfile>
    <location>%WINDIR%/System32/winevt/Logs/Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
The filesystem has a %4 where the last "/" is in my location... perhaps this
is an issue? LocalSessionManager%4Operational is how it is displayed in
Windows Explorer.
I have logall enabled and I am seeing tons of inbound logs in the
archives.log file, but I am not seeing any of the RDP chatter that I am
expecting, events 21 through 25 for example.
Thanks for having a look,
RS
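The following is an added example, not part of the original post, showing how OSSEC reads one of the newer Windows event channels rather than a classic event log. The `eventlog` format covers the classic Application, Security and System logs; an "Applications and Services" channel such as this one is read with `log_format` set to `eventchannel`, and `location` carries the channel name exactly as Event Viewer shows it (with "/" rather than the on-disk "%4"), not a file path. It assumes an OSSEC agent recent enough to support `eventchannel`; the optional `<query>` element, which restricts collection to the RDP session events 21 through 25 named in the post, is an assumption that the agent version supports it (drop it to collect the whole channel).

```xml
<ossec_config>
  <localfile>
    <!-- Channel name as displayed in Event Viewer, not the %WINDIR% path
         and not the "%4" that Explorer shows in the file name -->
    <location>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</location>
    <log_format>eventchannel</log_format>
    <!-- Optional (assumed supported by this agent version): XPath filter so only
         the session events are shipped: 21 logon, 22 shell start, 23 logoff,
         24 disconnect, 25 reconnect -->
    <query>Event/System[EventID=21 or EventID=22 or EventID=23 or EventID=24 or EventID=25]</query>
  </localfile>
</ossec_config>
```

After restarting the agent, a quick check is to open and close a test RDP session to the host and confirm the matching events appear in archives.log (logall is already enabled here); if nothing arrives, the agent's own ossec.log on the Windows host will show whether the channel was opened or the subscription failed.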