So here is what I have in my local_rules.xml for Ossec for my RDP:
<rule id="100888" level="11">
<if_sid>18104</if_sid>
<id>^682|^4778|^1149</id>
<description>**Remote Desktop Connection Established**</description>
<group>sysadmin,</group>
</rule>
<rule id="100999" level="11">
<if_sid>18104</if_sid>
<id>^683|^4779</id>
<description>**Remote Desktop Connection Disconnected**</description>
<group>sysadmin,</group>
</rule>
Then on my servers in the ossec.conf file I add this:
<localfile>
<location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
<log_format>eventlog</log_format>
</localfile>
Also, there is some Windows OS-level advanced auditing you need to enable.
Tons of info in Uncle Google for that. Hope this helps.
On Thursday, August 11, 2016 at 2:09:24 AM UTC-4, [email protected] wrote:
>
> I have a customer that is looking to monitor RDP across the following
> windows 2008r2 log structure:
>
> Applications and Services Logs->Microsoft->Windows->TerminalServices-LocalSessionManager->Operational
>
> Not quite sure how to set up the localfile, but guessing:
>
>
> <ossec_config>
> <localfile>
>
> <location>%WINDIR%/System32/winevt/Logs/Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational</location>
> <log_format>eventlog</log_format>
> </localfile>
> </ossec_config>
>
> The filesystem has a %4 where the last "/" is in my location...perhaps
> this is an issue? LocalSessionManager%4Operational is how it is displayed
> in Windows Explorer.
>
> I have logall enabled and I am seeing tons of inbound logs into the
> archives.log file, but not seeing any of the RDP chatter that I am
> expecting. Events 21 through 25 for example.
>
> Thanks for having a look,
> RS
>
>
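As an added illustration, not code from either poster, the Python below models how the two posted rules classify Windows event ids (using their <id> patterns exactly as written, with OSSEC's start-anchored regex semantics) and shows the %4-to-/ translation between the .evtx file name in the original question and the channel name a <location> expects. The sample events are constructed; 4778/4779 are Security log events, 1149 comes from RemoteConnectionManager, and 21 to 25 are the LocalSessionManager events the question was waiting for.

```python
import re
# The two <id> patterns from the local_rules.xml in the reply above. In OSSEC's
# OS_Regex, '^' anchors to the start of the event id and '|' separates
# alternatives; there is no implicit end anchor, so '^682' also matches any id
# that merely starts with 682 (append '$' to each alternative to avoid that).
LOCAL_RULES = {
    "100888": ("Remote Desktop Connection Established", r"^682|^4778|^1149"),
    "100999": ("Remote Desktop Connection Disconnected", r"^683|^4779"),
}

# Constructed sample of (channel, event id) pairs; 21-25 are the
# LocalSessionManager events the original question expected to see.
SAMPLE_EVENTS = [
    ("Security", "4778"),
    ("Security", "4779"),
    ("Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", "1149"),
    ("Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", "21"),
    ("Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", "24"),
    ("Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", "25"),
]

def matching_rule(event_id):
    """Return the first local rule id whose <id> pattern matches, else None."""
    for rule_id, (_desc, pattern) in LOCAL_RULES.items():
        if re.search(pattern, event_id):
            return rule_id
    return None

def route_events(events):
    """Group event ids by the rule that fires; the None key collects misses."""
    routed = {}
    for _channel, event_id in events:
        routed.setdefault(matching_rule(event_id), []).append(event_id)
    return routed

def channel_from_evtx_filename(path):
    """Map a winevt\\Logs file name to the channel name a <location> needs."""
    # Windows stores the '/' of a channel name as '%4' in the .evtx file name.
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    if base.lower().endswith(".evtx"):
        base = base[:-5]
    return base.replace("%4", "/")

if __name__ == "__main__":
    for rule_id, ids in route_events(SAMPLE_EVENTS).items():
        label = LOCAL_RULES[rule_id][0] if rule_id else "no local rule fires"
        print(f"{rule_id or '-':>6}  {label}: {ids}")
    print(channel_from_evtx_filename("%WINDIR%/System32/winevt/Logs/"
          "Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational"))
```

Running it shows the LocalSessionManager ids falling through both posted rules, so monitoring events 21 through 25 needs rules of their own in addition to the channel being read.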
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.