Thanks Derek, will give that a go!

On Thursday, August 11, 2016 at 8:56:24 AM UTC-5, Derek Morris wrote:
>
> So here is what I have in my local_rules.xml for Ossec for my RDP:
>
> <rule id="100888" level="11">
>   <if_sid>18104</if_sid>
>   <id>^682|^4778|^1149</id>
>   <description>**Remote Desktop Connection Established**</description>
>   <group>sysadmin,</group>
> </rule>
>
> <rule id="100999" level="11">
>   <if_sid>18104</if_sid>
>   <id>^683|^4779</id>
>   <description>**Remote Desktop Connection Disconnected**</description>
>   <group>sysadmin,</group>
> </rule>
>
> Then on my servers in the ossec.conf file I add this:
>
> <localfile>
>   <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager
> Operational</location>
>   <log_format>eventlog</log_format>
> </localfile>
>
> Also there is some Windows OS level advanced auditing you need to enable.
> Tons of info in Uncle Google for that. Hope this helps.
>
> On Thursday, August 11, 2016 at 2:09:24 AM UTC-4, [email protected] wrote:
>>
>> I have a customer that is looking to monitor RDP across the following
>> Windows 2008 R2 log structure:
>>
>> Applications and Services Logs->Microsoft->Windows->TerminalServices-LocalSessionManager->Operational
>>
>> Not quite sure how to set up the localfile, but guessing:
>>
>> <ossec_config>
>>   <localfile>
>>     <location>%WINDIR%/System32/winevt/Logs/Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational</location>
>>     <log_format>eventlog</log_format>
>>   </localfile>
>> </ossec_config>
>>
>> The filesystem has a %4 where the last "/" is in my location... perhaps
>> this is an issue? LocalSessionManager%4Operational is how it is displayed
>> in Windows Explorer.
>>
>> I have logall enabled and I am seeing tons of inbound logs in the
>> archives.log file, but not seeing any of the RDP chatter that I am
>> expecting. Events 21 through 25, for example.
>>
>> Thanks for having a look,
>> RS
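To see what Derek's two rules will and will not alert on before deploying them, the following toy evaluator (an added example, not code from the thread or from the OSSEC project) parses the quoted rules and runs them over a handful of constructed Windows event records. It makes two assumptions that the thread does not state: OSSEC's `<id>` field is matched with its simple matcher (OS_Match), where `^` anchors the start, `$` anchors the end and `|` separates alternatives, and only that subset is emulated; and the parent rule 18104 is taken to be the stock "Windows audit success" rule, so it counts as matched only for records whose decoded status is AUDIT_SUCCESS. The `parent_rules` helper and the sample records are constructed for the demonstration.

```python
"""Toy evaluator for the two OSSEC local rules quoted in the thread.

Assumptions (not from the thread):
  * <id> uses OSSEC's simple matcher: '^' start anchor, '$' end anchor,
    '|' alternatives; only that subset is emulated here.
  * Parent rule 18104 is the stock "Windows audit success" rule, so it is
    treated as matched only when the record's status is AUDIT_SUCCESS.
"""
import xml.etree.ElementTree as ET

# The two rules from the thread, wrapped in a <group> so they parse as one document.
LOCAL_RULES_XML = """
<group name="local,">
  <rule id="100888" level="11">
    <if_sid>18104</if_sid>
    <id>^682|^4778|^1149</id>
    <description>**Remote Desktop Connection Established**</description>
    <group>sysadmin,</group>
  </rule>
  <rule id="100999" level="11">
    <if_sid>18104</if_sid>
    <id>^683|^4779</id>
    <description>**Remote Desktop Connection Disconnected**</description>
    <group>sysadmin,</group>
  </rule>
</group>
"""

# Constructed event records: only the fields the rules look at.
SAMPLE_EVENTS = [
    {"id": "4778", "status": "AUDIT_SUCCESS"},   # session reconnected -> should fire 100888
    {"id": "4779", "status": "AUDIT_SUCCESS"},   # session disconnected -> should fire 100999
    {"id": "4778", "status": "AUDIT_FAILURE"},   # parent 18104 not matched -> no alert
    {"id": "21",   "status": "AUDIT_SUCCESS"},   # LocalSessionManager logon, not in either <id> list
    {"id": "11490", "status": "AUDIT_SUCCESS"},  # prefix pitfall: '^1149' also matches this
]


def os_match(pattern, text):
    """Emulate the OS_Match subset used by the rules (assumption, see above)."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        core = alt.lstrip("^").rstrip("$")
        if anchored_start and anchored_end:
            hit = text == core
        elif anchored_start:
            hit = text.startswith(core)
        elif anchored_end:
            hit = text.endswith(core)
        else:
            hit = core in text
        if hit:
            return True
    return False


def load_rules(xml_text):
    """Parse <rule> elements into plain dicts (id, level, if_sid set, id pattern)."""
    root = ET.fromstring(xml_text.strip())
    rules = []
    for r in root.findall("rule"):
        sids = {int(s) for s in r.findtext("if_sid", "").split(",") if s.strip()}
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": sids,
            "event_id": r.findtext("id"),
            "description": r.findtext("description"),
        })
    return rules


def parent_rules(event):
    """Stock parents assumed for a Windows eventlog record: 18100 always,
    18104 for audit successes, 18105 for audit failures (assumption)."""
    parents = {18100}
    if event["status"] == "AUDIT_SUCCESS":
        parents.add(18104)
    elif event["status"] == "AUDIT_FAILURE":
        parents.add(18105)
    return parents


def evaluate(event, rules):
    """Return the first local rule that fires for the record, or None."""
    parents = parent_rules(event)
    for rule in rules:
        if not rule["if_sid"] & parents:       # <if_sid>: a parent must have matched
            continue
        if rule["event_id"] and not os_match(rule["event_id"], event["id"]):
            continue
        return rule
    return None


def classify(events, rules):
    """Map each record to the id of the rule that fired (None when nothing fired)."""
    out = []
    for e in events:
        rule = evaluate(e, rules)
        out.append((e["id"], rule["id"] if rule else None))
    return out


if __name__ == "__main__":
    for event_id, rule_id in classify(SAMPLE_EVENTS, load_rules(LOCAL_RULES_XML)):
        print(f"event {event_id:>6} -> rule {rule_id}")
```

Two things the run makes visible: the LocalSessionManager events 21 through 25 that RS is waiting for are not in either `<id>` list, so even once the localfile is collected correctly these two rules stay silent for them; and because `^1149` is a prefix match, a record whose id merely begins with 1149 fires the "established" rule too, so anchoring both ends (`^1149$`) is the safer form when you want an exact event id.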
