Hi, would you mind sharing log samples for the rules?
Thanks.

On Thursday, August 11, 2016 at 4:10:25 PM UTC+2, [email protected] wrote:
> Thanks Derek, will give that a go!
>
> On Thursday, August 11, 2016 at 8:56:24 AM UTC-5, Derek Morris wrote:
>> So here is what I have in my local_rules.xml for OSSEC for my RDP:
>>
>> <rule id="100888" level="11">
>>   <if_sid>18104</if_sid>
>>   <id>^682|^4778|^1149</id>
>>   <description>**Remote Desktop Connection Established**</description>
>>   <group>sysadmin,</group>
>> </rule>
>>
>> <rule id="100999" level="11">
>>   <if_sid>18104</if_sid>
>>   <id>^683|^4779</id>
>>   <description>**Remote Desktop Connection Disconnected**</description>
>>   <group>sysadmin,</group>
>> </rule>
>>
>> Then on my servers in the ossec.conf file I add this:
>>
>> <localfile>
>>   <!-- Microsoft-Windows-* channels are read with eventchannel, not the classic eventlog reader -->
>>   <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
>>   <log_format>eventchannel</log_format>
>> </localfile>
>>
>> Also there is some Windows OS level advanced auditing you need to
>> enable. Tons of info in Uncle Google for that. Hope this helps.
>>
>> On Thursday, August 11, 2016 at 2:09:24 AM UTC-4, [email protected] wrote:
>>> I have a customer that is looking to monitor RDP across the following
>>> Windows 2008 R2 log structure:
>>>
>>> Applications and Services Logs->Microsoft->Windows->TerminalServices-LocalSessionManager->Operational
>>>
>>> Not quite sure how to set up the localfile, but guessing:
>>>
>>> <ossec_config>
>>>   <localfile>
>>>     <location>%WINDIR%/System32/winevt/Logs/Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational</location>
>>>     <log_format>eventlog</log_format>
>>>   </localfile>
>>> </ossec_config>
>>>
>>> The filesystem has a %4 where the last "/" is in my location... perhaps
>>> this is an issue? LocalSessionManager%4Operational is how it is displayed
>>> in Windows Explorer.
>>>
>>> I have logall enabled and I am seeing tons of inbound logs into the
>>> archives.log file, but not seeing any of the RDP chatter that I am
>>> expecting. Events 21 through 25 for example.
>>>
>>> Thanks for having a look,
>>> RS
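Added example (not part of the thread): a dry run of the two rules above against constructed Windows events, parsing the `<id>` patterns from the rule XML and matching them the way OSSEC does on the event-ID field. It assumes every record has already matched parent rule 18104 and that the patterns use only `^` and `|`, so Python's `re` behaves like OS_Regex for them.

```python
"""Dry-run the thread's OSSEC RDP rules against constructed event records."""
import re
import xml.etree.ElementTree as ET

# Rule bodies copied from the thread, wrapped in a <group> root so the
# XML parser accepts them as one document.
LOCAL_RULES = """<group name="local,">
  <rule id="100888" level="11">
    <if_sid>18104</if_sid>
    <id>^682|^4778|^1149</id>
    <description>**Remote Desktop Connection Established**</description>
    <group>sysadmin,</group>
  </rule>
  <rule id="100999" level="11">
    <if_sid>18104</if_sid>
    <id>^683|^4779</id>
    <description>**Remote Desktop Connection Disconnected**</description>
    <group>sysadmin,</group>
  </rule>
</group>"""

# Constructed sample records (event_id, channel) as a decoder would expose
# them once parent rule 18104 has matched. Channels are the ones named
# in the thread; 4624 is a plain logon included as a negative case.
SAMPLE_EVENTS = [
    ("4778", "Security"),
    ("1149", "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"),
    ("21", "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"),
    ("4779", "Security"),
    ("4624", "Security"),
]


def load_rules(xml_text):
    """Return [(rule_id, level, compiled <id> pattern, description)]."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        rules.append((rule.get("id"), int(rule.get("level")),
                      re.compile(rule.findtext("id")),
                      rule.findtext("description")))
    return rules


def evaluate(events, rules):
    """Map each event ID to the first rule whose <id> matches, else None."""
    hits = {}
    for event_id, _ in events:
        hits[event_id] = next((r[0] for r in rules if r[2].match(event_id)), None)
    return hits
```

Running it shows 4778/1149 firing 100888 and 4779 firing 100999, while LocalSessionManager event 21 matches neither rule: the IDs 21 through 25 that the original question asks about need their own `<id>` pattern.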
