Jesus, sure let me pull one up of a connect and disconnect for RDP:

CONNECTION TO SERVER VIA RDP FROM REMOTE WORKSTATION: (SANITIZED OF COURSE)
__________________________________________________

OSSEC HIDS Notification.
2016 Aug 12 07:48:23

Received From: (servername) IP.IP.IP.IP->WinEvtLog
Rule: 100888 fired (level 11) -> "**Remote Desktop Connection Established**"
Portion of the log(s):

WinEvtLog: Security: AUDIT_SUCCESS(4778): Microsoft-Windows-Security-Auditing: (no user): no domain: servername.fqdn: A session was reconnected to a Window Station. Subject: Account Name: USERNAMEUSED Account Domain: DOMAIN.DOMAIN Logon ID: 0x1e3373 Session: Session Name: RDP-Tcp#0 Additional Information: Client Name: FROM_WHAT_DESKTOP Client Address: DESKTOP_IP This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching.

--END OF NOTIFICATION

------------------------------------------

HERE IS THE DISCONNECTION (SANITIZED):

OSSEC HIDS Notification.
2016 Aug 12 07:52:45

Received From: (SERVERNAME) IP.IP.IP.IP->WinEvtLog
Rule: 100999 fired (level 11) -> "**Remote Desktop Connection Disconnected**"
Portion of the log(s):

WinEvtLog: Security: AUDIT_SUCCESS(4779): Microsoft-Windows-Security-Auditing: (no user): no domain: SERVERNAME.FQDN: A session was disconnected from a Window Station. Subject: Account Name: USERNAMEUSED Account Domain: DOMAIN.DOMAIN Logon ID: 0x1e3373 Session: Session Name: RDP-Tcp#0 Additional Information: Client Name: FROM_WHAT_DESKTOP Client Address: IP_OF_SAID_DESKTOP This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.

--END OF NOTIFICATION
__________________________________________________________

Hope this helps!
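As an added example (not code from this thread or from OSSEC itself), a small Python parser that reads notifications in the shape shown above, pulls out the Logon ID, session name, account and client address, and pairs each 4779 disconnect with the 4778 reconnect it belongs to so you get the session length per account and client; the two sample alerts, with their hostnames, accounts, addresses and times, are constructed.

```python
import re
from datetime import datetime

# Constructed sample alerts in the shape of the sanitized ones above
# (hostnames, accounts, addresses and times are made up).
ALERTS = ["""OSSEC HIDS Notification.
2016 Aug 12 07:48:23
Rule: 100888 fired (level 11) -> "**Remote Desktop Connection Established**"
WinEvtLog: Security: AUDIT_SUCCESS(4778): Microsoft-Windows-Security-Auditing: (no user): no domain: srv01.example.test: A session was reconnected to a Window Station. Subject: Account Name: jdoe Account Domain: EXAMPLE Logon ID: 0x1e3373 Session: Session Name: RDP-Tcp#0 Additional Information: Client Name: WS-42 Client Address: 10.0.0.42
""", """OSSEC HIDS Notification.
2016 Aug 12 07:52:45
Rule: 100999 fired (level 11) -> "**Remote Desktop Connection Disconnected**"
WinEvtLog: Security: AUDIT_SUCCESS(4779): Microsoft-Windows-Security-Auditing: (no user): no domain: srv01.example.test: A session was disconnected from a Window Station. Subject: Account Name: jdoe Account Domain: EXAMPLE Logon ID: 0x1e3373 Session: Session Name: RDP-Tcp#0 Additional Information: Client Name: WS-42 Client Address: 10.0.0.42
"""]

# One regex per field worth pivoting on; the event id comes from AUDIT_SUCCESS(NNNN).
FIELDS = {
    "time": r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2})$",
    "event_id": r"AUDIT_SUCCESS\((\d+)\)",
    "account": r"Account Name: (\S+)",
    "logon_id": r"Logon ID: (0x[0-9a-fA-F]+)",
    "session": r"Session Name: (\S+)",
    "client_ip": r"Client Address: (\S+)",
}

def parse_alert(text):
    """Extract the fields above from one notification, or None if any is missing."""
    rec = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        if not m:
            return None
        rec[key] = m.group(1)
    rec["time"] = datetime.strptime(rec["time"], "%Y %b %d %H:%M:%S")
    return rec

def pair_sessions(alerts):
    """Match each 4779 disconnect to the open 4778 reconnect with the same Logon ID
    and session name; return (account, client_ip, seconds) per completed session."""
    open_sessions, pairs = {}, []
    for rec in filter(None, map(parse_alert, alerts)):
        key = (rec["logon_id"], rec["session"])
        if rec["event_id"] == "4778":
            open_sessions[key] = rec
        elif rec["event_id"] == "4779" and key in open_sessions:
            start = open_sessions.pop(key)
            secs = int((rec["time"] - start["time"]).total_seconds())
            pairs.append((start["account"], start["client_ip"], secs))
    return pairs
```

A disconnect that arrives with no matching open reconnect is dropped rather than paired, which is the case to look at when OSSEC's alert stream has gaps.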
On Thursday, August 11, 2016 at 2:09:24 AM UTC-4, [email protected] wrote:
>
> I have a customer that is looking to monitor RDP across the following
> windows 2008r2 log structure:
>
> Applications and Services Logs->Microsoft->Windows->TerminalServices-LocalSessionManager->Operational
>
> Not quite sure how to set up the localfile, but guessing:
>
> <ossec_config>
>   <localfile>
>     <location>%WINDIR%/System32/winevt/Logs/Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational</location>
>     <log_format>eventlog</log_format>
>   </localfile>
> </ossec_config>
>
> The filesystem has a %4 where the last "/" is in my location...perhaps
> this is an issue? LocalSessionManager%4Operational is how it is displayed
> in Windows Explorer.
>
> I have logall enabled and I am seeing tons of inbound logs into the
> archives.log file, but not seeing any of the RDP chatter that I am
> expecting. Events 21 through 25 for example.
>
> Thanks for having a look,
> RS
