On Fri, Mar 3, 2017 at 2:04 PM, Aryn Nakaoka <[email protected]> wrote:
> How do I get OSSEC to log the IP of failed RDP Logins?
>
What do you mean "log the IP?" Is the IP address in the log?
Does it not get identified by the decoding process?
>
>
> On Monday, October 7, 2013 at 12:24:38 PM UTC-10, Gary White wrote:
>>
>> I have edited the msauth file so that I get an email alert when I or
>> anyone remote desktops into my windows machine. However I get several
>> PCname$ alerts as well and I think I need to <match> </match> another rule
>> to filter the unwanted logs out? here is what I have done:
>>
>> <!-- Filter This Out -->
>> <rule id="18159" level="1">
>> <category>windows</category>
>> <if_sid>18104</if_sid>
>> <match>Athlon$</match>
>> <description>Remote access login success.</description>
>> </rule>
>>
>>
>> <!-- RDP Access Alert Working Fine -->
>> <rule id="18160" level="8">
>> <if_sid>18104</if_sid>
>> <id>^682|^4778|^4624</id>
>> <description>Remote Desktop Connection Established</description>
>> <group>authentication_success</group>
>> </rule>
>> </group>
>> <!-- EOF -->
>> The 4778 event ID is for when someone has logged back into an already
>> established session, this works fine. What I also want is when someone logs
>> on creating a new RDP session (4624) however that also generates this email:
>>
>>
>>
>> OSSEC HIDS Notification.
>>
>> 2013 Oct 07 11:52:39
>>
>>
>>
>> Received From: (Athlon) 10.1.1.11->WinEvtLog
>>
>> Rule: 18160 fired (level 8) -> "Remote Desktop Connection Established"
>>
>> Portion of the log(s):
>>
>>
>>
>> WinEvtLog: Security: AUDIT_SUCCESS(4624):
>> Microsoft-Windows-Security-Auditing: ATHLON$: MYDOMAIN:
>> ATHLON.mydomain.local: An account was successfully logged on. Subject:
>> Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0
>> Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name: ATHLON$
>> Account Domain: MYDOMAIN Logon ID: 0x839f215b Logon GUID:
>> {666D9506-E849-14C7-8D3A-6550AE9EE889} Process Information: Process ID:
>> 0x0 Process Name: - Network Information: Workstation Name: Source
>> Network Address: ::1 Source Port: 0 Detailed Authentication Information:
>> Logon Process: Kerberos Authentication Package: Kerberos Transited
>> Services: - Package Name (NTLM only): - Key Length: 0 This event is
>> generated when a logon session is created. It is generated on the computer
>> that was accessed.
>>
>>
>>
>> If anyone can point me in the right direction that would be great thanks.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
