On Fri, Sep 22, 2017 at 6:22 PM, Kris Springer
<[email protected]> wrote:
> Hi, I've got OSSEC agent v2.9.0 running on some Windows servers and clients
> of various versions and receive the default alerts through a Security Onion
> server. All is well from the defaults, but I'd like to be alerted on
> Successful authentication, not just failed attempts. This would apply to
> SSH, RDP, FTP, HTTP, etc. I have spent a bit of time reading how-to docs
> and forums to try to figure out what I need to do, but so far I've yet to
> get the specifics I'm looking for. I know that Windows logs are generally a
> mess, and I'm pretty sure I need to define what I want in the ossec.conf
> file on each agent, but I don't know exactly what to add to get my desired
> result. I've read many forum posts that are asking this same basic question
> and have yet to see a definite answer or how-to. Can someone please define
> what I need to do to accomplish this?
>
Some of those should create alerts by default already. For example:
<rule id="18126" level="3">
  <if_sid>18101</if_sid>
  <id>^20158$</id>
  <description>Remote access login success.</description>
  <group>authentication_success,</group>
</rule>
I think this should create an alert whenever anyone remotes into a
machine. The level might not be high enough for you to see it though.
That's easy to adjust in local_rules.xml with the overwrite option.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
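As an added example (not from the thread), here is what the overwrite adjustment mentioned above looks like in local_rules.xml. It reuses the stock rule 18126 shown in the reply; the chosen level 8 and the group name "local,windows," are assumptions, and because overwrite="yes" replaces the rule definition rather than patching it, the if_sid, id and group conditions must be restated.

```xml
<!-- Added example for local_rules.xml; not part of the original thread. -->
<group name="local,windows,">
  <!-- Raise the stock "Remote access login success" rule from level 3 to
       level 8 (assumed value) so it clears the alerting threshold.
       overwrite="yes" supersedes the rule in msauth_rules.xml, so every
       match condition of the original rule is repeated here. -->
  <rule id="18126" level="8" overwrite="yes">
    <if_sid>18101</if_sid>
    <id>^20158$</id>
    <description>Remote access login success.</description>
    <group>authentication_success,</group>
  </rule>
</group>
```

After restarting the manager, a copy of the matching event can be pasted into ossec-logtest to confirm that rule 18126 now fires at the new level.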