Hi all,
I am using the OSSIM community version. I have tried all possible combinations: I defined rules in ossec.conf and also defined rules on the server-side HIDS.
Here I have shared my configuration, kindly have a look.
This is my agent configuration file:
<localfile>
  <!-- For eventchannel the location must be the Windows channel name itself,
       not a label such as "RDP" -->
  <location>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</location>
  <log_format>eventchannel</log_format>
  <!-- The original <QueryList> block selected every event (*), so no <query> is needed.
       OSSEC's optional <query> takes an XPath filter, not a QueryList document, e.g.
       <query>Event/System[EventID=21 or EventID=23 or EventID=24 or EventID=25]</query> -->
</localfile>
This is on the server side:
<!-- local_rules.xml on the OSSEC server: custom rules must live inside a <group> element -->
<group name="local,">
  <!-- 18101 is the stock "Windows informational event" rule; <id> matches the Windows EventID
       of the TerminalServices-LocalSessionManager/Operational events -->
  <rule id="100888" level="11">
    <if_sid>18101</if_sid>
    <id>^21$</id>
    <description>Remote Desktop Session Logon</description>
    <group>sysadmin,</group>
  </rule>
  <rule id="100889" level="11">
    <if_sid>18101</if_sid>
    <id>^23$</id>
    <description>Remote Desktop Session Logoff</description>
    <group>sysadmin,</group>
  </rule>
  <rule id="100890" level="11">
    <if_sid>18101</if_sid>
    <id>^24$</id>
    <description>Remote Desktop Session Disconnected</description>
    <group>sysadmin,</group>
  </rule>
  <rule id="100891" level="11">
    <if_sid>18101</if_sid>
    <id>^25$</id>
    <description>Remote Desktop Session Reconnected</description>
    <group>sysadmin,</group>
  </rule>
</group>
Kindly guide me, I want to get Remote Desktop session logs.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/6002937a-2586-463d-858d-3cef4e8895f9%40googlegroups.com.
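As an added example (not part of the original post and not OSSEC code), the snippet below simulates offline how the four local rules above chain under stock rule 18101, so the rule logic can be checked before deploying to the server. It assumes the eventchannel decoder exposes the Windows level (Information) and the EventID that `<id>` is matched against; the event dicts and field names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the poster's server-side rules, inside the <group>
# wrapper that local_rules.xml requires.
LOCAL_RULES = """<group name="local,">
  <rule id="100888" level="11"><if_sid>18101</if_sid><id>^21$</id>
    <description>Remote Desktop Session Logon</description><group>sysadmin,</group></rule>
  <rule id="100889" level="11"><if_sid>18101</if_sid><id>^23$</id>
    <description>Remote Desktop Session Logoff</description><group>sysadmin,</group></rule>
  <rule id="100890" level="11"><if_sid>18101</if_sid><id>^24$</id>
    <description>Remote Desktop Session Disconnected</description><group>sysadmin,</group></rule>
  <rule id="100891" level="11"><if_sid>18101</if_sid><id>^25$</id>
    <description>Remote Desktop Session Reconnected</description><group>sysadmin,</group></rule>
</group>"""

PARENT_SID = "18101"  # stock msauth rule "Windows informational event"

def load_rules(xml_text):
    """Return (rule_id, level, compiled <id> regex, description) for rules under 18101."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        if r.findtext("if_sid") == PARENT_SID:
            rules.append((r.get("id"), int(r.get("level")),
                          re.compile(r.findtext("id")), r.findtext("description")))
    return rules

def match_event(rules, event):
    """Simulate the chain: 18101 fires only for Information-level events (assumed
    decoder mapping), then the first child whose <id> regex matches the EventID wins."""
    if event["level"].upper() != "INFORMATION":
        return None
    for rule_id, level, id_re, desc in rules:
        if id_re.search(str(event["event_id"])):
            return rule_id, level, desc
    return None

# Constructed sample events; field names are illustrative, not OSSEC's internal ones.
CHANNEL = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
SAMPLE_EVENTS = [
    {"channel": CHANNEL, "event_id": 21,  "level": "Information"},  # session logon
    {"channel": CHANNEL, "event_id": 24,  "level": "Information"},  # session disconnected
    {"channel": CHANNEL, "event_id": 210, "level": "Information"},  # anchors in ^21$ reject this
    {"channel": CHANNEL, "event_id": 21,  "level": "Warning"},      # parent 18101 would not fire
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["event_id"], ev["level"], "->", match_event(load_rules(LOCAL_RULES), ev))
```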