0

on ossec 2.8.3 I am trying to get alerts only for rdp autentications from windows agents.

These events are shown in the clients event log Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational for example with eventID 1149

I have in my windows agents conf file

  <localfile>
    <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

on the server in my local_rules.xml I have

<group name="rdesktop">
<rule id="100888" level="1">
<match>Remote Desktop Services</match>
<description>Remote Desktop Connection Established</description>
</rule>
</group>

I get no messages from the remote client (that sends alerts if I use Security )

I see some traffic from client to server with tcpdump if I generate 1149 logon events But no evidence even with <logall>yes</logall> in ossec server.

Anyone can share some insight?

Many thanks g.

golemwashere
  • 724
  • 1
  • 10
  • 21

1 Answers1

0

Maybe I am misunderstanding. Need to add an option section in your local rules?

<options>alert_by_email</options>

Null
  • 1
  • I don't need alerts to be sent by email, my problem is it looks like alerts for rdp logins with this method are never raised. If I understood correctly if I set logall I shoud see the alert in ossec alerts.log. But I see no entry. I only see some packets with tcpdump from the client when I generate a 1149 event id from a rdp login. – golemwashere Aug 24 '17 at 08:59
  • Sorry! Needed to have a coffee to wake up. Are other alerts been logged for that client though? Might be worthwhile jumping on IRC irc.freenode.net on channel #ossec and ask there. – Null Aug 24 '17 at 09:46
  • if I change the log to Security eventlog I get alerts logged , the problem is I have some servers that generate too much of those , thanks for the hint on irc channel, I'll try that as soon as I have some time to go there – golemwashere Aug 24 '17 at 10:07