So here is what I have in my local_rules.xml for Ossec for my RDP:

<rule id="100888" level="11">
  <if_sid>18104</if_sid>
  <id>^682|^4778|^1149</id>
  <description>**Remote Desktop Connection Established**</description>
  <group>sysadmin,</group>
</rule>

<rule id="100999" level="11">
  <if_sid>18104</if_sid>
  <id>^683|^4779</id>
  <description>**Remote Desktop Connection Disconnected**</description>
  <group>sysadmin,</group>
</rule>

Then on my servers in the ossec.conf file I add this:

<localfile>
  <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager Operational</location>
  <log_format>eventlog</log_format>
</localfile>

Also there are some Windows OS level advanced auditing you need to enable. Tons of info in Uncle Google for that.

Hope this helps

On Thursday, August 11, 2016 at 2:09:24 AM UTC-4, robertsc...@gmail.com wrote:
>
> I have a customer that is looking to monitor RDP across the following
> windows 2008r2 log structure:
>
> Applications and Services Logs->Microsoft->Windows->TerminalServices-LocalSessionManager->Operational
>
> Not quite sure how to set up the localfile, but guessing:
>
> <ossec_config>
>   <localfile>
>     <location>%WINDIR%/System32/winevt/Logs/Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational</location>
>     <log_format>eventlog</log_format>
>   </localfile>
> </ossec_config>
>
> The filesystem has a %4 where the last "/" is in my location...perhaps
> this is an issue? LocalSessionManager%4Operational is how it is displayed
> in Windows Explorer.
>
> I have logall enabled and I am seeing tons of inbound logs into the
> archives.log file, but not seeing any of the RDP chatter that I am
> expecting. Events 21 through 25 for example.
>
> Thanks for having a look,
> RS
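Before touching the OSSEC side it is worth confirming, on the Windows host itself, that the channel exists under its API name and is actually producing the session events the original poster expects. The PowerShell below is an added example and is not code from either message in the thread. It assumes the channel name taken from the poster's log path; note that the "%4" seen in Windows Explorer is only how the on-disk .evtx file name encodes the "/" in the channel name, so the name handed to the event log API (and to a log collector) uses the slash. The event ID meanings in the comments are the standard LocalSessionManager ones.

```powershell
# Added example: verify the RDP LocalSessionManager channel and list recent
# session events (21-25) so a missing OSSEC alert can be traced to the source.
# Channel name assumed from the original post; the API name uses '/', the
# on-disk file name encodes that slash as '%4'.
$channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'

# Confirm the channel is registered and enabled, and show where its file lives.
$log = Get-WinEvent -ListLog $channel -ErrorAction Stop
'{0}: enabled={1} records={2} file={3}' -f $log.LogName, $log.IsEnabled, $log.RecordCount, $log.LogFilePath

# Session lifecycle events in this channel:
#   21 = session logon succeeded      22 = shell start notification
#   23 = session logoff succeeded     24 = session disconnected
#   25 = session reconnection succeeded
$filter = @{ LogName = $channel; Id = 21, 22, 23, 24, 25; StartTime = (Get-Date).AddDays(-1) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
  ForEach-Object {
    # These events carry their fields in UserData/EventXML rather than EventData.
    $x  = [xml]$_.ToXml()
    $ud = $x.Event.UserData.EventXML
    [pscustomobject]@{
      Time    = $_.TimeCreated
      Id      = $_.Id
      User    = $ud.User
      Session = $ud.SessionID
      Address = $ud.Address
    }
  } | Format-Table -AutoSize
```

If this script returns no rows, the problem is Windows-side (the channel is disabled or no RDP sessions have occurred) rather than OSSEC's configuration. If it does return rows but nothing reaches archives.log, check the collector: OSSEC's documentation lists the eventchannel log_format, with the slash-form channel name as the location, for channels under Applications and Services Logs.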