Hello everyone.

I am trying to use OSSEC to monitor the logons and logoffs by employees on 
our Active Directory server.

The problem is that there is too much noise generated by the AD and I 
cannot find a way to isolate the events I need monitored to get the correct 

The AD server generates about 5-6 events every time a user logs on or logs 
off (logon Event ID 4624, logoff Event ID 4634).

The desirable result is to have alerts like: "User 'X' performed a logon" 
/ "User 'X' performed a logoff".

OSSEC by default has Windows logon and logoff rules (4624, 4634), but they 
trigger on each event with these IDs and you cannot get a specific result; 
too much noise is generated.

Has anyone successfully implemented the monitoring of user logons/logoffs 
to the AD server with OSSEC? How can I isolate the noise and get the 
desirable results?

Thanks in advance!
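The filtering the question is after (one alert per real user session, everything else dropped) can be prototyped outside OSSEC before being turned into rules. The script below is an added example, not OSSEC's code and not something from the original post. It assumes the forwarded event lines have the one-line "WinEvtLog: Security: AUDIT_SUCCESS(4624): ... Account Name: ... Logon Type: ... Logon ID: ..." shape; the sample lines are constructed and trimmed to those fields, and the Logon Type values are the ones Windows defines for 4624 (2 = Interactive, 3 = Network, 5 = Service, 10 = RemoteInteractive). It keeps a 4624 only when it opens an interactive session on a non-machine account, remembers that session by its Logon ID, and reports a 4634 only when it closes a remembered session, so the network and service logons that produce the extra 5-6 events per user are silently discarded.

```python
"""
Standalone model of a de-noising filter for Windows logon/logoff auditing.

Added example code, not part of OSSEC. Input lines follow the assumed
one-line shape the OSSEC Windows agent forwards; only the fields the filter
needs (event id, Account Name, Logon Type, Logon ID) are parsed.
"""
import re

# Logon Type values defined by Windows for event 4624 that mean a person
# opened a session: 2 = Interactive (console), 10 = RemoteInteractive (RDP).
# 3 (Network), 4 (Batch), 5 (Service) and 7 (Unlock) are treated as noise.
INTERACTIVE_LOGON_TYPES = {2, 10}

EVENT_ID_RE = re.compile(r"AUDIT_\w+\((\d+)\)")
ACCOUNT_RE = re.compile(r"Account Name:\s*(\S+)")
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
LOGON_ID_RE = re.compile(r"Logon ID:\s*(0x[0-9A-Fa-f]+)")


def parse_event(line):
    """Extract the fields the filter needs; return None for lines without an event id."""
    m = EVENT_ID_RE.search(line)
    if not m:
        return None
    accounts = ACCOUNT_RE.findall(line)
    logon_type = LOGON_TYPE_RE.search(line)
    logon_id = LOGON_ID_RE.search(line)
    return {
        "event_id": int(m.group(1)),
        # A real 4624 carries two "Account Name" fields (Subject, then New Logon);
        # the last one is the account that actually logged on.
        "account": accounts[-1] if accounts else None,
        "logon_type": int(logon_type.group(1)) if logon_type else None,
        "logon_id": logon_id.group(1) if logon_id else None,
    }


def is_user_session_logon(ev):
    """True only for a 4624 that opens an interactive session on a named user account."""
    if ev["event_id"] != 4624 or ev["account"] is None:
        return False
    if ev["account"].endswith("$"):  # computer accounts such as DC01$ are noise
        return False
    return ev["logon_type"] in INTERACTIVE_LOGON_TYPES


def summarize_logons(lines):
    """Return one 'performed a logon' / 'performed a logoff' alert per user session."""
    alerts = []
    open_sessions = {}  # Logon ID -> account name, for accepted logons only
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_id"] is None:
            continue
        if is_user_session_logon(ev):
            if ev["logon_id"] in open_sessions:  # duplicate delivery of the same event
                continue
            open_sessions[ev["logon_id"]] = ev["account"]
            alerts.append("User '%s' performed a logon" % ev["account"])
        elif ev["event_id"] == 4634:
            # A 4634 is only interesting if it closes a session we alerted on;
            # logoffs of network/service logons never had their Logon ID accepted.
            account = open_sessions.pop(ev["logon_id"], None)
            if account is not None:
                alerts.append("User '%s' performed a logoff" % account)
    return alerts


# Constructed sample events (not real captured logs), trimmed to the fields used above.
SAMPLE_EVENTS = [
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: An account was successfully logged on. Subject: Account Name: - New Logon: Account Name: DC01$ Logon Type: 3 Logon ID: 0x3E7",
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: An account was successfully logged on. Subject: Account Name: - New Logon: Account Name: jdoe Logon Type: 3 Logon ID: 0x1A2B3C",
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: An account was successfully logged on. Subject: Account Name: - New Logon: Account Name: jdoe Logon Type: 2 Logon ID: 0x1A2B40",
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: An account was successfully logged on. Subject: Account Name: - New Logon: Account Name: jdoe Logon Type: 2 Logon ID: 0x1A2B40",
    "WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: An account was logged off. Account Name: jdoe Logon Type: 3 Logon ID: 0x1A2B3C",
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: An account was successfully logged on. Subject: Account Name: - New Logon: Account Name: svc-backup Logon Type: 5 Logon ID: 0x1A2C00",
    "WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: An account was logged off. Account Name: jdoe Logon Type: 2 Logon ID: 0x1A2B40",
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: An account was successfully logged on. Subject: Account Name: - New Logon: Account Name: asmith Logon Type: 10 Logon ID: 0x1A2D00",
    "WinEvtLog: Security: AUDIT_SUCCESS(4672): Microsoft-Windows-Security-Auditing: Special privileges assigned to new logon. Account Name: asmith Logon ID: 0x1A2D00",
]

if __name__ == "__main__":
    for alert in summarize_logons(SAMPLE_EVENTS):
        print(alert)
```

Run against the nine constructed lines it prints three alerts (jdoe logon, jdoe logoff, asmith logon) instead of nine. The per-event predicates (event id 4624, Logon Type 2 or 10, account name not ending in `$`) are the conditions to carry over into OSSEC rule matching so that the stock 4624/4634 rules fire only for real sessions; the Logon ID pairing is included to show how a logoff is attributed to the right session and how the duplicate and network-logoff events fall away.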


You received this message because you are subscribed to the Google Groups 
"ossec-list" group.