Jesus, sure, let me pull one up of a connect and a disconnect for RDP:
CONNECTION TO SERVER VIA RDP FROM REMOTE WORKSTATION: (SANITIZED OF COURSE)
OSSEC HIDS Notification.
2016 Aug 12 07:48:23
Received From: (servername) IP.IP.IP.IP->WinEvtLog
So here is what I have in my local_rules.xml for Ossec for my RDP:

<!-- XML tags reconstructed; the rule id and level are placeholders, not values shown in the post -->
<rule id="100100" level="3">
  <if_sid>18104</if_sid>
  <id>^682|^4778|^1149</id>
  <description>Remote Desktop Connection Established</description>
  <group>sysadmin,</group>
</rule>

<rule id="100101" level="3">
  <if_sid>18104</if_sid>
  <id>^683|^4779</id>
  <description>Remote Desktop Connection Disconnected</description>
  <group>sysadmin,</group>
</rule>
Then on my servers in the ossec.conf fil
Would be happy to share my local_rules.xml and the msauth.xml "tweaked"
version I use. Let me know
On Monday, February 23, 2015 at 3:28:39 PM UTC-5, Stephen Carr wrote:
>
> Hey there all, I’m wading into the realm of Domain Controller security
> logs and what is possible for filtering events to
What we do is move the DHCP files out to a different directory like C:\DHCP
and it works fine on 2008 and 2012.
On Tuesday, October 23, 2012 3:34:47 PM UTC-4, Brian Sims wrote:
>
> I see there is an MS DHCP parser, but I'm not having much success in
> getting it to work in a stable fashion.
Carlos, I used to see these all the time. I found what IPs they were
coming in from and blocked them at the FW level. It's usually some attack just
cycling through easy-picking names; sometimes you would see them hit in
alphabetical order too. Dictionary attack of sorts. Hope this helps
On Monday, S
In my local_rules.xml I have these entries, not sure if they will help:

<!-- XML tags reconstructed; the rule id and level are placeholders, not values shown in the post -->
<rule id="100100" level="3">
  <if_sid>18104</if_sid>
  <id>^682|^4778|^1149</id>
  <description>Remote Desktop Connection Established</description>
  <group>sysadmin,</group>
</rule>

<rule id="100101" level="3">
  <if_sid>18104</if_sid>
  <id>^683|^4779</id>
  <description>Remote Desktop Connection Disconnected</description>
  <group>sysadmin,</group>
</rule>
On Monday, October 7, 2013 6:24:38 PM UTC-
I ran into this problem a couple years ago. What I did was move the dhcp logs and
config to something like c:\dhcp, then in the ossec config call out, as you did,
each log file. There is something about being buried in system32 that ossec can
work with well, on win2008.
upp...@ecsc.co.uk> wrote:
> I beg your pardon, I meant:
>
> error_reporting = E_ALL & ~E_NOTICE & ~E_WARNING
>
>
>
> On Sunday, September 16, 2012 2:59:41 PM UTC+1, Derek Morris wrote:
>>
>> Oh thanks for responding. I am getting:
>>
>> Not
hs you remember that could do with changing I will
> happily have a look..
>
> On Friday, September 14, 2012 11:40:15 AM UTC+1, Xme wrote:
>>
>> I used it since the first release. The first installation was quite
>> "funny" and I had to fix lot of paths in
First off this is a nice tool to see being worked on. My question to the
group is has anyone got this working properly. I have tons of Undefined
Variables and no graphs. Any guidance is appreciated.
Mine is Exchange 2007, and it did work prior to the last upgrade.
On Mon, Jan 24, 2011 at 10:21 AM, dan (ddp) wrote:
> Hi Ash,
>
> On Fri, Jan 21, 2011 at 1:40 PM, ash kumar wrote:
> > 1. Daily Reports: I still get blank daily reports. What may be the
> problems?
>
> What email server and clien
I do too. Even different categories.
- Derek
On Jan 21, 2011 2:52 PM, "ash kumar" wrote:
> 1. Daily Reports: I still get blank daily reports. What may be the
problems?
> 2. Ad hoc Reports: is there are way I can take results of ossec-reportd
and
> mail in a presentable format, just summary inform
I would have to say the Upgrade process. I have to do a diff on numerous
rules files that I have edited, and it takes quite a bit of painstaking work to
complete.
On Wed, Oct 20, 2010 at 2:07 PM, Tim Eberhard wrote:
> To me the biggest thing that sticks the professional products apart from
> OSS
I started using Ossec around version 1.4 several years ago. At that time my
present employer had nothing for HID or event monitoring. Being a
non-profit, money was tight, so I started out by building a
Nagios/Ossec/MRTG Network Monitoring Server. The fact that Ossec was open
source and free allowed
Mine does..what sort of information are you looking for?
-Derek Morris
On Wed, Sep 22, 2010 at 3:54 PM, Christopher Moraes
wrote:
> Hi everyone,
>
> I'm preparing a recommendation to use OSSEC in my organization. Does
> anyone know where I can find references of other organi