REMOTE DESKTOP CONNECTION LOGS


Sardar Sadaqat

Oct 31, 2019, 7:05:57 AM
to ossec-list
Hi all,
I am using the OSSIM community version. I tried all possible combinations, also defined rules in ossec.conf, and also defined rules on the server-side HIDS. Here I have shared my configuration; kindly have a look.
Here is my agent configuration file:
<localfile>
  <location>RDP</location>
  <log_format>eventchannel</log_format>
  <query>
    \<QueryList>
      \<Query Id="0" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
        \<Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">*\</Select>
      \</Query>
    \</QueryList>
  </query>
</localfile>




This is on the server side:


<rule id="100888" level="11">
  <if_sid>18101</if_sid>
  <id>^21$</id>
  <description>Remote Desktop Session Logon</description>
  <group>sysadmin,</group>
</rule>

<rule id="100889" level="11">
  <if_sid>18101</if_sid>
  <id>^23$</id>
  <description>Remote Desktop Session Logoff</description>
  <group>sysadmin,</group>
</rule>

<rule id="100890" level="11">
  <if_sid>18101</if_sid>
  <id>^24$</id>
  <description>Remote Desktop Session Disconnected</description>
  <group>sysadmin,</group>
</rule>

<rule id="100891" level="11">
  <if_sid>18101</if_sid>
  <id>^25$</id>
  <description>Remote Desktop Session Reconnected</description>
  <group>sysadmin,</group>
</rule>


Kindly guide me; I want to get remote desktop session logs.