I would like to configure Wazuh to receive an alert if someone makes an RDP or Remote Desktop Connection to the Windows agent.

Yolanda Prieto
Jan 10, 2018, 8:09:14 PM
to Wazuh mailing list
Hi All,
I need your help.

Because active-response to block the offender IP address does not work for me on Windows, I was thinking of finding a solution to a very common scenario: I would like to configure Wazuh to receive an alert if someone makes an RDP or Remote Desktop Connection to the Windows agent (and I would like to cover TeamViewer too).

In the Windows agents I added the following configuration:

<localfile>
    <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=1149 or EventID=261 or EventID=258]</query>
</localfile>

**** Note: Then I tried with this configuration, but it does not work either.

<localfile>
    <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447]</query>
</localfile>


In /var/ossec/etc/rules/local_rules.xml
I added the following custom rules:

<rule id="100888" level="11">
    <if_sid>18104</if_sid>
    <id>^682|^4778|^1149</id>
    <description>Remote Desktop Connection Established</description>
    <group>sysadmin,</group>
</rule>

<rule id="100999" level="11">
    <if_sid>18104</if_sid>
    <id>^683|^4779</id>
    <description>Remote Desktop Connection Disconnected</description>
    <group>sysadmin,</group>
</rule>

And even though I can see the event in Event Viewer (please see the attachment RDP event.png), I cannot find the event in alerts.log.
What am I missing? Please advise.
Thanks in advance for any help you could give me.
Regards,
Yolanda Prieto
Attachment: RDP event.png

Yolanda Prieto
Jan 16, 2018, 6:33:39 PM
to Wazuh mailing list
Hi Team,
Has somebody had a chance to look into this situation or requirement?

Any idea or advice will be very useful.

Regards,
Yolanda

Miguelangel Freitas
Jan 16, 2018, 10:34:18 PM
to Yolanda Prieto, Wazuh mailing list
Hi Yolanda,

Sorry for the late reply,

You can also use a custom XPath query to collect the event paths matching your case (RDP connection/session events), for example:
  <localfile>
    <location>RDP</location>
    <log_format>eventchannel</log_format>
    <query>
      \<QueryList>
        \<Query Id="0" Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">
          \<Select Path="Microsoft-Windows-TerminalServices-LocalSessionManager/Operational">*\</Select>
        \</Query>
      \</QueryList>
    </query>
  </localfile>
Also, let me suggest some changes to the rules:
<rule id="100888" level="11">
  <if_sid>18101</if_sid>
  <id>^21$</id>
  <description>Remote Desktop Session Logon</description>
  <group>sysadmin,</group>
</rule>

<rule id="100889" level="11">
  <if_sid>18101</if_sid>
  <id>^23$</id>
  <description>Remote Desktop Session Logoff</description>
  <group>sysadmin,</group>
</rule>

<rule id="100890" level="11">
  <if_sid>18101</if_sid>
  <id>^24$</id>
  <description>Remote Desktop Session Disconnected</description>
  <group>sysadmin,</group>
</rule>

<rule id="100891" level="11">
  <if_sid>18101</if_sid>
  <id>^25$</id>
  <description>Remote Desktop Session Reconnected</description>
  <group>sysadmin,</group>
</rule>
With the above you should be able to see alerts for successful logins and logouts, and for disconnection and reconnection events via RDP:


I hope it helps.

Regards,


Miguelangel Freitas


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c08fae9c-a7d4-485d-8fac-866bcc31937b%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
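To see what those four rules would produce against the JSON events the agent forwards, here is an added Python example (not part of Miguelangel's reply and not Wazuh's own code). It assumes the archives.json field layout win.system.channel / win.system.eventID / win.eventdata.*, builds constructed sample events, and approximates the <if_sid> parent match with a channel check.

```python
import json
# Rule table from Miguelangel's local_rules.xml above: Windows event ID -> (rule id, description).
RDP_RULES = {
    "21": (100888, "Remote Desktop Session Logon"),
    "23": (100889, "Remote Desktop Session Logoff"),
    "24": (100890, "Remote Desktop Session Disconnected"),
    "25": (100891, "Remote Desktop Session Reconnected"),
}
RDP_CHANNEL = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

def _event_line(channel, event_id, **eventdata):
    """Build one constructed archives.json-style line (the field layout is an assumption)."""
    return json.dumps({"win": {"system": {"channel": channel, "eventID": str(event_id)},
                               "eventdata": eventdata}})

# Constructed sample: one RDP session (logon, disconnect, reconnect from another address,
# logoff) plus two events that none of the four rules should match.
SAMPLE_LINES = [
    _event_line(RDP_CHANNEL, 21, user="CORP\\alice", sessionID="3", address="10.0.0.5"),
    _event_line(RDP_CHANNEL, 24, user="CORP\\alice", sessionID="3", address="10.0.0.5"),
    _event_line(RDP_CHANNEL, 25, user="CORP\\alice", sessionID="3", address="10.0.0.9"),
    _event_line(RDP_CHANNEL, 23, user="CORP\\alice", sessionID="3", address="10.0.0.9"),
    _event_line(RDP_CHANNEL, 40, user="CORP\\alice", sessionID="3", address="10.0.0.9"),
    _event_line("Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", 1149),
]

def match_rule(line):
    """Return the (rule id, description) that would fire for one line, or None.
    The channel test stands in for the agent's localfile scope and the <if_sid> parent;
    the dict lookup is the exact <id>^21$</id>-style match on win.system.eventID."""
    try:
        system = json.loads(line)["win"]["system"]
    except (ValueError, KeyError, TypeError):
        return None  # not a Wazuh eventchannel JSON event at all
    if system.get("channel") != RDP_CHANNEL:
        return None
    return RDP_RULES.get(system.get("eventID"))

def session_timeline(lines):
    """Group fired alerts by RDP session: {sessionID: [(rule id, user, source address), ...]}."""
    timeline = {}
    for line in lines:
        hit = match_rule(line)
        if hit is None:
            continue
        data = json.loads(line)["win"].get("eventdata", {})
        timeline.setdefault(data.get("sessionID", "?"), []).append(
            (hit[0], data.get("user"), data.get("address")))
    return timeline
```

Feeding real archives.json lines through session_timeline gives a per-session logon/disconnect/reconnect/logoff sequence with the source address of each step, which is what the thread is trying to alert on.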

yol...@saitechnology.com
Jan 17, 2018, 1:15:30 PM
to Miguelangel Freitas, Yolanda Prieto, Wazuh mailing list
Hi Miguel Angel,

Thanks very much for your explicit answer.
I have to congratulate the Wazuh team for the excellent quality of your work
and the high-quality support you provide.
I will configure and test the rules for RDP today.


I need to ask you about two aspects:

I do not know why active-response does not work for me on Windows 10
Pro nor on Windows 7.

1) The active response is launched, but I cannot make the commands I
refer to in the post block the offending IP. I am referring to it here
because several weeks ago I posted a question but nobody has had the
chance to respond.

2) The other thing is file monitoring in "real time". I also posted a
question with all the details but nobody has had the chance to answer
me.
"Real-time" file monitoring does not happen in real time for me. In the
post I have the details. Even though the frequency of the check is 4
hours for the agent and for the manager (so as not to interfere with
the real time), I cannot see the changes or additions in real time in
the monitored folder.

I am using Wazuh 3.0.1 and Elastic Stack 6.0.1.

Now I will reply on my post to see if anyone has the opportunity to
review these.
Any advice regarding these two topics?

Thank you very much!

Yolanda Prieto



On 2018-01-16 20:33, Miguelangel Freitas wrote:
> Hi Yolanda,
>
> Sorry for the late reply,
>
> You can also use a custom XPATH query [4] to collect the event paths
> I hope it helps.
>
> Regards,
>
> Miguelangel Freitas
>
> Links:
> ------
> [4] https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/localfile.html#query

migue...@wazuh.com
Jan 30, 2018, 12:12:52 PM
to Wazuh mailing list
Hi Yolanda,

I replied to the original threads:

syscheck not being in real time even when it is configured with realtime="yes": https://groups.google.com/d/msg/wazuh/4HenaOSXU20/g57X73lMBgAJ
active-response Windows issue: I believe the issue is that "How to add a Null route in Windows" itself doesn't work: https://groups.google.com/d/msg/wazuh/AI4qkYhPke8/QLZQj-dQBgAJ

Let us know if you have any further questions, thanks!

Best regards,

Miguelangel Freitas


Fabio Miotti
Feb 9, 2021, 5:14:12 AM
to Wazuh mailing list
Hi Miguelangel, I have tried to use your configuration for RDP but the Wazuh manager doesn't receive anything.
The server is Windows 2016.
My scope is the same as Yolanda's.
Thanks



Bianca Asan
Apr 20, 2021, 1:52:56 AM
to Wazuh mailing list

Hi, I have the same problem, my Wazuh manager does not receive the logs. Can you help me?

Jose Antonio Izquierdo
Apr 21, 2021, 2:07:08 PM
to Wazuh mailing list
Hi,

Please try this configuration, it works for me.

Be sure your agent has the right localfile eventchannel configuration in your agent ossec.conf:

  <localfile>
    <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

In the manager, add this rule to your local_rules.xml:

  <rule id="100100" level="5">
    <if_sid>60009</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational$</field>
    <options>no_full_log</options>
    <description>Terminal Services Remote Connection Manager</description>
  </rule>

Restart both wazuh-agent and the manager.

Let me know if this works for you.
Thanks

Alberto Rodriguez
Nov 12, 2021, 3:43:18 AM
to Black Fish, Wazuh mailing list
Hello,

Sorry for not getting back to you sooner. Did you temporarily activate the archives.log? Please activate it in the ossec.conf configuration file and see if you are receiving the logs corresponding to the Windows RDP event. If so, maybe it's a problem regarding the decoder. If not, your Windows host is not sending this event.

Hope it helps.
Regards,
Alberto R

On Tue, May 18, 2021 at 10:02 AM Black Fish <imranqut...@gmail.com> wrote:

nothing worked for me.