Capturing RDP/RDS Windows Event Logs

Zero Two

Nov 14, 2024, 9:31:47 AM
to Wazuh | Mailing List

Greetings:

I need to capture the following Windows Event Logs. I used the centralized management approach and modified the Group's agent.conf to:

<agent_config>
  <!-- Shared agent configuration here -->
  <localfile>
    <location>Microsoft-Windows-Windows Defender/Operational</location>
    <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
    <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin</location>
    <location>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</location>
    <location>Microsoft-Windows-TerminalServices-LocalSessionManager/Admin</location>
    <location>Microsoft-Windows-TerminalServices-Licensing/Operational</location>
    <location>Microsoft-Windows-TerminalServices-Licensing/Admin</location>
    <location>Microsoft-Windows-TerminalServices-SessionBroker-Client/Admin</location>
    <location>Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational</location>
    <location>Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>

That should be adequate, correct? Or do I need to also create custom rules to make sure Wazuh captures the logs?


Manuel Jose Cano Rojo

Nov 14, 2024, 9:55:53 AM
to Wazuh | Mailing List
Hello, Zero Two!

You must create a unique localfile block for each event channel you want to read. For example, if you want to enable the first two you shared, you should add a config block for each one separately, as follows:

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

<localfile>
  <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

Here you can find the eventchannels supported by Wazuh. The default ruleset should cover the retrieved logs for the indicated eventchannels, but you could also add your own if needed.

Hope it helps!

Regards,

Manuel.
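
To catch the mistake corrected above before a shared agent.conf is pushed to a group, here is an added Python example (not code from the thread or from Wazuh). It encodes the rule stated in the reply, one <location> and one <log_format> per <localfile>, flags event-channel locations that are not read with the eventchannel collector, and can rewrite a block that carries several locations into one block per channel. The sample fragments are constructed from the first post; the Provider/Channel heuristic for spotting an event channel is my own and does not recognise the bare Security, System and Application channels. It needs Python 3.9 or later for xml.etree.ElementTree.indent.

```python
"""Lint and repair <localfile> blocks in a Wazuh agent.conf fragment.

Added example; not code from the thread or from Wazuh. It encodes the rule
given in the reply above: one <location> and one <log_format> per
<localfile>, with log_format eventchannel for Windows event channels.
Needs Python 3.9+ for xml.etree.ElementTree.indent.
"""
import xml.etree.ElementTree as ET

# Constructed from the first post: three channels share one <localfile>,
# which is the mistake the reply corrects.
BROKEN_CONF = """<agent_config>
  <!-- Shared agent configuration here -->
  <localfile>
    <location>Microsoft-Windows-Windows Defender/Operational</location>
    <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
    <location>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</agent_config>"""

# Constructed: an event channel read with the wrong collector.
WRONG_FORMAT_CONF = """<agent_config>
  <localfile>
    <location>Microsoft-Windows-TerminalServices-LocalSessionManager/Admin</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>"""


def parse_fragment(text):
    """agent.conf may hold several <agent_config> roots (one per os/profile
    filter), which is not one XML document, so wrap it in a throwaway root."""
    return ET.fromstring(f"<wrapper>{text}</wrapper>")


def is_event_channel(location):
    """Heuristic (mine, not Wazuh's): Provider/Channel names such as
    Microsoft-Windows-TerminalServices-LocalSessionManager/Operational.
    Absolute paths start with a slash or carry a drive letter and are left alone."""
    return "/" in location and not location.startswith("/") and ":" not in location


def lint_localfiles(text):
    """Return a list of problems; an empty list means the fragment is clean."""
    problems = []
    for n, block in enumerate(parse_fragment(text).iter("localfile"), start=1):
        locations = [e.text.strip() for e in block.findall("location") if e.text]
        formats = [e.text.strip() for e in block.findall("log_format") if e.text]
        if len(locations) != 1:
            problems.append(f"localfile #{n}: expected 1 <location>, found {len(locations)}")
        if len(formats) != 1:
            problems.append(f"localfile #{n}: expected 1 <log_format>, found {len(formats)}")
        for loc in locations:
            if is_event_channel(loc) and formats != ["eventchannel"]:
                problems.append(f"localfile #{n}: {loc} is an event channel but log_format is {formats}")
    return problems


def expand_localfiles(text):
    """Rewrite the fragment so every <location> gets its own <localfile>,
    copying the original block's <log_format> into each new block."""
    root = parse_fragment(text)
    for parent in list(root.iter()):
        for block in list(parent.findall("localfile")):
            locations = block.findall("location")
            if len(locations) <= 1:
                continue
            log_format = block.find("log_format")
            position = list(parent).index(block)
            parent.remove(block)
            for offset, loc in enumerate(locations):
                new_block = ET.Element("localfile")
                ET.SubElement(new_block, "location").text = loc.text.strip()
                if log_format is not None:
                    ET.SubElement(new_block, "log_format").text = log_format.text.strip()
                parent.insert(position + offset, new_block)
    ET.indent(root, space="  ")
    return "".join(ET.tostring(child, encoding="unicode") for child in root)


if __name__ == "__main__":
    for name, conf in (("BROKEN_CONF", BROKEN_CONF), ("WRONG_FORMAT_CONF", WRONG_FORMAT_CONF)):
        print(name, lint_localfiles(conf) or "ok")
    print(expand_localfiles(BROKEN_CONF))
```

The wrapper root is there because a shared agent.conf can legitimately contain several <agent_config> elements (one per os or profile filter), which a strict XML parser rejects on its own; the linter reports per block, and the expanded output for BROKEN_CONF is three separate <localfile> blocks, each with its own eventchannel log_format, which is the form the reply asks for.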

Zero Two

Nov 14, 2024, 9:58:01 AM
to Wazuh | Mailing List
Awesome, thank you!  This is what I was looking for :)

Zero Two

Nov 15, 2024, 8:29:57 AM
to Wazuh | Mailing List
Manuel:

I wanted to verify that this can be done via the centralized agent.conf?  Here is my new agent.conf for the group "DataServices":

  <agent_config>
    <!-- Shared agent configuration here -->
    <localfile>
      <location>Microsoft-Windows-Windows Defender/Operational</location>
      <log_format>eventchannel</log_format>
    </localfile>
    <localfile>
      <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
      <log_format>eventchannel</log_format>
    </localfile>
    <localfile>
      <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin</location>
      <log_format>eventchannel</log_format>
    </localfile>
    <localfile>
      <location>Microsoft-Windows-TerminalServices-LocalSessionManager/Operational</location>
      <log_format>eventchannel</log_format>
    </localfile>
    <localfile>
      <location>Microsoft-Windows-TerminalServices-LocalSessionManager/Admin</location>
      <log_format>eventchannel</log_format>
    </localfile>
    <localfile>
      <location>Microsoft-Windows-TerminalServices-Licensing/Operational</location>
      <log_format>eventchannel</log_format>
    </localfile>
    <localfile>
      <location>Microsoft-Windows-TerminalServices-Licensing/Admin</location>
      <log_format>eventchannel</log_format>
    </localfile>
    <localfile>
      <location>Microsoft-Windows-TerminalServices-SessionBroker-Client/Admin</location>
      <log_format>eventchannel</log_format>
    </localfile>
    <localfile>
      <location>Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational</location>
      <log_format>eventchannel</log_format>
    </localfile>
    <localfile>
      <location>Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational</location>
      <log_format>eventchannel</log_format>
    </localfile>
  </agent_config>

Because, sadly, I am still not getting these logs from the agents within the group :/

Manuel Jose Cano Rojo

Nov 20, 2024, 3:49:57 AM
to Wazuh | Mailing List
Hi Zero Two!

Sorry for my late response.

If you have a look at the agent.conf documentation, you can see that the localfile configuration block can be configured using this file. Your problem could be related to not enabling wazuh_command.remote_commands=1 in the /var/ossec/etc/local_internal_options.conf file on the affected agents.

Please ensure you set it and restart the agents before setting the centralized configuration via the agent.conf file.

Hope it helps!

Manuel.

Zero Two

Nov 26, 2024, 11:10:28 AM
to Wazuh | Mailing List
Apologies for my own late response (and thank you for the time you have put into this).

I have verified the above (it had not been enabled) but am still not receiving alerts. Perhaps it's a problem with my rules, now?

<!--
  -  Rules config for Microsoft-Windows-TerminalServices
  -  Author: Zero Two
  -  Updated by:
  -  Copyright (C) 2024, Zero Two
-->

<group name="Windows-TerminalServices,">
  <rule id="900000" level="0">
    <category>windows</category>
    <description>Generic template for Windows-TerminalServices rules.</description>
  </rule>
 
  <rule id="900001" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^21$</field>
    <description>Remote Desktop Services: Session Logon Succeeded</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900002" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^22$</field>
    <description>Remote Desktop Services: Shell start notification received</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900003" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^23$</field>
    <description>Remote Desktop Services: Session Logoff Succeeded</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900004" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^24$</field>
    <description>Remote Desktop Services: Session has been disconnected</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900005" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^25$</field>
    <description>Remote Desktop Services: Session Reconnection Succeeded</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900006" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^39$</field>
    <description>Session X has been disconnected by session Y</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900007" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^40$</field>
    <description>Session X has been disconnected reason code Z</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900008" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^226$</field>
    <description>RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005)</description>
    <options>no_full_log</options>
  </rule>  
 
  <rule id="900009" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^261$</field>
    <description>Listener RDP-Tcp received a connection</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900010" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^1024$</field>
    <description>The Client has initiated a multi-transport connection to the server ()</description>
    <options>no_full_log</options>
  </rule>

  <rule id="900011" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^1025$</field>
    <description>RDP ClientActiveX has connected to the server.</description>
    <options>no_full_log</options>
  </rule>    
 
  <rule id="900012" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^1026$</field>
    <description>RDP ClientActiveX has been disconnected (Reason= )</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900013" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^1027$</field>
    <description>Connected to domain (SERVER-XX) with session X</description>
    <options>no_full_log</options>
  </rule>    
 
  <rule id="900014" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^1028$</field>
    <description>The server supports SSL = supported</description>
    <options>no_full_log</options>
  </rule>    
 
  <rule id="900015" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^1029$</field>
    <description>Base64(SHA256(UserName)) is = [BASE64 Encoded SHA256 Hash Value of User Name]</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900016" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^1102$</field>
    <description>The Client has initiated a multi-transport connection to the server </description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900017" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^1103$</field>
    <description>The client has established a multi-transport connection to the server</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900018" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^1105$</field>
    <description>The multi-transport connection has been disconnected</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900019" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^1149$</field>
    <description>User Authentication Succeeded</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900020" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^1158$</field>
    <description>Remote Desktop Services accepted a connection from IP address </description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900021" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^1403$</field>
    <description>The client is using software memory for the frame buffer</description>
    <options>no_full_log</options>
  </rule>
 
  <rule id="900098" level="12">
    <if_sid>900001, 900002, 900003, 900004, 900005, 900006, 900007, 900008, 900009, 900010, 900011, 900012, 900013, 900014, 900015, 900016, 900017, 900018, 900019, 900020, 900021</if_sid>
    <field name="win.system.severityValue">^ERROR$</field>
    <description>placeholder</description>  
  </rule>

  <rule id="900099" level="15">
    <if_sid>900001, 900002, 900003, 900004, 900005, 900006, 900007, 900008, 900009, 900010, 900011, 900012, 900013, 900014, 900015, 900016, 900017, 900018, 900019, 900020, 900021</if_sid>
    <field name="win.system.severityValue">^CRITICAL$</field>
    <description>placeholder</description>
  </rule>
</group>
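
The chain the rules above express, a level 0 template rule first and children reached through if_sid, is easy to lose sight of in a long file, so here is an added Python walker (not code from the thread or from Wazuh) that loads a subset of the rules exactly as posted and reports which rule, and which level, a constructed eventchannel event ends at. It models only <if_sid> and <field>; <category> and <decoded_as> are ignored, patterns are matched with Python's re rather than OS_Regex (the ^ and $ anchors used here mean the same in both), and the events are constructed, not captured from an agent.

```python
"""Walk a Wazuh-style rule chain (if_sid + field regex) over a Windows
eventchannel event and report which rule, and which level, it ends at.

Added example, not code from the thread or from Wazuh. It models only
<if_sid> and <field name="...">; <category> and <decoded_as> are ignored,
patterns are matched with Python's re rather than OS_Regex (the ^ and $
anchors used in the thread mean the same in both), and the events are
constructed, not captured from an agent.
"""
import json
import re
import xml.etree.ElementTree as ET

# Subset of the rules posted above; ids, levels and patterns as posted.
RULES_XML = """<group name="Windows-TerminalServices,">
  <rule id="900000" level="0">
    <category>windows</category>
    <description>Generic template for Windows-TerminalServices rules.</description>
  </rule>
  <rule id="900001" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^21$</field>
    <description>Remote Desktop Services: Session Logon Succeeded</description>
  </rule>
  <rule id="900005" level="6">
    <if_sid>900000</if_sid>
    <field name="win.system.eventID">^25$</field>
    <description>Remote Desktop Services: Session Reconnection Succeeded</description>
  </rule>
  <rule id="900098" level="12">
    <if_sid>900001, 900005</if_sid>
    <field name="win.system.severityValue">^ERROR$</field>
    <description>placeholder</description>
  </rule>
</group>"""


def make_event(event_id, severity="INFORMATION"):
    """Constructed eventchannel log in the JSON shape the agent forwards
    (only the fields the rules above inspect, plus channel for context)."""
    return json.dumps({"win": {"system": {
        "providerName": "Microsoft-Windows-TerminalServices-LocalSessionManager",
        "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
        "eventID": str(event_id),
        "severityValue": severity,
    }}})


def load_rules(xml_text):
    """Return {rule_id: {"level", "parents", "fields"}} from the <group>s."""
    root = ET.fromstring(f"<rules>{xml_text}</rules>")
    rules = {}
    for rule in root.iter("rule"):
        parents = [s.strip() for s in (rule.findtext("if_sid") or "").split(",") if s.strip()]
        rules[rule.get("id")] = {
            "level": int(rule.get("level")),
            "parents": parents,
            "fields": [(f.get("name"), f.text) for f in rule.findall("field")],
        }
    return rules


def flatten(obj, prefix=""):
    """Nested JSON -> {"win.system.eventID": "25", ...}, the names <field> uses."""
    flat = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        else:
            flat[name] = str(value)
    return flat


def fields_match(rule, fields):
    """Every <field> of the rule must match; an absent field never matches."""
    return all(name in fields and re.search(pattern, fields[name])
               for name, pattern in rule["fields"])


def evaluate(rules, raw_event):
    """Return (rule_id, level) of the deepest matching rule, or None.
    Rules without if_sid are tried first; a rule's children are tried only
    after that rule itself fired, which is what if_sid expresses."""
    fields = flatten(json.loads(raw_event))
    result = None
    candidates = [rid for rid, r in rules.items() if not r["parents"]]
    while candidates:
        hit = next((rid for rid in candidates if fields_match(rules[rid], fields)), None)
        if hit is None:
            break
        result = (hit, rules[hit]["level"])
        candidates = [rid for rid, r in rules.items() if hit in r["parents"]]
    return result


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for event in (make_event(25), make_event(25, "ERROR"), make_event(39)):
        print(evaluate(rules, event))
```

A result of ("900000", 0) means the template matched and no child did; Wazuh raises no alert for a level 0 rule, so an event that stops there is visible as a match without an alert. The real engine also honours <category> and <decoded_as> and uses its own regex dialect, so treat this as a check of the chain's logic, not a substitute for running the captured JSON through wazuh-logtest.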

Manuel Jose Cano Rojo

Nov 29, 2024, 10:47:55 AM
to Wazuh | Mailing List
Hi Zero Two!

I'm sorry for not getting back to you sooner.

You can try to debug this scenario. As you can see in the official documentation, the archives files store the logs the manager receives from the agents. You can get a received log from the agent and check whether the logs are arriving at the manager from the Windows agents. Once you get a JSON log, you can test it and the rules you have created with the logtest tool on the manager side.

Before testing it, make sure you modify the rule you expected to be fired, adding the <decoded_as>json</decoded_as> config block.

Remember to restart the manager once you have done the mentioned modifications. Once it has been done, you can use the wazuh-logtest tool to check if the selected JSON log fires the rule.

Hope it helps!

Regards,

Manuel.

Zero Two

Dec 11, 2024, 11:14:01 AM
to Manuel Jose Cano Rojo, Wazuh | Mailing List
Manuel:

My turn to apologize for a late response. 

I did as you suggested and found that Rule 900000 catches a certain log with eventID 25. However, rule 900005 should then be invoked, assigning level "6". Unfortunately, once rule 900000 is invoked, it stops processing, so I believe there is an issue with how my rules are configured. Mind taking another look? I believe I am failing at the "logic" portion of the rule. Thank you!


<!--
  -  Rules config for Microsoft-Windows-TerminalServices
  -  Author: Matthew Smith.
  -  Updated by:
  -  Copyright (C) 2024, Matthew Smith

-->

<group name="Windows-TerminalServices,">
  <rule id="900000" level="0">
    <category>windows</category>
<!--    <decoded_as>json</decoded_as> -->
    <field name="win.system.eventID">25</field>
  </rule>
</group>
To view this discussion visit https://groups.google.com/d/msgid/wazuh/06aeff50-c858-4f24-8c45-3b351e4b8a24n%40googlegroups.com.

Manuel Jose Cano Rojo

Dec 13, 2024, 10:14:50 AM
to Wazuh | Mailing List
Hi Zero Two!

The rule 900005 you are using is missing some regex characters. By default the regex syntax used is OS_Regex; have a look at our related documentation to see the supported expressions.

Hope it helps!

Regards,

Manuel.

Zero Two

Dec 23, 2024, 2:20:03 PM
to Wazuh | Mailing List
I was afraid you would say that. That was a typo on my part, meaning the "^" and the "$" were present in the ruleset, just not when I pasted it into this conversation. It appears that Rule 900000 matches but then Wazuh does not attempt to match against the "child" rules.