On OSSEC 2.8.3 I am trying to get alerts only for RDP authentications from Windows agents.
These events are shown in the client's event log Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational, for example with event ID 1149.
I have in my Windows agent's conf file
<localfile>
  <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
On the server in my local_rules.xml I have
<group name="rdesktop">
  <rule id="100888" level="1">
    <match>Remote Desktop Services</match>
    <description>Remote Desktop Connection Established</description>
  </rule>
</group>
I get no messages from the remote client (which does send alerts if I use Security).
I see some traffic from client to server with tcpdump if I generate 1149 logon events,
but there is no evidence of them, even with
<logall>yes</logall>
on the OSSEC server.
Can anyone share some insight?
Many thanks, g.
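An added check, not part of the original post and not OSSEC's own tooling: before tuning the rule, confirm on the Windows agent that the channel actually holds event 1149 and look at its rendered message text, because an OSSEC `<match>` string has to appear in the text the agent forwards. It assumes PowerShell 3 or later, that the channel is enabled, and that at least one RDP logon has been made since it was enabled.

```powershell
# Added example (not from the original post): inspect event 1149 on the Windows agent.
$channel = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'

# Pull the most recent 1149 events ("User authentication succeeded") from the channel.
$events = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = 1149 } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue

if (-not $events) {
    # No events: either nothing logged on over RDP yet, or the channel is disabled.
    # 'wevtutil gl' prints the channel configuration, including 'enabled: true/false'.
    Write-Warning "No event 1149 found in '$channel'. Generate an RDP logon and re-run; check the channel with: wevtutil gl `"$channel`""
    return
}

foreach ($e in $events) {
    # Message is the fully rendered text; this is what a <match> pattern has to hit.
    [PSCustomObject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Message = ($e.Message -replace '\s+', ' ')
    }
}

# Try the rule's <match> string (a literal substring in OSSEC) against the rendered messages.
$pattern = 'Remote Desktop Services'
$hits = @($events | Where-Object { $_.Message -match [regex]::Escape($pattern) })
"{0} of {1} event(s) contain the match string '{2}'" -f $hits.Count, $events.Count, $pattern
```

If the events are present here but nothing reaches the server, the problem is upstream of the rule; with `<logall>yes</logall>` every received line should show up in `logs/archives/archives.log` on the server, and a line copied from there can be fed to `/var/ossec/bin/ossec-logtest` to see which decoder and rule it hits.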