Hello everybody,
I am currently looking at deploying Snare on Windows 2008 servers.
Those servers have some additional terminal server logs (which, e.g., record Event ID 1149, which indicates RDP connections without login).
Unfortunately those events are logged in a dedicated terminal server log of Windows.
Snare currently does not offer to select this log for forwarding.
How can one forward e.g. Event ID 1149?
What Snare configuration is required?
Thanks in advance for your support!
Mike
Hi, these logs are in a custom Windows event log. The feature to monitor custom Windows event logs is in the enterprise agent and not the open-source agent. If you are interested you can send a request to intersect@intersectalliance.com.
Regards,
Steve
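As an added example (not part of the original thread, and not Snare's own configuration, which the open-source agent does not expose for this log per the reply above), here is how to read the custom channel with the tooling that ships on the server itself. It assumes the "dedicated terminal server log" is the channel Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational and that Event ID 1149 carries the user, domain and source network address as Param1, Param2 and Param3 in its UserData XML; both are assumptions from the event's template, not facts stated on the page. One caveat worth keeping in mind when alerting on it: 1149 records that the RDP listener accepted a connection (with Network Level Authentication, after the network-level credential check succeeded), not that an interactive session was opened, so correlate it with a Security-log 4624 with logon type 10 before treating it as a completed logon.

```powershell
# Added example: parse and query Event ID 1149 from the Terminal Services Operational channel.
# Not code from the original thread and not Snare's configuration. Assumptions: the channel
# name below, and the Param1/Param2/Param3 layout of the 1149 UserData XML. Written for the
# PowerShell 2.0 that ships with Windows Server 2008 (New-Object PSObject, Mandatory=$true).

$RdpLog = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'

function ConvertFrom-Rdp1149Xml {
    # Turn one event's XML (as returned by EventLogRecord.ToXml()) into a flat object.
    param([Parameter(Mandatory=$true)][string]$EventXml)

    [xml]$doc = $EventXml
    $sys  = $doc.Event.System
    $data = $doc.Event.UserData.EventXML   # PowerShell's XML adapter ignores the Event_NS namespace here

    New-Object PSObject -Property @{
        TimeCreated   = [datetime]$sys.TimeCreated.SystemTime
        Computer      = $sys.Computer
        EventId       = [int]$doc.SelectSingleNode('//*[local-name()="EventID"]').InnerText
        User          = $data.Param1
        Domain        = $data.Param2
        SourceAddress = $data.Param3
    }
}

function Test-PrivateIPv4 {
    # RFC 1918 ranges and loopback; a 1149 from any other source on an internal
    # terminal server deserves a second look.
    param([string]$Address)
    return [bool]($Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)')
}

function Get-Rdp1149Event {
    # Query the live channel. Requires the Terminal Services / RDS role (the channel does
    # not exist on a plain workstation) and read access to the Operational log.
    param(
        [int]$MaxEvents = 100,
        [string]$ComputerName = $null,   # optional: query a remote server
        [switch]$ExternalOnly            # keep only non-RFC1918 source addresses
    )
    $params = @{
        FilterHashtable = @{ LogName = $RdpLog; Id = 1149 }
        MaxEvents       = $MaxEvents
        ErrorAction     = 'SilentlyContinue'   # Get-WinEvent errors on "No events were found"; treat as empty
    }
    if ($ComputerName) { $params['ComputerName'] = $ComputerName }

    Get-WinEvent @params |
        ForEach-Object { ConvertFrom-Rdp1149Xml -EventXml $_.ToXml() } |
        Where-Object { -not $ExternalOnly -or -not (Test-PrivateIPv4 $_.SourceAddress) }
}

# Constructed sample event (not captured from a real server) so the parser can be tried offline.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" />
    <EventID>1149</EventID>
    <TimeCreated SystemTime="2024-01-15T08:12:33.1234567Z" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel>
    <Computer>TS01.example.local</Computer>
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <Param1>jdoe</Param1>
      <Param2>EXAMPLE</Param2>
      <Param3>203.0.113.5</Param3>
    </EventXML>
  </UserData>
</Event>
'@

$parsed = ConvertFrom-Rdp1149Xml -EventXml $sampleXml
$parsed | Format-List TimeCreated, Computer, User, Domain, SourceAddress
"External source: $(-not (Test-PrivateIPv4 $parsed.SourceAddress))"   # 203.0.113.5 is TEST-NET, so True

# On a terminal server, pull the most recent connections and flag non-RFC1918 sources:
# Get-Rdp1149Event -MaxEvents 50 -ExternalOnly | Format-Table TimeCreated, User, Domain, SourceAddress -AutoSize
```

The same channel can also be exported without PowerShell using `wevtutil qe` with the channel name and `/q:"*[System[EventID=1149]]"`, which is handy for a quick check on a server where scripting is locked down; forwarding it continuously to a collector still needs an agent that can subscribe to custom channels, as the reply above says.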
Thanks for the quick response, Steve (although I had hoped that the community version could also do the same).