Cheshire Cat Computing • View topic

Board index » Software Support » Nagios: Windows EventLog agent

All times are UTC + 12 hours [ DST ]

Filter RDP access

Page 1 of 1

[ 4 posts ]

Print view

Previous topic | Next topic

Author

Message

zygolux

Post subject: Filter RDP access

Posted: Wed Apr 29, 2009 3:22 am

User

Joined: Wed Apr 29, 2009 2:59 am
Posts: 2
Location: Luxembourg

Hi all,

I would like to filter RDP accesses on some servers. It worked pretty well until I found that RDP and Citrix accesses are almost recorded the same way in the event log :oops:

- except the IP

So, I read dozen of pages on regexp, but I am still not able to achieve what I want ...

I would like to filter Audit Sucess with event ID 528 - no problem there.
Plus I added the following regexp in the field "Match string (regexp)": .*Logon.*Type.*10.*(?!(127.0.0.1)).*
My understanding (which is for sure wrong as it does not work) is: keep strings where there is something, then the word "Logon", then something, then "Type", then something, then "10" then something which does not contains 127.0.0.1.
I tried as well :.*Logon.*Type.*10.*(?!(.*127.0.0.1.*)).* - Same result

Actually I would to filter all messages containing "Logon Type:10" but not "127.0.0.1".
What I got so far is all messages containing "Logon Type:10". The negative string seems to be ignored.

Any help will be appreciated

Julien.

Top

stevesh

Post subject: Re: Filter RDP access

Posted: Wed Apr 29, 2009 11:15 am

Site Admin

Joined: Tue Jul 29, 2003 11:42 am
Posts: 3039
Location: Auckland, New Zealand

Nope, thats not a valid regexp. '.*' matches anything, but '?!' is not valid (I think it may be an extended regexp but not 'standard' regexp)

Here's one way to do it, using 2 filters

Make the first filter match

eventid: 528
regexp: Logon.*Type.*10.*127\.0\.0\.1

and have an action of 'None' (IE dont send any alert). The next filter matches

eventid: 528
regexp: Logon.*Type.*10

and sends the alert. Therefore, if it is a 127.0.0.1 message, the first filter matches, and nothing is done. Otherwise, it will fall through to the second filter and match that.

Remember only the FIRST matching filter is actioned, and v1.9.1 allows the 'none' target, so it should work...

_________________
Steve Shipway
UNIX Systems, ITSS, University of Auckland, NZ
Woe unto them that rise up early in the morning... -- Isaiah 5:11

Top

zygolux

Post subject: Re: Filter RDP access

Posted: Wed Apr 29, 2009 9:50 pm

User

Joined: Wed Apr 29, 2009 2:59 am
Posts: 2
Location: Luxembourg

Thanks a lot for the help.
I installed 1.9.2 version as I previously ran 1.8.3 and created the filters like you suggested.
Now, I understand better the way filters work and how they are processed

When you say action "none", I assume it means "Service Status= (4) ignore", right ?

Top

stevesh

Post subject: Re: Filter RDP access

Posted: Thu Apr 30, 2009 10:48 am

Site Admin

Joined: Tue Jul 29, 2003 11:42 am
Posts: 3039
Location: Auckland, New Zealand

_________________
Steve Shipway
UNIX Systems, ITSS, University of Auckland, NZ
Woe unto them that rise up early in the morning... -- Isaiah 5:11

Top

Page 1 of 1

[ 4 posts ]

Board index » Software Support » Nagios: Windows EventLog agent

All times are UTC + 12 hours [ DST ]

Who is online

Users browsing this forum: No registered users and 1 guest

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to: