Work with Custom Views / VNC Server #103

Closed
P-a-d-r-a-i-g opened this issue Sep 5, 2022 · 1 comment
Labels
not reproducable issue cant be reproduced, or question needed for reproduction have not been answered for a while

Comments


P-a-d-r-a-i-g commented Sep 5, 2022

Hi,

I'm looking to implement this for VNC Server for failed logins.

The entry appears in "Application" log, with source "VNC Server", but can be missed sometimes due to timings.

The following is the invalid attempt text:

Connections: disconnected: 123.123.123.123::2258 (UDP) ([AuthFailure] Either the username was not recognised, or the password was incorrect)

The following is the invalid attempt XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="VNC Server" />
    <EventID Qualifiers="0">256</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2022-09-05T15:04:44.5293014Z" />
    <EventRecordID>72665</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>TestPC2</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Connections</Data>
    <Data>disconnected: 123.123.123.123::2258 (UDP) ([AuthFailure] Either the username was not recognised, or the password was incorrect)</Data>
  </EventData>
</Event>

When I create a filter with the following it works fine, but ...

<EventPath>Application</EventPath>
<RegexBoosters>
    <Booster>[AuthFailure]</Booster>
</RegexBoosters>
<!-- dots escaped so "." matches a literal dot and \d+ requires at least one digit per octet;
     the original \d*.\d*.\d*.\d* could capture non-address text after "disconnected: " -->
<Regex>disconnected: (\d+\.\d+\.\d+\.\d+)</Regex>

... but ... the "Application" log can get filled up too quickly and the EvlWatcher service can miss the unauthorised attempts.

I have created a "VNC Server" custom view under the "Custom View" tab of the Event Viewer but can't seem to make it work with the EvlWatcher service. There is no other place but for "Application" where this is logged.

How can I manage this one?
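As an added illustration (not code from EvlWatcher or from the issue author), here is a Python re-implementation of the filter above run over constructed events shaped like the one quoted, plus the time-window scan the maintainer describes in the reply. It assumes the booster is checked as a literal substring before the regex runs; the event XML samples are constructed, not real log data.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
BOOSTER = "[AuthFailure]"  # the issue's <Booster>; assumed here to be a literal substring pre-check
REGEX = re.compile(r"disconnected: (\d+\.\d+\.\d+\.\d+)")  # the issue's <Regex> with the dots escaped

def _event(provider, when, text):
    """Build a minimal Windows event XML record (constructed test data, not real logs)."""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<TimeCreated SystemTime="{when}"/><Channel>Application</Channel>'
            f'</System><EventData><Data>Connections</Data><Data>{text}</Data>'
            '</EventData></Event>')

SAMPLE_EVENTS = [  # the quoted AuthFailure line, a benign disconnect, another provider, an older failure
    _event("VNC Server", "2022-09-05T15:04:44.5293014Z", "disconnected: 123.123.123.123::2258 "
           "(UDP) ([AuthFailure] Either the username was not recognised, or the password was incorrect)"),
    _event("VNC Server", "2022-09-05T15:03:10.0000000Z", "disconnected: 10.0.0.5::1234 (TCP) (client closed)"),
    _event("Other App", "2022-09-05T15:04:50.0000000Z", "disconnected: 9.9.9.9 [AuthFailure] not VNC"),
    _event("VNC Server", "2022-09-05T14:00:00.0000000Z", "disconnected: 198.51.100.7::4000 (UDP) ([AuthFailure] bad password)"),
]

def parse_event(xml_text):
    """Return (provider, aware UTC timestamp, joined EventData text) for one event record."""
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    stamp = re.sub(r"(\.\d{6})\d*Z$", r"\1+00:00", stamp)  # Windows writes 7 fractional digits; keep 6
    text = " ".join(d.text or "" for d in root.findall("e:EventData/e:Data", NS))
    return provider, datetime.fromisoformat(stamp), text

def offender_ip(xml_text, provider="VNC Server"):
    """The issue's filter: right provider, booster present, then the IP-capturing regex."""
    prov, _, text = parse_event(xml_text)
    if prov != provider or BOOSTER not in text:
        return None
    m = REGEX.search(text)
    return m.group(1) if m else None

def scan_window(events, now, window_minutes=30):
    """Time-window scan rather than a count-based one: every matching event whose
    TimeCreated lies within the window before `now` is collected, whatever else was logged."""
    hits = []
    for xml_text in events:
        _, when, _ = parse_event(xml_text)
        ip = offender_ip(xml_text)
        if ip and now - timedelta(minutes=window_minutes) <= when <= now:
            hits.append(ip)
    return hits
```

Widening the window picks up the older failure as well, which is the behaviour to compare against a scan that only looks at the most recent N entries.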

@devnulli devnulli self-assigned this Dec 2, 2022
@devnulli devnulli added the question thats a question label Dec 2, 2022
devnulli (Owner) commented Dec 2, 2022

Hi,
as I understand the mechanics of the .NET EventLogReader and the Microsoft event log, EvlWatcherService should not miss log entries, because it scans back by a time window, regardless of the event count.

Maybe, if you have an unusually high influx of Application log entries, the .NET EventLogReader would skip out on that.
Can you (if your question is still relevant, please excuse the slow response time) be more detailed (how many entries between attempt and check), so I can try to reproduce that situation?

Regards,
Mike

@devnulli devnulli added the waiting this issue is blocked and is waiting for a reply or clarification by the issuer (or be closed in 1m) label Dec 2, 2022
@devnulli devnulli removed their assignment Dec 2, 2022
@devnulli devnulli linked a pull request Dec 2, 2022 that will close this issue
@devnulli devnulli added not reproducable issue cant be reproduced, or question needed for reproduction have not been answered for a while and removed question thats a question waiting this issue is blocked and is waiting for a reply or clarification by the issuer (or be closed in 1m) labels Nov 11, 2023