LabTech Support Forums

RDP Attack detection

This forum is for discussion of monitor related issues.

Moderator: jware.connectwise


Postby charlesa.infinitesys » Wed Jul 20, 2016 11:54 am

Hello,

Labtech support said they don't use h_eventlogs anymore. I'm trying to update this monitor: viewtopic.php?f=101&t=17840#/

I know how to create a custom monitor to look for an event id in the eventlogs table and I believe I have the straight SQL working for the sqlyog.

SELECT computerid,eventid, COUNT(*) FROM eventlogs WHERE logname = 'Security' AND eventid = '4625' GROUP BY computerid HAVING COUNT(*) > 5;


But I'm struggling to get it to work in the monitor.

table: eventlogs
field: eventid
check condition: equals
result: 4625
identity field: message (though this might need to be something else)

additional condition:

select eventlogs.computerid group by eventlogs.computerid HAVING COUNT(*) > 5;

--

I am still a beginner at SQL and at creating monitors; I was wondering if anyone could help point me in the right direction.

Thanks
charlesa.infinitesys
Newbie
 
Posts: 34
Joined: Thu Oct 17, 2013 12:43 pm
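An added, self-contained MySQL example of the detection the post is after (it is not code from the post or from LabTech): it builds a small constructed stand-in for the eventlogs table, then counts Security-log 4625 events per computer inside a recent time window, which is what a brute-force RDP monitor needs rather than an all-time count. The column names computerid, eventid, logname, message and timegen, the 1-hour window and the 5-failure threshold are assumptions; check them against your own eventlogs schema.

```sql
-- Constructed stand-in for the LabTech eventlogs table (only the columns this check needs).
-- The real table has more columns; timegen is assumed to be the event timestamp.
CREATE TEMPORARY TABLE eventlogs_sample (
    computerid INT         NOT NULL,
    logname    VARCHAR(32) NOT NULL,
    eventid    INT         NOT NULL,
    timegen    DATETIME    NOT NULL,
    message    TEXT
);

-- Constructed sample data: computer 7 shows a burst of failed logons inside the window,
-- computer 9 only a couple, and one old failure on computer 7 falls outside the window.
INSERT INTO eventlogs_sample (computerid, logname, eventid, timegen, message) VALUES
  (7, 'Security', 4625, NOW() - INTERVAL 6 MINUTE, 'An account failed to log on. Logon Type: 10'),
  (7, 'Security', 4625, NOW() - INTERVAL 5 MINUTE, 'An account failed to log on. Logon Type: 10'),
  (7, 'Security', 4625, NOW() - INTERVAL 4 MINUTE, 'An account failed to log on. Logon Type: 10'),
  (7, 'Security', 4625, NOW() - INTERVAL 3 MINUTE, 'An account failed to log on. Logon Type: 10'),
  (7, 'Security', 4625, NOW() - INTERVAL 2 MINUTE, 'An account failed to log on. Logon Type: 10'),
  (7, 'Security', 4625, NOW() - INTERVAL 1 MINUTE, 'An account failed to log on. Logon Type: 10'),
  (9, 'Security', 4625, NOW() - INTERVAL 2 MINUTE, 'An account failed to log on. Logon Type: 3'),
  (9, 'Security', 4624, NOW() - INTERVAL 1 MINUTE, 'An account was successfully logged on.'),
  (7, 'Security', 4625, NOW() - INTERVAL 3 HOUR,   'An account failed to log on. Logon Type: 10');

-- Detection: more than 5 failed logons (event 4625) per computer in the last hour.
-- Grouping by eventid as well as computerid keeps the select list valid under ONLY_FULL_GROUP_BY,
-- and first_seen/last_seen give the responder the burst's time span without a second query.
-- To restrict to RDP you could additionally match the Logon Type in message (10 = RemoteInteractive);
-- note that with NLA enabled, failed RDP attempts are commonly recorded as Logon Type 3 instead.
SELECT computerid,
       eventid,
       COUNT(*)     AS failures,
       MIN(timegen) AS first_seen,
       MAX(timegen) AS last_seen
FROM   eventlogs_sample
WHERE  logname = 'Security'
  AND  eventid = 4625
  AND  timegen >= NOW() - INTERVAL 1 HOUR
GROUP  BY computerid, eventid
HAVING COUNT(*) > 5;
-- Expected: one row, computerid 7 with failures = 6 (computer 9 has 1, the 3-hour-old row is excluded).
```

In a LabTech monitor the time window and the GROUP BY/HAVING clause are what belong in the additional condition, so the monitor alerts once per computer per burst instead of once per matching row.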
