
A couple feature requests

Open MadCowChicken opened this issue 2 years ago • 3 comments

Part 1

Feature request: Global config file settings for:

  • LockTime
  • EventAge
  • TriggerCount
  • PermaBanCount

Then for each type of event (RDP, SSH, FTP etc...) the same four XML elements can be present, and global settings used if they are empty.

Part 2

Also, how does the EvlWatcher Windows service work? Does it pull all Windows Security events within EventAge every time it polls the Windows Security Event Log? Or does it only do that when the service starts, and after that it only pulls events that have been created since the last polling, aggregating across multiple pollings, and dropping events if they are older than EventAge? I ask because if someone set EventAge to 10 hours expecting it to do the latter, they would probably use a different value like 10 minutes if they knew it did the former. I recommend explaining clearly how the service works in the config file.

MadCowChicken avatar Mar 27 '22 17:03 MadCowChicken
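
The fallback requested in Part 1, sketched as an added example (not EvlWatcher's code and not part of the original post). Only the four setting names come from the issue; the `<Config>`/`<Global>`/`<Task>` layout, the `Name` attribute, the function names and every value are assumptions.

```python
import xml.etree.ElementTree as ET

SETTINGS = ("LockTime", "EventAge", "TriggerCount", "PermaBanCount")

# Constructed sample config: hypothetical layout, constructed values.
SAMPLE = """
<Config>
  <Global>
    <LockTime>3600</LockTime>
    <EventAge>120</EventAge>
    <TriggerCount>5</TriggerCount>
    <PermaBanCount>3</PermaBanCount>
  </Global>
  <Task Name="RDP">
    <TriggerCount>3</TriggerCount>
    <EventAge></EventAge>
  </Task>
  <Task Name="SSH">
    <LockTime> 7200 </LockTime>
    <PermaBanCount/>
  </Task>
</Config>
"""

def _value(parent, name):
    """Integer value of a child element; None if it is missing or empty."""
    text = (parent.findtext(name) or "").strip() if parent is not None else ""
    if not text:
        return None
    value = int(text)  # non-numeric text raises ValueError
    if value <= 0:
        raise ValueError(f"{name} must be positive, got {value}")
    return value

def effective_settings(xml_text):
    """Resolve each task's four settings, falling back to <Global>."""
    root = ET.fromstring(xml_text)
    global_node = root.find("Global")
    result = {}
    for task in root.findall("Task"):
        resolved = {}
        for name in SETTINGS:
            value = _value(task, name)
            if value is None:  # absent or empty: use the global setting
                value = _value(global_node, name)
            if value is None:  # fail closed instead of guessing a default
                raise ValueError(f"{name} unset for {task.get('Name')} and globally")
            resolved[name] = value
        result[task.get("Name")] = resolved
    return result
```

Raising when a setting is unset at both levels keeps a misconfigured task from silently running with no threshold.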

ad Part 2: changed the comment in the config.xml so that it now states:

image

devnulli avatar Mar 29 '22 19:03 devnulli

ad Part 1:

that will be implemented, as it is also how fail2ban does it (iirc)

devnulli avatar Mar 29 '22 19:03 devnulli

reopened for part 1

devnulli avatar Apr 14 '22 19:04 devnulli