Logging Windows EventLog and notification system for administrators
16 March 2011, 12:54
Some time ago (three years, in fact), while looking for a way to export the Windows EventLog, I found a convenient way to audit the various events that occur on a server.

Microsoft, with its "good" technology, has made Windows practically incompatible with standard system event logging (syslog), but left a small loophole that can be used.
The loophole is the combination of SNMP traps with evntwin, the system's program for exporting events as traps.

For this combination to work you need a configured snmptrapd, as well as the SNMP service enabled on the Windows server (added via "Add/Remove Features").

The first step is to configure the server to which the EventLog messages will be sent.

After the service is configured, run evntwin.exe
technet.microsoft.com/en-us/library/cc759390%28WS.10%29.aspx
It looks like the following screenshot.

Using evntwin is simple: you select the categories and event codes you are interested in and add them to the list. When such an event occurs, the message is saved in the EventLog as usual and is also sent as a trap to the monitoring server.

On the monitoring server, add the handler lines to snmptrapd.conf:

authCommunity log,execute public
format1 Trap from %B
format2 Trap from %B
traphandle default /usr/local/etc/trapd.pl


I wrote the handler itself in Perl; the code is available at the link trapd.pl (do not copy-paste the highlighted code from the post, better take the link). It parses the incoming trap messages and generates an e-mail to the administrators.

#!/usr/bin/perl
use strict;
use warnings;
use Net::SMTP;

# Trap handler for snmptrapd: reads one trap from STDIN, appends it to a log
# file and mails the event text to the administrators.
my ($trap, $error, @arrout);

# snmptrapd passes the trap on stdin: hostname, source address, then varbinds
my @indata = <STDIN>;
$trap->{hostname} = shift(@indata);
$trap->{source}   = shift(@indata);
$trap->{uptime}   = shift(@indata);
(undef, $trap->{uptime}) = split(/ /, $trap->{uptime}, 2);
$trap->{oid} = shift(@indata);
open OUT, ">>/var/log/snmptrapd.log" or die "cannot open log: $!";
chomp($trap->{hostname});
chomp($trap->{source});
chomp($trap->{uptime});
chomp($trap->{oid});
print OUT "Hostname: $trap->{hostname}\n";
print OUT "Source: $trap->{source}\n";
print OUT "Uptime: $trap->{uptime}\n";
# keep only the last numeric component of the trap OID
$trap->{oid} =~ s/(.*)\.(\d+)$/$2/g;
print OUT "OID: $trap->{oid}\n";
my $str = join("", @indata);
$str =~ s/\t+|\r+|\"//g;    # strip tabs, carriage returns and quotes
$str =~ s/\n+/\n/g;         # collapse blank lines
# the event text follows the evntwin enterprise OID varbind
my @data = split(/SNMPv2\-SMI\:\:enterprises\.311\.1\.13\.1\.9999\.\d+\.\s/, $str);
undef $error;
my $part = $data[1];
my @str = split(/\n/, $part);
$trap->{subject} = $str[0];    # first line of the event text, e.g. "Logon Failure:"
$trap->{subject} =~ s/\:$//;
$error  = "Hostname: $trap->{hostname}\n";
$error .= "Source: $trap->{source}\n\n";
foreach my $line (@str)
  {
  # skip fields whose value is "-" (empty once the tabs are stripped)
  if ($line =~ /^(.*)\:\-/)
    {
    next;
    }
  else
    {
    push(@arrout, $line);
    }
  }
$error .= join("\n", @arrout);
print OUT @data, "\n";

mail_send();
close OUT;

exit();

sub mail_send
{
  my $smtp = Net::SMTP->new('localhost');
  $smtp->mail('security@nagios.mydomain.ru');
  $smtp->to('account_admin@mydomain.ru');
  $smtp->data();
  $smtp->datasend("To: account_admin\@mydomain.ru\n");
  $smtp->datasend("Subject: $trap->{subject}\n");
  $smtp->datasend("\n");
  $smtp->datasend($error);
  $smtp->dataend();
  $smtp->quit;
}
As a result we now get e-mails like these:
Hostname: bdc.mydoman.ru
Source: UDP: [192.168.0.3]:1081

Change Password Attempt:
Target Account Name: pupkin_v
Target Domain: MYDOM
Target Account ID: %{S-1-5-21-1191404879-1933194844-817656539-2675}
Caller User Name: pupkin_v
Caller Domain: MYDOM
Caller Logon ID: (0x0, 0x39B1BD)

Hostname: sadc.mydomain.ru
Source: UDP: [192.168.0.4]:1074

User Account Locked Out:
Target Account Name: ivanov_v
Target Account ID: %{S-1-5-21-1191404879-1933194844-817656539-5229}
Caller Machine Name: MX
Caller User Name: SADC$
Caller Domain: MYDOM
Caller Logon ID: (0x0, 0x3E7)

Hostname: sadc.mydomain.ru
Source: UDP: [192.168.0.4]:1072

Logon Failure:
Reason: Unknown user name or bad password
User Name: Popov_V
Domain: MYDOM
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SADC
Caller User Name: SADC$
Caller Domain: MYDOM
Caller Logon ID: (0x0, 0x3E7)
Caller Process ID: 580
Source Network Address: 192.168.0.20
Source Port: 36018
Since we subscribed only to the events that interest us, we do not see the rest of the system noise from the EventLog.

This system is very useful during virus epidemics such as Kido, when you cannot work out where the worm is spreading from or from where system passwords are being brute-forced, because the Logon Failure events and the name of the machine from which the unsuccessful attempt came are clearly visible.
Good luck with your work.
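The two pieces above, the traphandle input that the Perl script parses and the failed-logon picture the post relies on during brute-force episodes, as an added example in Python (this is not the post's trapd.pl, nor Net-SNMP or Microsoft code). It assumes the stdin layout snmptrapd gives a traphandle (hostname, transport address, then one "OID value" line per varbind) and takes the evntwin OID prefix from the regex in the Perl handler; the event id 4242, the field layout and the hosts and addresses in the sample traps are constructed to match the e-mails shown above. Unlike the Perl, it rejects a trap with no evntwin varbind instead of mailing an empty body, and it counts Logon Failure events per source address and account so that repeated failures from one machine stand out.

```python
import re
from collections import Counter

# OID prefix under which evntwin sends the event text (taken from the regex in
# the page's Perl handler). All sample data below is constructed.
EVNTWIN_OID = "SNMPv2-SMI::enterprises.311.1.13.1.9999"
UPTIME_OID = "DISMAN-EVENT-MIB::sysUpTimeInstance"
TRAP_OID = "SNMPv2-MIB::snmpTrapOID.0"

# A varbind line starts with "MODULE::name[.sub...]" followed by its value.
VARBIND_RE = re.compile(r"^([A-Za-z0-9-]+::[\w.]+)\s*(.*)$")


class TrapFormatError(ValueError):
    """stdin did not carry an evntwin event trap."""


def split_varbinds(lines):
    """Group body lines into (oid, value) pairs; a value may run over several
    lines, as the quoted evntwin event text does."""
    varbinds = []
    for line in lines:
        m = VARBIND_RE.match(line)
        if m:
            varbinds.append([m.group(1), m.group(2)])
        elif varbinds:
            varbinds[-1][1] += "\n" + line
    return [(oid, value.strip()) for oid, value in varbinds]


def parse_trap(raw):
    """Parse what snmptrapd hands a traphandle on stdin: hostname, transport
    address, then one line per varbind. Tabs, CRs and quotes are stripped
    first, as the Perl handler does."""
    lines = raw.replace("\t", "").replace("\r", "").replace('"', "").split("\n")
    if len(lines) < 2:
        raise TrapFormatError("need at least hostname and source lines")
    trap = {"hostname": lines[0].strip(), "source": lines[1].strip(),
            "uptime": None, "trap_oid": None, "event_id": None}
    event_text = None
    for oid, value in split_varbinds(lines[2:]):
        if oid == UPTIME_OID:
            trap["uptime"] = value
        elif oid == TRAP_OID:
            trap["trap_oid"] = value
            trap["event_id"] = value.rsplit(".", 1)[-1]  # last component, like the Perl
        elif oid.startswith(EVNTWIN_OID) and event_text is None:
            event_text = value
    if event_text is None:
        raise TrapFormatError("no %s varbind: not an evntwin trap" % EVNTWIN_OID)
    text_lines = [l for l in event_text.split("\n") if l.strip()]
    trap["subject"] = text_lines[0].rstrip(":")
    fields = {}
    for line in text_lines[1:]:
        key, sep, value = line.partition(":")
        if not sep or value.strip() == "-":  # drop empty "-" fields, like the Perl
            continue
        fields[key.strip()] = value.strip()
    trap["fields"] = fields
    return trap


def format_mail(trap):
    """Body in the same layout as the e-mails shown in the post."""
    body = ["Hostname: " + trap["hostname"], "Source: " + trap["source"], "",
            trap["subject"] + ":"]
    body += ["%s: %s" % kv for kv in trap["fields"].items()]
    return "\n".join(body)


def failed_logons_by_source(traps, threshold):
    """Count Logon Failure traps per (source address, user name); return the
    pairs that reach the threshold."""
    counts = Counter()
    for trap in traps:
        if trap["subject"] != "Logon Failure":
            continue
        f = trap["fields"]
        counts[(f.get("Source Network Address", "?"), f.get("User Name", "?"))] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def analyse(raw_traps, threshold=2):
    """Parse every trap, count rejects, and flag repeated failed logons."""
    parsed, rejected = [], 0
    for raw in raw_traps:
        try:
            parsed.append(parse_trap(raw))
        except TrapFormatError:
            rejected += 1
    return parsed, rejected, failed_logons_by_source(parsed, threshold)


def logon_failure_trap(host, addr, port, user, src_addr):
    """Constructed traphandle input; event id 4242 is a placeholder."""
    return (f"{host}\nUDP: [{addr}]:{port}\n{UPTIME_OID} 12345678\n"
            f"{TRAP_OID} {EVNTWIN_OID}.4242\n"
            f'{EVNTWIN_OID}.4242.1 "Logon Failure:\n'
            "\tReason:\tUnknown user name or bad password\n"
            f"\tUser Name:\t{user}\n\tDomain:\tMYDOM\n\tLogon Type:\t3\n"
            "\tCaller Machine Name:\t-\n"
            f"\tSource Network Address:\t{src_addr}\n\tSource Port:\t36018\"\n")


SAMPLE_TRAPS = [
    logon_failure_trap("sadc.mydomain.ru", "192.168.0.4", 1072, "Popov_V", "192.168.0.20"),
    logon_failure_trap("sadc.mydomain.ru", "192.168.0.4", 1073, "Popov_V", "192.168.0.20"),
    logon_failure_trap("bdc.mydomain.ru", "192.168.0.3", 1081, "ivanov_v", "192.168.0.21"),
    # constructed non-evntwin trap: no event text, so it must be rejected
    f"router.mydomain.ru\nUDP: [192.168.0.1]:161\n{UPTIME_OID} 99\n{TRAP_OID} SNMPv2-MIB::coldStart\n",
]

if __name__ == "__main__":
    parsed, rejected, suspects = analyse(SAMPLE_TRAPS)
    for trap in parsed:
        print(format_mail(trap), end="\n\n")
    print("rejected non-evntwin traps:", rejected)
    print("repeated logon failures (source, account):", suspects)
```

Run it as a script to see the three mail bodies, the one rejected trap and the (192.168.0.20, Popov_V) pair flagged twice; in a real traphandle you would feed `sys.stdin.read()` to parse_trap and hand the result to the mail step.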

PS: a ready-made configuration with the categories shown in the screenshot is here
© Aborche 2009
Added by: w1zard