12:54 Logging Windows EventLog and a notification system for administrators
Some time ago (about three years back), while looking for a way to export the Windows EventLog, I found a convenient way to audit the various events that occur on a server. Microsoft, with its "good" technology, made Windows virtually incompatible with standard system event logging (syslog), but left a small loophole that can be used: the combination of an SNMP trap and the system's event-export program, evntwin. For the pair to work you need a configured snmptrapd on the monitoring side, plus the SNMP service enabled on the Windows server (added via "Add / Remove Features").

The first step is to configure the SNMP service with the address of the server to which EventLog messages will be sent. Once the service is configured, run evntwin.exe (http://technet.microsoft.com/en-us/library/cc759390%28WS.10%29.aspx); it looks as in the screenshot. The principle of evntwin is simple: you select the category and the event ID you are interested in and add them to the list. When such an event occurs, its message is saved in the EventLog and, at the same time, sent as a trap to the monitoring server. On the monitoring server, snmptrapd.conf needs a line that points to the handler.
I wrote the handler itself in Perl; the code can be taken from the link trapd.pl (do not copy-paste the highlighted code from the post, take it from the link). It parses the incoming trap message and generates an email to the administrators.

#!/usr/bin/perl
use strict;
use warnings;
use vars qw/$hostname $source $oid @data $trap $error/;

# snmptrapd hands the trap to the handler on stdin: hostname, transport
# address, then one "OID value" varbind per line
my @indata = (<STDIN>);
$trap->{hostname} = shift(@indata);
$trap->{source}   = shift(@indata);
$trap->{uptime}   = shift(@indata);
(undef, $trap->{uptime}) = split(/ /, $trap->{uptime}, 2);   # drop the sysUpTime OID, keep the value
$trap->{oid} = shift(@indata);

open OUT, ">>/var/log/snmptrapd.log" or die "cannot open log: $!";
chomp($trap->{hostname});
chomp($trap->{source});
chomp($trap->{uptime});
chomp($trap->{oid});
print OUT "Hostname: $trap->{hostname}\n";
print OUT "Source: $trap->{source}\n";
print OUT "Uptime: $trap->{uptime}\n";
$trap->{oid} =~ s/(.*)\.(\d+)$/$2/g;                          # keep only the last sub-identifier
print OUT "OID: $trap->{oid}\n";

# the remaining varbinds carry the event text; strip tabs, CRs and quotes,
# collapse blank lines and split at the evntwin enterprise OID
my $str = join("", @indata);
$str =~ s/\t+|\r+|\"//g;
$str =~ s/\n+/\n/g;
my @data = split(/SNMPv2\-SMI\:\:enterprises\.311\.1\.13\.1\.9999\.\d+\.\s/, $str);

undef $error;
my $part = $data[1];
my @str  = split(/\n/, $part);
$trap->{subject} = $str[0];                                   # first line of the event text is the subject
$trap->{subject} =~ s/\:$//;
$error  = "Hostname: $trap->{hostname}\n";
$error .= "Source: $trap->{source}\n\n";
my @arrout;
foreach my $line (@str) {
    if ($line =~ /^(.*)\:\-/) {                               # empty Windows field ("Name:-"), skip it
        next;
    } else {
        push(@arrout, $line);
    }
}
$error .= join("\n", @arrout);
print OUT @data, "\n";
&mail_send;
close OUT;
exit();

sub mail_send {
    use Net::SMTP;
    my $smtp = Net::SMTP->new('localhost') or die "SMTP connect failed: $!";
    $smtp->mail('security@nagios.mydomain.ru');
    $smtp->to('account_admin@mydomain.ru');
    $smtp->data();
    $smtp->datasend("To: account_admin\@mydomain.ru\n");
    $smtp->datasend("Subject: $trap->{subject}\n");
    $smtp->datasend("\n");
    $smtp->datasend($error);
    $smtp->dataend();
    $smtp->quit;
}

As a result we now get emails like these:

Hostname: bdc.mydoman.ru
Source: UDP: [192.168.0.3]:1081

Change Password Attempt:
Target Account Name: pupkin_v
Target Domain: MYDOM
Target Account ID: %{S-1-5-21-1191404879-1933194844-817656539-2675}
Caller User Name: pupkin_v
Caller Domain: MYDOM
Caller Logon ID: (0x0,0x39B1BD)

Hostname: sadc.mydomain.ru
Source: UDP: [192.168.0.4]:1074

User Account Locked Out:
Target Account Name: ivanov_v
Target Account ID: %{S-1-5-21-1191404879-1933194844-817656539-5229}
Caller Machine Name: MX
Caller User Name: SADC$
Caller Domain: MYDOM
Caller Logon ID: (0x0,0x3E7)

Hostname: sadc.mydomain.ru
Source: UDP: [192.168.0.4]:1072

Logon Failure:
Reason: Unknown user name or bad password
User Name: Popov_V
Domain: MYDOM
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SADC
Caller User Name: SADC$
Caller Domain: MYDOM
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 580
Source Network Address: 192.168.0.20
Source Port: 36018

Since we subscribed only to the events of interest, we do not see the rest of the garbage from the EventLog.
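The same handler, written here as an added Python example rather than the post's own trapd.pl, to show the two steps the Perl script performs: parsing what snmptrapd puts on a traphandle's stdin (including a quoted event text that spans several lines, which the Perl handles by joining and re-splitting) and composing the notification. The snmptrapd.conf traphandle directive and script path in the docstring, the sample trap, and the sub-identifiers after the enterprises.311.1.13.1.9999 prefix are assumptions; the mail addresses are the ones the post uses.

```python
#!/usr/bin/env python3
"""snmptrapd traphandle that turns a Windows evntwin trap into an email.
Assumed wiring in snmptrapd.conf (a standard Net-SNMP directive; path assumed):
    traphandle default /usr/local/bin/evntwin_mail.py
snmptrapd runs the script with the trap on stdin: agent hostname, transport
address, then one "OID value" varbind per line."""
import re
import sys
from email.message import EmailMessage

# OID prefix of the evntwin event-text varbind, as matched by the post's Perl
# handler; the sub-identifiers that follow it in the sample are assumed.
EVNTWIN_OID = "enterprises.311.1.13.1.9999"

# Constructed sample (not a captured trap) in the traphandle stdin layout. The
# event text arrives as one quoted string over several lines, with tab-separated
# field names and '-' for empty fields.
SAMPLE_TRAP = '''bdc.mydomain.ru
UDP: [192.168.0.3]:1081
DISMAN-EVENT-MIB::sysUpTimeInstance 12:0:02:11.33
SNMPv2-MIB::snmpTrapOID.0 SNMPv2-SMI::enterprises.311.1.13.1.9999.1.0
SNMPv2-SMI::enterprises.311.1.13.1.9999.1.0 "Change Password Attempt:
\tTarget Account Name:\tpupkin_v
\tTarget Domain:\tMYDOM
\tCaller Machine Name:\t-
\tCaller User Name:\tpupkin_v
\tCaller Logon ID:\t(0x0,0x39B1BD)"
'''


def parse_varbinds(lines):
    """Split 'OID value' lines into (oid, value) pairs, re-joining a quoted
    value that snmptrapd printed across several lines."""
    varbinds, pending = [], None
    for line in lines:
        if pending is not None:            # still inside a multi-line quoted value
            pending[1] += "\n" + line
            if line.rstrip().endswith('"'):
                varbinds.append(tuple(pending))
                pending = None
            continue
        oid, _, value = line.partition(" ")
        closed = len(value) > 1 and value.rstrip().endswith('"')
        if value.startswith('"') and not closed:
            pending = [oid, value]
        else:
            varbinds.append((oid, value))
    if pending is not None:                # unterminated quote: keep what arrived
        varbinds.append(tuple(pending))
    return varbinds


def parse_trap(text):
    """Return hostname, source, trap OID, event subject and the non-empty
    'Name: value' fields of the evntwin event text."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("trap input needs at least hostname and source lines")
    hostname, source = lines[0].strip(), lines[1].strip()
    trap_oid, event_text = None, None
    for oid, value in parse_varbinds(lines[2:]):
        if oid.endswith("snmpTrapOID.0"):
            trap_oid = value.strip()
        elif EVNTWIN_OID in oid:
            event_text = value
    if event_text is None:
        raise ValueError("no evntwin varbind in trap")
    # same cleanup as the Perl handler: drop tabs, CRs, quotes and blank lines
    rows = [r.strip() for r in re.sub(r'[\t\r"]', "", event_text).split("\n")]
    rows = [r for r in rows if r]
    subject = rows[0].rstrip(":") if rows else ""
    fields = []
    for row in rows[1:]:
        name, _, val = row.partition(":")
        if val.strip() in ("", "-"):       # empty Windows field, rendered as 'Name:-'
            continue
        fields.append((name.strip(), val.strip()))
    return {"hostname": hostname, "source": source, "trap_oid": trap_oid,
            "subject": subject, "fields": fields}


def build_alert(event, sender="security@nagios.mydomain.ru",
                recipient="account_admin@mydomain.ru"):
    """Compose the notification in the same layout as the post's emails."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    # The event text is attacker-influenced (user and workstation names), so
    # strip control characters before any of it goes into a header.
    msg["Subject"] = re.sub(r"[\x00-\x1f\x7f]", " ", event["subject"])[:200]
    body = [f"Hostname: {event['hostname']}", f"Source: {event['source']}", ""]
    body += [f"{name}: {val}" for name, val in event["fields"]]
    msg.set_content("\n".join(body) + "\n")
    return msg


if __name__ == "__main__":
    import smtplib
    alert = build_alert(parse_trap(sys.stdin.read()))
    with smtplib.SMTP("localhost") as smtp:
        smtp.send_message(alert)
```

Two things to keep in mind when deploying it: SNMPv1/v2c traps travel in clear text over UDP with the community string as the only control, so the trap path should be confined to the management network, and the handler runs with snmptrapd's privileges on input anyone who can reach that port can forge, which is why the field values are treated as untrusted text and never interpolated into a shell or a mail header unfiltered.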
This system is very useful during virus epidemics such as Kido, when you otherwise cannot tell where the worm has started to spread or which machine is brute-forcing system passwords, because the Logon Failure and the name of the machine from which the unsuccessful attempt came are clearly visible. Good luck in your work.

PS: a ready-made configuration with the categories shown in the screenshot is here.

© Aborche 2009
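The brute-force use case the post closes with, as an added example (not part of the original post): given a batch of the mailed alert bodies, group the Logon Failure events by the address the attempt came from and report sources that fail against several accounts, which is the pattern a spreading worm or a password guesser leaves and that a single email does not show. The alert bodies are constructed for the example, and the thresholds are illustrative defaults.

```python
from collections import defaultdict


def logon_failure(user, address, port, workstation="SADC"):
    """Constructed alert body in the layout the trap handler mails out."""
    return (
        "Hostname: sadc.mydomain.ru\n"
        "Source: UDP: [192.168.0.4]:1072\n\n"
        "Logon Failure:\n"
        "Reason: Unknown user name or bad password\n"
        f"User Name: {user}\nDomain: MYDOM\nLogon Type: 3\n"
        f"Workstation Name: {workstation}\n"
        f"Source Network Address: {address}\nSource Port: {port}\n"
    )


# Constructed sample: one host hammering several accounts, one user with a
# single typo from another host, and an unrelated lockout alert to be ignored.
ALERTS = [logon_failure(u, "192.168.0.20", 36000 + i)
          for i, u in enumerate(["Popov_V", "ivanov_v", "pupkin_v",
                                 "administrator", "Popov_V", "guest"])]
ALERTS.append(logon_failure("sidorov_a", "192.168.0.31", 41002, "WS31"))
ALERTS.append("Hostname: sadc.mydomain.ru\nSource: UDP: [192.168.0.4]:1074\n\n"
              "User Account Locked Out:\nTarget Account Name: ivanov_v\n"
              "Caller Machine Name: MX\n")


def parse_alert(body):
    """Return (subject, fields) for one mailed alert: the subject is the first
    bare 'Name:' line, everything else is 'Name: value'."""
    subject, fields = None, {}
    for line in body.splitlines():
        name, sep, val = line.partition(":")
        if not sep:
            continue
        name, val = name.strip(), val.strip()
        if subject is None and not val and name not in ("Hostname", "Source"):
            subject = name
        elif val:
            fields[name] = val
    return subject, fields


def failed_logon_sources(alerts, min_failures=5, min_accounts=2):
    """Group Logon Failure alerts by originating address and report those that
    look like a worm or brute-force run: many failures across several accounts.
    Falls back to the workstation name when no network address was logged."""
    per_source = defaultdict(lambda: {"count": 0, "users": set()})
    for body in alerts:
        subject, f = parse_alert(body)
        if subject != "Logon Failure":
            continue
        src = f.get("Source Network Address") or f.get("Workstation Name", "unknown")
        per_source[src]["count"] += 1
        per_source[src]["users"].add(f.get("User Name", "").lower())
    suspects = [(src, e["count"], sorted(e["users"]))
                for src, e in per_source.items()
                if e["count"] >= min_failures and len(e["users"]) >= min_accounts]
    return sorted(suspects, key=lambda s: -s[1])


if __name__ == "__main__":
    for src, count, users in failed_logon_sources(ALERTS):
        print(f"{src}: {count} failures against {', '.join(users)}")
```

In practice this runs over the alerts collected in a time window (for example, the handler appending each parsed event to a file that a cron job reads), and the two thresholds are what separate one user mistyping a password from a host trying many accounts.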