
Logging Windows EventLog and Alert System for Administrators

Some time ago (about three years), while looking for a way to export the Windows EventLog, I found a convenient way to audit the various events occurring on a server.

Microsoft, with its "good" technologies, has made Windows practically incompatible with ordinary event logging systems (syslog), but it left a small loophole that can be used.
The loophole is the combination of SNMP traps and evntwin, the program that exports system events as traps.

To use this combination you need a configured snmptrapd on the collector, plus the SNMP service enabled on the Windows server (added via "Add/Remove Windows Components").

First of all, configure the SNMP service with the address of the server to which messages from the EventLog will be sent.

Once the service is configured, run the program evntwin.exe:
technet.microsoft.com/en-us/library/cc759390%28WS.10%29.aspx
[Screenshot of the evntwin window; image not preserved]



The principle of using evntwin is simple: you pick the event source and event ID you are interested in and add them to the list. When such an event occurs, the message is saved in the EventLog as usual and at the same time "dumped" as a trap to the monitoring server.

On the monitoring server, add the community and trap handler directives to snmptrapd.conf:

  authCommunity log,execute public
  format1 Trap from %B
  format2 Trap from %B
  traphandle default /usr/local/etc/trapd.pl


The handler itself I wrote in Perl; the code is available at the link trapd.pl (it is better to take it from the link than to copy-paste the highlighted code from the post). It parses the incoming trap message and composes a letter to the administrators.

#!/usr/bin/perl
use strict;
use warnings;
use Net::SMTP;

our ($trap, $error);
my @arrout;

# snmptrapd feeds the trap to the handler on stdin:
# line 1: hostname, line 2: source address, line 3: sysUpTime,
# line 4: snmpTrapOID, then one "OID value" line per varbind.
my @indata = (<>);
$trap->{hostname} = shift(@indata);
$trap->{source}   = shift(@indata);
$trap->{uptime}   = shift(@indata);
(undef, $trap->{uptime}) = split(/ /, $trap->{uptime}, 2);
$trap->{oid}      = shift(@indata);

open(OUT, ">>/var/log/snmptrapd.log") or die "cannot open log: $!";
chomp($trap->{hostname});
chomp($trap->{source});
chomp($trap->{uptime});
chomp($trap->{oid});
print OUT "Hostname: $trap->{hostname}\n";
print OUT "Source: $trap->{source}\n";
print OUT "Uptime: $trap->{uptime}\n";
# keep only the last numeric component of the trap OID (the event number)
$trap->{oid} =~ s/(.*)\.(\d+)$/$2/g;
print OUT "OID: $trap->{oid}\n";

# the remaining varbinds carry the event text; strip tabs, CRs and quotes
my $str = join("", @indata);
$str =~ s/\t+|\r+|\"//g;
$str =~ s/\n+/\n/g;
# evntwin places the event's text under enterprises.311.1.13.1.9999.N.0
my @data = split(/SNMPv2\-SMI\:\:enterprises\.311\.1\.13\.1\.9999\.\d+\.0\s/, $str);
undef $error;
my $part = defined $data[1] ? $data[1] : '';
my @str = split(/\n/, $part);
# the first line of the event text becomes the subject (without the trailing colon)
$trap->{subject} = defined $str[0] ? $str[0] : '';
$trap->{subject} =~ s/\:$//;
$error  = "Hostname: $trap->{hostname}\n";
$error .= "Source: $trap->{source}\n\n";
foreach my $line (@str) {
    # skip lines of the form "Something:-"
    if ($line =~ /^(.*)\:\-/) {
        next;
    } else {
        push(@arrout, $line);
    }
}
$error .= join("\n", @arrout);
print OUT @data, "\n";
&mail_send;

close OUT;
exit(0);

sub mail_send {
    my $smtp = Net::SMTP->new('localhost') or die "cannot connect to SMTP: $!";
    $smtp->mail('security@nagios.mydomain.ru');
    $smtp->to('account_admin@mydomain.ru');
    $smtp->data();
    $smtp->datasend("To: account_admin\@mydomain.ru\n");
    $smtp->datasend("Subject: $trap->{subject}\n");
    $smtp->datasend("\n");
    $smtp->datasend($error);
    $smtp->dataend();
    $smtp->quit;
}

As a result, we receive nice letters like these:
Hostname: bdc.mydoman.ru
Source: UDP: [192.168.0.3]:1081

Change Password Attempt:
Target Account Name: pupkin_v
Target Domain: MYDOM
Target Account ID: %{S-1-5-21-1191404879-1933194844-817656539-2675}
Caller User Name: pupkin_v
Caller Domain: MYDOM
Caller Logon ID: (0x0,0x39B1BD)

Hostname: sadc.mydomain.ru
Source: UDP: [192.168.0.4]:1074

User Account Locked Out:
Target Account Name: ivanov_v
Target Account ID: %{S-1-5-21-1191404879-1933194844-817656539-5229}
Caller Machine Name: MX
Caller User Name: SADC$
Caller Domain: MYDOM
Caller Logon ID: (0x0,0x3E7)

Hostname: sadc.mydomain.ru
Source: UDP: [192.168.0.4]:1072

Logon Failure:
Reason: Unknown user name or bad password
User Name: Popov_V
Domain: MYDOM
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SADC
Caller User Name: SADC$
Caller Domain: MYDOM
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 580
Source Network Address: 192.168.0.20
Source Port: 36018

Since we are subscribed only to the messages that interest us, we do not see the rest of the system garbage from the EventLog.
This system is very convenient during virus outbreaks like Kido, when you cannot immediately tell where the infection is spreading from, or when account passwords are being brute-forced: the Logon Failure events are clearly visible, together with the name of the machine from which the failed attempt was made.
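As an added example (my code, not from the post or from the trapd.pl linked above), here is a trap handler in Python that does the same parsing as trapd.pl and, on top of that, counts Logon Failure events per source network address so that the brute-force case mentioned above stands out. The trap OID layout (enterprises.311.1.13.1.9999.N.0) follows the regex used in trapd.pl; the sample trap text is constructed, and the threshold of five failures is an assumed value.

```python
import re
import sys
from collections import Counter

# evntwin puts the event text into varbinds under enterprises.311.1.13.1.9999.N.0
# (the same OID pattern that trapd.pl splits on).
VARBIND_OID = re.compile(r"SNMPv2-SMI::enterprises\.311\.1\.13\.1\.9999\.\d+\.0\s")

# Constructed sample of what snmptrapd writes to the traphandle's stdin: hostname,
# source address, sysUpTime, snmpTrapOID, then one varbind per line (the string
# value of the evntwin varbind spans several lines).
SAMPLE_TRAP = (
    "sadc.mydomain.ru\n"
    "UDP: [192.168.0.4]:1072\n"
    "DISMAN-EVENT-MIB::sysUpTimeInstance 12:03:44:10.00\n"
    "SNMPv2-MIB::snmpTrapOID.0 SNMPv2-SMI::enterprises.311.1.13.1.9999.4\n"
    'SNMPv2-SMI::enterprises.311.1.13.1.9999.1.0 "Logon Failure:\n'
    "Reason: Unknown user name or bad password\n"
    "User Name: Popov_V\n"
    "Domain: MYDOM\n"
    "Logon Type: 3\n"
    "Workstation Name: SADC\n"
    "Source Network Address: 192.168.0.20\n"
    'Source Port: 36018"\n'
)


def parse_trap(text):
    """Turn raw traphandle input into a dict: header fields plus the event's key/value lines."""
    lines = text.splitlines()
    if len(lines) < 4:
        raise ValueError("truncated trap: expected hostname, source, uptime and trap OID")
    hostname, source, uptime_line, trap_oid_line = lines[:4]
    uptime = uptime_line.split(" ", 1)[1]
    trap_oid = trap_oid_line.split(" ", 1)[1]
    # as in trapd.pl, the last numeric component of the trap OID is the event number
    event_id = int(trap_oid.rsplit(".", 1)[1])
    # drop tabs, CRs and quotes, then cut the text out after the evntwin varbind OID
    body = re.sub(r'[\t\r"]', "", "\n".join(lines[4:]))
    parts = VARBIND_OID.split(body)
    message = parts[1] if len(parts) > 1 else ""
    msg_lines = [ln.strip() for ln in message.split("\n") if ln.strip()]
    # first line is the event title ("Logon Failure:"), the rest are "Key: value" lines
    subject = msg_lines[0].rstrip(":") if msg_lines else ""
    fields = {}
    for ln in msg_lines[1:]:
        key, sep, value = ln.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "hostname": hostname,
        "source": source,
        "uptime": uptime,
        "event_id": event_id,
        "subject": subject,
        "fields": fields,
    }


def format_letter(event):
    """Build the mail body in the layout shown in the post."""
    out = [f"Hostname: {event['hostname']}", f"Source: {event['source']}", "", f"{event['subject']}:"]
    out += [f"{key}: {value}" for key, value in event["fields"].items()]
    return "\n".join(out)


def logon_failure_sources(events, threshold=5):
    """Count 'Logon Failure' events per source network address and return the addresses
    at or above the threshold; repeated failures from one address are the brute-force
    pattern the post describes. The threshold of 5 is an assumed value for this example."""
    counts = Counter()
    for ev in events:
        if ev["subject"] == "Logon Failure":
            counts[ev["fields"].get("Source Network Address", "unknown")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # used as a traphandle: snmptrapd pipes the trap in on stdin
    raw = SAMPLE_TRAP if sys.stdin.isatty() else sys.stdin.read()
    print(format_letter(parse_trap(raw)))
```

The counter works on a list of already-parsed events, so in practice the handler would append each parsed event to a file or database and a periodic job would run logon_failure_sources over the last few minutes of events; a single handler invocation only ever sees one trap.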

Good luck in your work.
PS: the finished config with the categories shown in the screenshot is here

(C) Aborche 2009

Source: https://habr.com/ru/post/65652/
