1. Configure WEF

  • We have a SCOM 2012 server.

  • We have SNARE agents to ensure PCI compliance, but now we want to save money by using its native functionality to collect all events from all of our Windows servers

  • We also have a centralised Linux server running SYSLOG that aggregates the logs to our log retention appliance (all of this is for PCI purposes)

So, my question is:

Can a Windows server (SCOM 2012) forward event logs to a Linux syslog server? I think this would happen by following a standard flat-file format or something similar.

Thanks

Answer 1

You need to use a Syslog agent, because Windows does not provide one.

...the Windows operating system does not include a syslog agent capable of sending syslog data to a syslog server. Without a syslog agent, the Windows operating system is unable not only to send syslog messages to a syslog server, but also to send syslog messages from any application running on the Windows operating system (such as a web server or database).

Source

The source page and a Google search for "Windows Syslog Agent" offer many different Syslog agents you can try.

Answer 2

You could try using NXLog on the Linux server to receive native WEF events from Windows and forward them to the syslog server, since NXLog has a community edition. I don't currently have the resources to try this. If NXLog is smart enough to convert WEF to text before forwarding to syslog then it may work; otherwise it may spray binary noise into syslog. Please report back if it works:

1. Configure WEF

[ https://adamtheautomator.com/windows-event-collector/ ]

  • Create a GPO via the Group Policy Management Console. Inside the GPO, navigate to Computer Configuration → Policies → Administrative Templates → Windows Components → Event Forwarding → Configure target Subscription Manager.
  • Set the value of the target Subscription Manager to the WinRM endpoint on the collector. You set the server in the following format:
    • Server=http://hostname:5985/wsman/SubscriptionManager/WEC,Refresh=60

2. Configure NXLog:

(The WEF-to-NXLog setup is from here, but see my configuration at the bottom of this SE answer for the actual forwarding)

Create and Map an Active Directory Domain User

For the WEC server on the Linux machine to be able to use Kerberos authentication, a corresponding user needs to be created in Active Directory and mapped to the Kerberos principal names.

On the domain controller, create a new user with its logon name matching the hostname of the WEC server.

    Go to Administrative Tools > Active Directory Users and Computers > example.com > Users.

    Right click and choose New > User.

        First name: linux-wec

        Full name: linux-wec

        User logon name: linux-wec

        Set a password for the user.

        Uncheck User must change password at next logon.

        Check Password never expires.

    Right click on the new user, click Properties, and open the Account tab.

        Check This account supports Kerberos AES 128 bit encryption.

        Check This account supports Kerberos AES 256 bit encryption.

On the DNS server, create an A record for linux-wec.example.com.

    Go to Administrative Tools > DNS > Forward Lookup Zones > example.com.

    Right click and choose New Host (A or AAAA)….

    Add a record with name linux-wec and IP address 192.168.0.3.

    Check the Create associated pointer (PTR) record option.

Back on the domain controller, open a command prompt and execute these commands. Use the same <password> that was specified when the above user was created. These commands map the domain account to the Kerberos principal names and generate two keytab files containing the shared secret.

> ktpass /princ hosts/linux-wec.example.com@EXAMPLE.COM /pass <password> /mapuser EXAMPLE\linux-wec -pType KRB5_NT_PRINCIPAL /out hosts-nxlog.keytab /crypto AES256-SHA1

> ktpass /princ http/linux-wec.example.com@EXAMPLE.COM /pass <password> /mapuser EXAMPLE\linux-wec -pType KRB5_NT_PRINCIPAL /out http-nxlog.keytab /crypto AES256-SHA1

Copy the resulting hosts-nxlog.keytab and http-nxlog.keytab files to the WEC server.

Configure Kerberos on the WEC Server

Now that the Active Directory user has been created and mapped to the principal names, the WEC server can be configured for Kerberos authentication.

Confirm that the Kerberos krb5 client and utility software are installed on the WEC server. The required package can be installed with yum install krb5-workstation or apt install krb5-user.

Edit the default Kerberos configuration file, usually located at /etc/krb5.conf.

    In section [domain_realm] add:

    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

    In section [realms] add:

    EXAMPLE.COM = {
     kdc = example.com
     admin_server = example.com
    }

Use ktutil to merge the two keytab files generated above.

# ktutil
ktutil:  rkt /root/hosts-nxlog.keytab
ktutil:  rkt /root/http-nxlog.keytab
ktutil:  wkt /root/nxlog-result.keytab
ktutil:  q

Validate the merged keytab.

# klist -e -k -t /root/nxlog-result.keytab
Keytab name: FILE:/root/nxlog-result.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 17.01.2021 04:20:08 hosts/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 17.01.2021 04:20:08 http/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)

Either copy the keytab into place, or merge it if there are already keys in /etc/krb5.keytab.

    To copy the keytab:

    # cp /root/nxlog-result.keytab /etc/krb5.keytab

    To merge the keytab and validate the result:

    # ktutil
    ktutil:  rkt /etc/krb5.keytab
    ktutil:  rkt /root/nxlog-result.keytab
    ktutil:  wkt /etc/krb5.keytab
    ktutil:  q

    # klist -e -k -t /etc/krb5.keytab
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       <other entries>
       5 17.01.2021 04:20:08 hosts/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
       4 17.01.2021 04:20:08 http/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)

Verify that the user account used by the NXLog service has sufficient privileges to open and read the /etc/krb5.keytab file. If not, Kerberos authentication will fail.

Test that the authentication with Active Directory is working successfully when using the keytab. Run the following command on the Linux WEC server. If the configuration is correct a ticket-granting ticket (TGT) will be created and cached. This command should be invoked with the same user that the NXLog service runs as. By default, it uses the nxlog user account.

# kinit -kt /etc/krb5.keytab http/linux-wec.example.com@EXAMPLE.COM

Verify the ticket was obtained by running klist as the same user from the previous step:

# klist
Ticket cache: KCM:0
Default principal: http/linux-wec.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
28/01/21 11:41:44  28/01/21 21:41:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/02/21 11:41:44

3. Use this NXLog configuration to proxy Windows to syslog:

# Receive from native WEF:
<Input windows_events>
    Module              im_wseventing
    # URL the Windows clients connect to; it must match the Subscription Manager
    # value set in the GPO (scheme, hostname and port)
    Address             https://linux-wec.example.com:5985/wsman
    ListenAddr          0.0.0.0
    Port                5985
    HTTPSCertFile       /path/to/server-cert.pem
    HTTPSCertKeyFile    /path/to/server-key.pem
    HTTPSCAFile         /path/to/ca-cert.pem
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
            </Query>
        </QueryList>
    </QueryXML>

    # Log connections for testing and troubleshooting
    LogConnections      TRUE
</Input>

# Send it to a syslog server:
<Output udp>
    Module  om_udp
    Host    192.168.1.1:514
</Output>

# (or using the syntax prior to NXLog EE 5,
# where the port is defined in a separate directive.)
#<Output udp>
#    Module  om_udp
#    Host    192.168.1.1
#    Port    514
#</Output>

# Route WEF to UDP. The Path names the module *instances* defined above
# (windows_events and udp), not the module types.
<Route wef_to_udp>
    Path    windows_events => udp
</Route>
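The answer's Kerberos section ends with "validate the merged keytab" by eye. The following script does that check programmatically: it parses `klist -e -k -t` output and confirms that both the hosts/ and http/ principals for the WEC host are present with an AES key, and reports any weak encryption types left in the keytab. It is an added example, not part of the original answer or of the NXLog documentation it quotes; the sample listing is constructed to match the `klist` output shown above, and the host, realm and keytab path are the answer's example values.

```python
"""Validate a merged Kerberos keytab listing for a Linux WEC server.

Added example (not from the answer or from NXLog). The sample listing below is
constructed to match the `klist -e -k -t` output shown in the answer.
"""
import re
import subprocess

# Constructed sample of `klist -e -k -t /etc/krb5.keytab` output, with one
# extra pre-existing entry that uses a weak encryption type.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 17.01.2021 04:20:08 hosts/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 17.01.2021 04:20:08 http/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 17.01.2021 03:10:00 host/other-box.example.com@EXAMPLE.COM (arcfour-hmac)
"""

# One keytab entry: KVNO, date and time, principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")
# The AES types that the ktpass commands in the answer produce (/crypto AES256-SHA1)
# and that the AD account was enabled for.
STRONG_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}


def parse_klist(output):
    """Return one dict per keytab entry: kvno, principal, enctype."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header, separator and blank lines do not match
            entries.append({"kvno": int(m.group(1)),
                            "principal": m.group(3),
                            "enctype": m.group(4)})
    return entries


def check_keytab(entries, host, realm, services=("hosts", "http")):
    """List what is missing or weak for the given WEC host; an empty list means OK."""
    problems = []
    for svc in services:
        wanted = f"{svc}/{host}@{realm}"
        matches = [e for e in entries if e["principal"] == wanted]
        if not matches:
            problems.append(f"missing {wanted}")
        elif not any(e["enctype"] in STRONG_ENCTYPES for e in matches):
            problems.append(f"{wanted} has no AES key (enable AES on the AD account)")
    # Any other entry with a non-AES key is worth knowing about as well.
    for e in entries:
        if e["enctype"] not in STRONG_ENCTYPES:
            problems.append(f"weak enctype {e['enctype']} for {e['principal']}")
    return problems


def read_keytab(path="/etc/krb5.keytab"):
    """Run klist on a real keytab (needs krb5-workstation / krb5-user installed)."""
    out = subprocess.run(["klist", "-e", "-k", "-t", path],
                         capture_output=True, text=True, check=True).stdout
    return parse_klist(out)


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in read_keytab() on the WEC server.
    for problem in check_keytab(parse_klist(SAMPLE_KLIST),
                                "linux-wec.example.com", "EXAMPLE.COM"):
        print(problem)
```

Run it as the same account the NXLog service uses, so a permissions problem on /etc/krb5.keytab (the next check in the answer) surfaces as a `klist` failure rather than going unnoticed.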
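The open question in this answer is whether what reaches the syslog server is text or "binary noise". A Windows event arrives at a collector as XML in the Microsoft event schema; the script below, an added example that is neither the answer's code nor NXLog's, parses such an event and formats it as a single RFC 5424 syslog line, then checks that the line is printable ASCII before it would be sent over UDP to the same destination the om_udp block uses. The sample event is constructed; the event XML namespace is the real one, and the structured-data ID uses the enterprise number reserved for documentation.

```python
"""Turn a Windows event (the XML a WEF collector receives) into a text RFC 5424
syslog line. Added example, not from the original answer or from NXLog; the
sample event is constructed, the XML namespace is the real Windows event schema.
"""
import socket
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Windows Level -> syslog severity (RFC 5424 section 6.2.1):
# 0 = LogAlways (audit events), 1 = Critical, 2 = Error, 3 = Warning,
# 4 = Informational, 5 = Verbose.
LEVEL_TO_SEVERITY = {0: 6, 1: 2, 2: 3, 3: 4, 4: 6, 5: 7}
FACILITY_LOCAL0 = 16
# Private enterprise number 32473 is reserved for documentation (RFC 5612).
SD_ID = "win@32473"

# Constructed sample: a Security-log logon event from a forwarding host.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Level>0</Level>
    <Channel>Security</Channel>
    <Computer>win-app01.example.com</Computer>
    <TimeCreated SystemTime="2021-01-28T11:41:44.123456Z"/>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">192.168.0.50</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Pull the fields a syslog consumer needs out of the event XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "level": int(system.findtext("e:Level", default="4", namespaces=NS)),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "time_created": system.find("e:TimeCreated", NS).get("SystemTime"),
        "data": {},
    }
    event_data = root.find("e:EventData", NS)
    if event_data is not None:
        for d in event_data.findall("e:Data", NS):
            event["data"][d.get("Name")] = (d.text or "").strip()
    return event


def sd_escape(value):
    """Escape the three characters RFC 5424 forbids unescaped in a PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(event, facility=FACILITY_LOCAL0):
    """Format one parsed event as a single RFC 5424 line (no trailing newline)."""
    severity = LEVEL_TO_SEVERITY.get(event["level"], 5)
    pri = facility * 8 + severity
    params = [f'channel="{sd_escape(event["channel"])}"']
    params += [f'{k}="{sd_escape(v)}"' for k, v in event["data"].items()]
    sd = f"[{SD_ID} {' '.join(params)}]"
    # HEADER is PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG.
    return (f"<{pri}>1 {event['time_created']} {event['computer']} "
            f"{event['provider']} - {event['event_id']} {sd} "
            f"EventID {event['event_id']} from {event['channel']}")


def is_clean_text(line):
    """True when the line is printable ASCII only, i.e. what a syslog receiver expects."""
    return all(32 <= ord(c) < 127 for c in line)


def send_udp(line, host, port=514):
    """Ship one line to a UDP syslog receiver, the same transport as om_udp above."""
    if not is_clean_text(line):
        raise ValueError("refusing to send non-text data to syslog")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("ascii"), (host, port))


if __name__ == "__main__":
    line = to_syslog(parse_event(SAMPLE_EVENT_XML))
    print(line)
    # send_udp(line, "192.168.1.1")  # destination taken from the answer's om_udp block
```

Pointing `send_udp` at the Linux syslog server and then grepping its log for `EventID 4624` is a quick way to confirm the receiving side parses text lines correctly before wiring up the real collector.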
