![NxLog "AND" logic](https://rvso.com/image/696989/NxLog%20%E7%9A%84%E3%80%8C%E8%88%87%E3%80%8D%E9%82%8F%E8%BC%AF.png)
I am currently running NxLog on various domain controllers to pull login/logout events.
```
Exec if $TargetUserName =~ /(\S+\$|user1|user2|user3|user4)/ drop(); \
else if ($EventID == 4624 or $EventID == 4625 or $EventID == 4648 or $EventID == 4768) $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + ", Keyword:" + $Status + ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + $TargetUserName + ", IPAddr:" + $IPAddress; \
else if $raw_event =~ /^(.+)(Detailed Authentication Information:|Additional Information:)/ $raw_event = $1; if $raw_event =~ s/\t/ /g {}
```
The configuration above works, but it ignores usernames containing `$` together with the usernames I listed, whereas I only want to ignore event ID 4624 for those usernames, so that I can still see the failed logins. I thought the following configuration would work, but I keep getting a syntax error.
```
Exec if ($EventID == 4624 and $TargetUserName =~ /(\S+\$|user1|user2|user3|user4)/ drop(); \
else if ($EventID == 4624 or $EventID == 4625 or $EventID == 4648 or $EventID == 4768) $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + ", Keyword:" + $Status + ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + $TargetUserName + ", IPAddr:" + $IPAddress; \
else if $raw_event =~ /^(.+)(Detailed Authentication Information:|Additional Information:)/ $raw_event = $1; if $raw_event =~ s/\t/ /g {}
```
Any help would be greatly appreciated.
Edit: for completeness, here is my final configuration. It excludes usernames containing `$`, and then excludes the successful/Kerb events for the various chat accounts I don't care about.
```
Exec if $TargetUserName =~ /(\S+\$)/ drop(); \
else if ($EventID == 4624 and $TargetUserName =~ /(user1|user2|user3|user4)/) drop(); \
else if ($EventID == 4648 and $TargetUserName =~ /(user1|user2|user3|user4)/) drop(); \
else if ($EventID == 4624 or $EventID == 4625 or $EventID == 4648 or $EventID == 4768) $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + ", Keyword:" + $Status + ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + $TargetUserName + ", IPAddr:" + $IPAddress; \
else if $raw_event =~ /^(.+)(Detailed Authentication Information:|Additional Information:)/ $raw_event = $1; if $raw_event =~ s/\t/ /g {}
```
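The drop/rewrite decisions of the final Exec block above, re-expressed in Python as an added example (this is neither the poster's code nor NxLog itself) so they can be checked against sample events before the config is deployed. The event dicts, their values and the `ev()` helper are constructed here; the keys mirror the NxLog fields the Exec block reads, and `raw_event` is kept single-line with tabs because the page's truncation regex carries no multi-line flag. The point to verify is that a failed logon (4625) for one of the listed users still survives while that user's 4624/4648 events and all machine accounts are dropped.

```python
import re

# Patterns copied from the final config. NxLog's =~ searches anywhere in the
# field, so these use re.search; the truncation regex is anchored with ^ and
# therefore uses re.match.
MACHINE_ACCOUNT = re.compile(r"\S+\$")
EXCLUDED_USERS = re.compile(r"user1|user2|user3|user4")
LOGON_EVENTS = {4624, 4625, 4648, 4768}
TRUNCATE_AT = re.compile(
    r"^(.+)(Detailed Authentication Information:|Additional Information:)")


def ev(eid, user, status="Audit Success", logon_type="3", ip="10.0.0.5",
       raw="An account was successfully logged on."):
    """Build a constructed event record shaped like the NxLog fields used above."""
    return {"EventID": eid, "EventTime": "2024-01-01 10:00:00", "Status": status,
            "LogonType": logon_type, "TargetDomainName": "CORP",
            "TargetUserName": user, "IPAddress": ip, "raw_event": raw}


# Constructed sample input: one event per branch of the Exec block.
SAMPLE_EVENTS = [
    ev(4624, "DC01$"),                                   # machine account: dropped
    ev(4624, "user1"),                                   # listed user, success: dropped
    ev(4625, "user1", status="Audit Failure", ip="10.0.0.7"),  # listed user, failure: kept
    ev(4648, "user2", logon_type=""),                    # explicit creds, listed user: dropped
    ev(4768, "user2", logon_type=""),                    # Kerberos TGT request: kept
    ev(4634, "user5", raw="An account was logged off.\tSubject:\tuser5 "
                          "Additional Information: none"),  # logoff: truncated, kept
]


def process(event):
    """Mirror the Exec chain: return the rewritten raw_event, or None if dropped."""
    eid, user = event["EventID"], event["TargetUserName"]
    if MACHINE_ACCOUNT.search(user):
        return None
    if eid in (4624, 4648) and EXCLUDED_USERS.search(user):
        return None
    if eid in LOGON_EVENTS:
        raw = ("Time:" + event["EventTime"] + ", EventID:" + str(eid)
               + ", Keyword:" + event["Status"] + ", LogonType:" + event["LogonType"]
               + ", User:" + event["TargetDomainName"] + "\\" + user
               + ", IPAddr:" + event["IPAddress"])
    else:
        raw = event["raw_event"]
        m = TRUNCATE_AT.match(raw)
        if m:
            raw = m.group(1)
    # The trailing s/\t/ /g applies to every event that was not dropped.
    return raw.replace("\t", " ")


def run(events):
    """Return the output lines that would reach the next NxLog module."""
    return [line for line in map(process, events) if line is not None]


if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

Note that a 4768 (Kerberos TGT request) for a listed user still passes through: the final config drops only 4624 and 4648 for those accounts, so if "Kerb events" were meant to include 4768 a further branch would be needed.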
Answer 1
The syntax error is caused by your parentheses not being paired correctly. It should look like this:
```
Exec if ($EventID == 4624 ... ) drop();
        ^                     ^
```
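A small bracket checker for NxLog Exec blocks, added here as an example (it is not part of the answer and not an NxLog tool). It applies the answer's point mechanically: it reports the offset of any unpaired `(`/`)` or `{`/`}` while skipping brackets inside `"string"` and `/regex/` literals, so the capture group in the poster's regex is not miscounted. The constants `BROKEN` and `FIXED` quote the failing line from the question and the corresponding line from the final config; treating a `/` that follows `=~`, `!~` or the `s` of a substitution as the start of a regex literal is an assumption derived from the lines on this page, not from the NxLog grammar.

```python
# Bracket pairs the checker tracks: () for conditions, {} for statement bodies
# (e.g. the empty {} after the s/\t/ /g substitution).
PAIRS = {"(": ")", "{": "}"}
CLOSERS = {close: open_ for open_, close in PAIRS.items()}

# Lines quoted from the question (assumed to be typed exactly like this).
BROKEN = r'Exec if ($EventID == 4624 and $TargetUserName =~ /(\S+\$|user1|user2|user3|user4)/ drop();'
FIXED = r'Exec if ($EventID == 4624 and $TargetUserName =~ /(user1|user2|user3|user4)/) drop();'


def _regex_follows(text, i):
    """True if the '/' at text[i] opens a regex literal: it follows =~ or !~,
    optionally with the 's' of an s/.../.../ substitution in between."""
    before = text[:i].rstrip()
    if before.endswith("s") and before[:-1].rstrip().endswith(("=~", "!~")):
        return True
    return before.endswith(("=~", "!~"))


def check_brackets(text):
    """Return (balanced, problems) for an Exec block.

    problems is a list of (message, offset) tuples, offsets into text.
    Brackets inside "..." strings and /.../ regex literals are ignored."""
    stack, problems = [], []
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                                  # string literal
            i += 1
            while i < n and text[i] != '"':
                i += 2 if text[i] == "\\" else 1      # skip escaped chars, e.g. "\\"
        elif c == "/" and _regex_follows(text, i):    # regex literal
            i += 1
            while i < n and text[i] != "/":
                i += 2 if text[i] == "\\" else 1      # skip \S, \$, \t ...
        elif c in PAIRS:
            stack.append((c, i))
        elif c in CLOSERS:
            if stack and stack[-1][0] == CLOSERS[c]:
                stack.pop()
            else:
                problems.append(("unmatched '%s'" % c, i))
        i += 1
    for opener, pos in stack:
        problems.append(("unmatched '%s'" % opener, pos))
    return (not problems, problems)


if __name__ == "__main__":
    for label, line in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        ok, problems = check_brackets(line)
        print(label, "balanced" if ok else problems)
```

Run against `BROKEN` it reports the `(` at offset 8 (the one after `if`) as unmatched, which is exactly the bracket the answer's caret points at; `FIXED` passes.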