通过Sysmon+Nxlogs收集Windows Server 2012服务器日志-并以Syslog形式发送Json格式数据至SIEM

0x01 环境介绍

Windows Server 2012 已经安装部署好了域控,目的除了收集Windows服务器本身的日志外还收集域控环境下的各种日志。

0x02 Nxlog配置和使用

0x03 安装Sysmon

0x04 开启Windows服务器审核策略

0x05 修改Nxlog配置文件

  • 本次是需要收集Windows服务器System,Security,Application,Sysmon,Powershell的相关日志
  • 配置文件详情
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension json>
Module xm_json
</Extension>
<Extension _syslog>
Module xm_syslog
</Extension>
<Input internal>
Module im_internal
</Input>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets gbk, iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension _exec>
Module xm_exec
</Extension>
<Extension _fileop>
Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
<Schedule>
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
(file_size('%LOGFILE%') >= 5M)) \
file_cycle('%LOGFILE%', 8);
</Schedule>
<Schedule>
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
</Schedule>
</Extension>
<Input eventlog>
Module im_msvistalog
Query <QueryList>\
<Query Id="0">\
<Select Path="Application">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Security">*</Select>\
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
<Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>\
</Query>\
</QueryList>
Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
</Input>
<Output out>
Module om_udp
Host 192.168.50.20
Port 536
Exec $EventTime = integer($EventTime) / 1000000;
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
Exec $Message = to_json(); to_syslog_bsd();
</Output>
<Route 1>
Path eventlog, internal => out
</Route>

0x06 SIEM平台确认日志接收情况

image

  • 这里接收过来的日志需要先使用grok解析为json格式,然后再解析json,生成每个字段,然后基于字段进行日常安全运营配置相关策略进行告警。
  • 使用到的Grok语法
.+]: %{GREEDYDATA:windows2012_json}
  • 原始日志
<14>Feb 23 21:20:20 SHUNANDC2012.shunanatomic.com Microsoft-Windows-Security-Auditing[512]: {"EventTime":1677158419,"Hostname":"SHUNANDC2012.shunanatomic.com","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":516532,"ProcessID":512,"ThreadID":4984,"Channel":"Security","Message":"已注销帐户。\r\n\r\n使用者:\r\n\t安全 ID:\t\tS-1-5-18\r\n\t帐户名:\t\tSHUNANDC2012$\r\n\t帐户域:\t\tSHUNANATOMIC\r\n\t登录 ID:\t\t0xBB2EC6\r\n\r\n登录类型:\t\t\t3\r\n\r\n在登录会话被破坏时生成此事件。可以使用登录 ID 值将它和一个登录事件准确关联起来。在同一台计算机上重新启动的区间中,登录 ID 是唯一的。","Category":"注销","Opcode":"信息","TargetUserSid":"S-1-5-18","TargetUserName":"SHUNANDC2012$","TargetDomainName":"SHUNANATOMIC","TargetLogonId":"0xbb2ec6","LogonType":"3","EventReceivedTime":1677158420,"SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}
  • 进行Json格式解析
    image
    image

0x07 SIEM平台效果展示

image
image
image


0x08 更新nxlog日志发送至华为平台

nxlog配置模板

  • 此nxlog配置,可以直接在Windows环境下安装成功之后,将发送的IP地址更改为自己实际的IP地址,然后重启服务即可使用。
## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/
## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.
define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
Module xm_syslog
</Extension>
<Extension json>
Module xm_json
</Extension>
#define LOGFILE C:\Program Files (x86)\nxlog\data\nxlog.log
#<Extension fileop>
#Module xm_fileop
## Check the size of our log file every hour and rotate if it is larger than 1Mb
#<Schedule>
#Every 1 hour
#Exec if (file_size('%LOGFILE%') >= 1M) file_cycle('%LOGFILE%', 2);
#</Schedule>
## Rotate our log file every week on sunday at midnight
#<Schedule>
#When @weekly
#Exec file_cycle('%LOGFILE%', 2);
#</Schedule>
#</Extension>
<Input eventlog>
Module im_msvistalog
ReadFromLast TRUE
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="System">*</Select>
</Query>
<Query Id="1">
<Select Path="Security">*</Select>
</Query>
<Query Id="2">
<Select Path="Application">*</Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
$raw_event = "0|EventlogType=" +$Channel +
"|DetectTime=" +$EventTime +
"|EventSource=" +$SourceName +
"|EventID=" +$EventID +
"|EventType=" +$EventType +
"|EventCategory="+$Task +
"|User=" +$AccountName+
"|ComputerName=" +$Hostname +
"|Description=" +$Message;
</Exec>
# Exec log_info("raw event is: " + $raw_event);
</Input>
<Input in2>
Module im_file
File 'C:\Program Files (x86)\Tencent\RTXServer\Logs\Security\*'
SavePos TRUE
ReadFromLast TRUE
#Exec $raw_event = 'DbAppSOCAgent get log from "abc" ' + $raw_event;
#Exec log_info("raw event 2 is: " + $raw_event);
</Input>
#<Input in3>
#Module im_file
#File 'C:\Program Files\Microsoft SQL Server\110\Setup Bootstrap\Log\20151217_130836\\*.log'
#SavePos TRUE
#ReadFromLast TRUE
#Exec $raw_event = 'DbAppSOCAgent get log from "sqlserver" ' + $raw_event;
#Exec log_info("raw event 3 is: " + $raw_event);
#</Input>
<Output out>
Module om_udp
Host 10.11.8.10
Port 514
</Output>
<Route udp1>
# Path eventlog,in2,in3 => out
Path eventlog,in2 => out
</Route>
posted @   皇帽讲绿帽带法技巧  阅读(1141)  评论(2编辑  收藏  举报
点击右上角即可分享
微信分享提示