0x01 Environment
Windows Server 2012 has been installed and promoted to a domain controller. Besides collecting the Windows server's own logs, the goal is to collect the various logs generated in the domain environment.
0x02 Nxlog configuration and usage
0x03 Installing Sysmon
0x04 Enabling the Windows Server audit policy
0x05 Modifying the Nxlog configuration file
This time we need to collect the System, Security, Application, Sysmon and PowerShell logs from the Windows server.
Configuration file details
Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

include %CONFDIR%\\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input internal>
    Module  im_internal
</Input>

<Extension _charconv>
    Module  xm_charconv
    AutodetectCharsets gbk, iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module  xm_exec
</Extension>

<Extension _fileop>
    Module  xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5 MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate the log file once a week regardless of size
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Input eventlog>
    Module  im_msvistalog
    # Channels to collect: Application, System, Security, Sysmon and PowerShell
    Query   <QueryList> \
                <Query Id="0"> \
                    <Select Path="Application">*</Select> \
                    <Select Path="System">*</Select> \
                    <Select Path="Security">*</Select> \
                    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
                    <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select> \
                </Query> \
            </QueryList>
    # Drop the high-volume Windows Filtering Platform events (5156 connection permitted, 5158 bind permitted)
    Exec    if ($EventID == 5156) OR ($EventID == 5158) drop();
</Input>

<Output out>
    Module  om_udp
    Host    192.168.50.20
    Port    536
    # Convert the microsecond timestamps to epoch seconds, then send the whole event as JSON inside a BSD syslog message
    Exec    $EventTime = integer($EventTime) / 1000000;
    Exec    $EventReceivedTime = integer($EventReceivedTime) / 1000000;
    Exec    $Message = to_json(); to_syslog_bsd();
</Output>

<Route 1>
    Path    eventlog, internal => out
</Route>
0x06 Confirming log reception on the SIEM platform
The received logs must first be parsed with grok to extract the JSON body, then the JSON is parsed to produce the individual fields; alerting policies for day-to-day security operations are then configured on top of those fields.
Grok pattern used
.+]: %{GREEDYDATA:windows2012_json}
<14>Feb 23 21:20:20 SHUNANDC2012.shunanatomic.com Microsoft-Windows-Security-Auditing[512]: {"EventTime":1677158419,"Hostname":"SHUNANDC2012.shunanatomic.com","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":516532,"ProcessID":512,"ThreadID":4984,"Channel":"Security","Message":"已注销帐户。\r\n\r\n使用者:\r\n\t安全 ID:\t\tS-1-5-18\r\n\t帐户名:\t\tSHUNANDC2012$\r\n\t帐户域:\t\tSHUNANATOMIC\r\n\t登录 ID:\t\t0xBB2EC6\r\n\r\n登录类型:\t\t\t3\r\n\r\n在登录会话被破坏时生成此事件。可以使用登录 ID 值将它和一个登录事件准确关联起来。在同一台计算机上重新启动的区间中,登录 ID 是唯一的。","Category":"注销","Opcode":"信息","TargetUserSid":"S-1-5-18","TargetUserName":"SHUNANDC2012$","TargetDomainName":"SHUNANATOMIC","TargetLogonId":"0xbb2ec6","LogonType":"3","EventReceivedTime":1677158420,"SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}
Parsing the JSON
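The two-step parse described above (grok to cut out the JSON, then a JSON parse into fields, then a field-based rule), as an added Python example that is not part of the original post. The sample lines, the `@timestamp` field and the alert rule on EventID 4624 with LogonType 10 are constructed assumptions for illustration, not something the post or the SIEM defines.

```python
import json
import re
from datetime import datetime, timezone

# Python equivalent of the post's grok pattern ".+]: %{GREEDYDATA:windows2012_json}":
# the JSON written by NXLog's to_json() starts right after the "[pid]: " of the syslog header.
SYSLOG_JSON_RE = re.compile(r'^.+?\]: (?P<windows2012_json>\{.*\})\s*$')

# Constructed sample lines in the shape to_syslog_bsd() emits (values made up for this
# example apart from the first line's, which follows the post's sample; Message omitted).
SAMPLE_LINES = [
    '<14>Feb 23 21:20:20 SHUNANDC2012.shunanatomic.com Microsoft-Windows-Security-Auditing[512]: '
    '{"EventTime":1677158419,"Hostname":"SHUNANDC2012.shunanatomic.com","EventID":4634,'
    '"Channel":"Security","TargetUserName":"SHUNANDC2012$","LogonType":"3"}',
    '<14>Feb 23 21:21:05 SHUNANDC2012.shunanatomic.com Microsoft-Windows-Security-Auditing[512]: '
    '{"EventTime":1677158465,"Hostname":"SHUNANDC2012.shunanatomic.com","EventID":4624,'
    '"Channel":"Security","TargetUserName":"admin","LogonType":"10","IpAddress":"192.168.50.99"}',
    'not a syslog line at all',
]

def parse_line(line):
    """Step 1 (grok): cut the JSON body out of the BSD syslog line.
    Step 2 (JSON filter): load it into a dict. EventTime is epoch seconds because the NXLog
    Exec divides the microsecond timestamp by 1000000; add it as an ISO-8601 UTC @timestamp."""
    m = SYSLOG_JSON_RE.match(line)
    if not m:
        return None
    try:
        event = json.loads(m.group('windows2012_json'))
    except json.JSONDecodeError:
        return None
    if isinstance(event.get('EventTime'), int):
        event['@timestamp'] = datetime.fromtimestamp(event['EventTime'], tz=timezone.utc).isoformat()
    return event

def rdp_logon_alerts(events):
    """Illustrative field-based rule (an assumption, not a rule from the post): successful
    logon (4624) with LogonType 10 (RemoteInteractive, i.e. RDP) on the domain controller."""
    return [e for e in events if e.get('EventID') == 4624 and e.get('LogonType') == '10']

def run(lines):
    """Parse every line, skip the unparseable ones, and return (events, alerts)."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    return events, rdp_logon_alerts(events)

if __name__ == '__main__':
    parsed, alerts = run(SAMPLE_LINES)
    print(f'{len(parsed)} events parsed, {len(alerts)} alert(s)')
```

Lines that do not match the pattern or carry invalid JSON are dropped rather than raising, which is the behaviour you want in a collector pipeline; count them in production instead of silently discarding them.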
0x07 SIEM platform results
0x08 Updated nxlog configuration for sending logs to the Huawei platform
nxlog configuration template
With this nxlog configuration, once nxlog has been installed successfully on Windows, change the destination IP address to your own actual address and restart the service; it is then ready to use.
define ROOT C:\Program Files\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
Module xm_syslog
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input eventlog>
Module im_msvistalog
ReadFromLast TRUE
<QueryXML>
<QueryList>
<Query Id="0" >
<Select Path="System" >*</Select>
</Query>
<Query Id="1" >
<Select Path="Security" >*</Select>
</Query>
<Query Id="2" >
<Select Path="Application" >*</Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
$raw_event = "0|EventlogType=" +$Channel +
"|DetectTime=" +$EventTime +
"|EventSource=" +$SourceName +
"|EventID=" +$EventID +
"|EventType=" +$EventType +
"|EventCategory=" +$Task +
"|User=" +$AccountName +
"|ComputerName=" +$Hostname +
"|Description=" +$Message ;
</Exec>
</Input>
<Input in2>
Module im_file
File 'C:\Program Files (x86)\Tencent\RTXServer\Logs\Security\*'
SavePos TRUE
ReadFromLast TRUE
</Input>
<Output out>
Module om_udp
Host 10.11.8.10
Port 514
</Output>
<Route udp1>
Path eventlog,in2 => out
</Route>