Windows

NxLog "and" logic

  • January 17, 2017

I am currently running NxLog on various domain controllers to pull logon/logoff events.

Exec if $TargetUserName =~ /(\S+\$|user1|user2|user3|user4)/ drop(); \
    else if ($EventID == 4624 or $EventID == 4625 or $EventID == 4648 or $EventID == 4768) $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + ", Keyword:" + $Status + ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + $TargetUserName + ", IPAddr:" + $IPAddress; \
    else if $raw_event =~ /^(.+)(Detailed Authentication Information:|Additional Information:)/ $raw_event = $1; if $raw_event =~ s/\t/  /g {}

While the config above works fine, it actually ignores usernames containing $ as well as the usernames I specified; I only want to ignore event ID 4624 for events containing those usernames, so that I can still see failed logons. I thought the following config would work, but I keep getting syntax errors.

Exec if ($EventID == 4624 and $TargetUserName =~ /(\S+\$|user1|user2|user3|user4)/ drop(); \
    else if ($EventID == 4624 or $EventID == 4625 or $EventID == 4648 or $EventID == 4768) $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + ", Keyword:" + $Status + ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + $TargetUserName + ", IPAddr:" + $IPAddress; \
    else if $raw_event =~ /^(.+)(Detailed Authentication Information:|Additional Information:)/ $raw_event = $1; if $raw_event =~ s/\t/  /g {}

Any help would be greatly appreciated.

**EDIT:** For completeness, below is my final config, which excludes usernames containing $ and then the success/Kerb events for the various chatty accounts I don't care about.

Exec if $TargetUserName =~ /(\S+\$)/ drop(); \
    else if ($EventID == 4624 and $TargetUserName =~ /(user1|user2|user3|user4)/) drop(); \
    else if ($EventID == 4648 and $TargetUserName =~ /(user1|user2|user3|user4)/) drop(); \
    else if ($EventID == 4624 or $EventID == 4625 or $EventID == 4648 or $EventID == 4768) $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + ", Keyword:" + $Status + ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + $TargetUserName + ", IPAddr:" + $IPAddress; \
    else if $raw_event =~ /^(.+)(Detailed Authentication Information:|Additional Information:)/ $raw_event = $1; if $raw_event =~ s/\t/  /g {}

The cause of the syntax error is that your parentheses are not paired correctly. It should look like this:

Exec if ($EventID == 4624 ... ) drop(); 
       ^                     ^
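To check what the final config actually keeps and drops, the following is an added Python simulation of its Exec chain (my own example, not code from the question or from NxLog), run over constructed sample events. Field names follow the config; the event records and the `logon()` helper are made up for the demonstration.

```python
import re

# Patterns taken from the final NxLog config above. NxLog's =~ searches the
# string, as re.search does, so neither pattern is anchored: "user1" also
# matches "user10", and "\S+\$" matches any name ending in "$" (computer accounts).
MACHINE_ACCOUNT = re.compile(r"\S+\$")
NOISY_ACCOUNTS = re.compile(r"user1|user2|user3|user4")
LOGON_EVENTS = {4624, 4625, 4648, 4768}
TRAILER = re.compile(r"^(.+)(Detailed Authentication Information:|Additional Information:)")

def process(ev):
    """Apply the Exec chain to one event dict; return the output line, or None if dropped."""
    user = ev["TargetUserName"]
    if MACHINE_ACCOUNT.search(user):
        return None                      # rule 1: computer accounts, every event ID
    if ev["EventID"] in (4624, 4648) and NOISY_ACCOUNTS.search(user):
        return None                      # rules 2-3: chatty accounts, success / explicit-cred only
    if ev["EventID"] in LOGON_EVENTS:    # rule 4: compact one-line summary (4625 and 4768 survive)
        line = ("Time:%s, EventID:%d, Keyword:%s, LogonType:%s, User:%s\\%s, IPAddr:%s"
                % (ev["EventTime"], ev["EventID"], ev["Status"], ev["LogonType"],
                   ev["TargetDomainName"], user, ev["IPAddress"]))
    else:                                # rule 5: cut the verbose trailer off other events
        m = TRAILER.match(ev["raw_event"])
        line = m.group(1) if m else ev["raw_event"]
    return line.replace("\t", "  ")      # trailing statement: tabs become two spaces

def logon(eid, user, status, ip="10.0.0.5"):
    """Build a constructed event record (sample data, not taken from a real log)."""
    return {"EventID": eid, "TargetUserName": user, "TargetDomainName": "CORP",
            "EventTime": "2017-01-17 08:00:00", "Status": status, "LogonType": "3",
            "IPAddress": ip, "raw_event": ""}

# Constructed samples: a machine account, a chatty account succeeding and failing,
# its Kerberos TGT request, and a non-logon event carrying the trailer the config strips.
SAMPLES = [
    logon(4624, "DC01$", "Audit Success"),
    logon(4624, "user1", "Audit Success"),
    logon(4625, "user1", "Audit Failure", ip="203.0.113.7"),
    logon(4768, "user1", "Audit Success"),
    dict(logon(4672, "admin", "Audit Success"),
         raw_event="Special privileges assigned\tto new logon.  Additional Information: x"),
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev["EventID"], ev["TargetUserName"], "->", process(ev))
```

Running it shows that the failed logon (4625) for user1 is kept while the successful one (4624) is dropped, which is the behaviour the question asks for; it also shows that 4768 for the chatty accounts is still kept, since the final config only drops 4624 and 4648 for them.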

Source: https://serverfault.com/questions/826606