Windows
NxLog 的“和”邏輯
我目前在各種域控制器上執行 NxLog,以提取登錄/註銷事件。
Exec if $TargetUserName =~ /(\S+\$|user1|user2|user3|user4)/ drop(); \ else if ($EventID == 4624 or $EventID == 4625 or $EventID == 4648 or $EventID == 4768) $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + ", Keyword:" + $Status + ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + $TargetUserName + ", IPAddr:" + $IPAddress; \ else if $raw_event =~ /^(.+)(Detailed Authentication Information:|Additional Information:)/ $raw_event = $1; if $raw_event =~ s/\t/ /g {}
雖然上面的配置工作正常,但事實上它忽略了帶有 $ 的使用者名以及我指定的使用者名,我只想忽略其中包含這些使用者名的事件 id 4624,所以我仍然可以看到失敗的登錄。我認為以下配置可以工作,但我不斷收到語法錯誤。
Exec if ($EventID == 4624 and $TargetUserName =~ /(\S+\$|user1|user2|user3|user4)/ drop(); \ else if ($EventID == 4624 or $EventID == 4625 or $EventID == 4648 or $EventID == 4768) $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + ", Keyword:" + $Status + ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + $TargetUserName + ", IPAddr:" + $IPAddress; \ else if $raw_event =~ /^(.+)(Detailed Authentication Information:|Additional Information:)/ $raw_event = $1; if $raw_event =~ s/\t/ /g {}
任何幫助將不勝感激。
**編輯:**為了完整起見,下面是我的最終配置,以排除其中包含 $ 的使用者名,然後在各種我不關心的健談的帳戶上成功/Kerb 事件。
Exec if $TargetUserName =~ /(\S+\$)/ drop(); \ else if ($EventID == 4624 and $TargetUserName =~ /(user1|user2|user3|user4)/) drop(); \ else if ($EventID == 4648 and $TargetUserName =~ /(user1|user2|user3|user4)/) drop(); \ else if ($EventID == 4624 or $EventID == 4625 or $EventID == 4648 or $EventID == 4768) $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + ", Keyword:" + $Status + ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + $TargetUserName + ", IPAddr:" + $IPAddress; \ else if $raw_event =~ /^(.+)(Detailed Authentication Information:|Additional Information:)/ $raw_event = $1; if $raw_event =~ s/\t/ /g {}
語法錯誤的原因是您的括號未正確配對。它應該是這樣的:
Exec if ($EventID == 4624 ... ) drop(); ^ ^