Cacti: official forums and support

All times are UTC - 5 hours




 Post subject: Syslog + Windows Event Log + Logon/Logoff
PostPosted: Fri Feb 24, 2017 8:18 am 

Joined: Fri Feb 24, 2017 7:41 am
Posts: 1
Hi All,

I have currently added syslog to my Cacti 1.0.3 installation. The Debian box running syslog-ng is up and running, collecting those alerts from various devices, along with mail functionality. Where I need assistance is in creating the filter for the logon (event ID 4624) / logoff (event ID 4634) alerts from my Windows servers, to generate an email for that specific event.

Below is a sample of a logon captured by the server.

Quote:
Feb 24 08:28:09 2017 4624 Microsoft-Windows-Security-Auditing N/A Audit Success my.host.com 12544 An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: LAB01$
Account Domain: VIRTUAL
Logon ID: 0x3e7

Logon Type: 10

New Logon:
Security ID: S-1-5-21-2126451634-153754298-638672422-34288
Account Name: labrat
Account Domain: VIRTUAL

Logon ID: 0x8cc967
Logon GUID: {4BBEA43E-22B6-4197-F40D-A6440017E70E}

Process Information:
Process ID: 0xbfc
Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: LAB01
Source Network Address: 192.168.0.13
Source Port: 54607

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.


Being that with Windows, sometimes the machine itself will generate a login event such as the one below:

Quote:
Feb 24 06:34:48 2017 4624 Microsoft-Windows-Security-Auditing N/A Audit Success my.host.com 12544 An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

New Logon:
Security ID: S-1-5-18
Account Name: LAB01$
Account Domain: VIRTUAL
Logon ID: 0x85dc02
Logon GUID: {C50E8D39-BBEF-AA44-92CA-6CA3A858CDDC}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name:
Source Network Address: ::1
Source Port: 0

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or


Can anyone define what an ideal way to generate the filter would be? I'm not 100% sure how to leverage the 'string match type' option to filter specific portions of the message, so if anyone has any ideas or things I can try, I would be grateful.

Attachment: cacti01.png ('string match type' for syslog filtering)


One variance I did notice in the messages that may help is if the filter could look for the following attributes:

event id (4624)
logon type (10)
process name (winlogon.exe)

All help is appreciated.


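As an added illustration of the filter the poster describes (not code from the post or from the Cacti syslog plugin), the following parses the quoted 4624 messages and applies the three proposed attributes, so that the interactive logon matches and the machine-account logon does not. The two samples are abridged copies of the events quoted above, and the handling of the blank-line-separated sections is an assumption about the message layout.

```python
import re

# Constructed samples, abridged from the two 4624 events quoted in the post
# (syslog header line, then the "Key: value" body with blank-line-separated sections).
INTERACTIVE_LOGON = "\n".join([
    "Feb 24 08:28:09 2017 4624 Microsoft-Windows-Security-Auditing N/A Audit Success "
    "my.host.com 12544 An account was successfully logged on.",
    "", "Subject:", "Account Name: LAB01$", "", "Logon Type: 10", "",
    "New Logon:", "Account Name: labrat", "", "Process Information:",
    "Process Name: C:\\Windows\\System32\\winlogon.exe", "",
    "Network Information:", "Workstation Name: LAB01",
    "Source Network Address: 192.168.0.13"])
MACHINE_LOGON = "\n".join([
    "Feb 24 06:34:48 2017 4624 Microsoft-Windows-Security-Auditing N/A Audit Success "
    "my.host.com 12544 An account was successfully logged on.",
    "", "Subject:", "Account Name: -", "", "Logon Type: 3", "",
    "New Logon:", "Account Name: LAB01$", "", "Process Information:",
    "Process Name: -", "", "Network Information:", "Workstation Name:",
    "Source Network Address: ::1"])

# "<Mon> <day> <hh:mm:ss> <yyyy> <event id> ..." as in the quoted header lines.
HEADER_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4} (\d+) ")
# Section headings of the 4624 body (assumed from the quoted layout); fields under
# them are keyed "Section/Field" so the Subject and New Logon accounts stay distinct.
SECTIONS = {"Subject", "New Logon", "Process Information",
            "Network Information", "Detailed Authentication Information"}

def parse_event(msg):
    """Return {'event_id': int, 'Logon Type': '10', 'New Logon/Account Name': ...}."""
    lines = msg.splitlines()
    m = HEADER_RE.match(lines[0])
    fields = {"event_id": int(m.group(1)) if m else None}
    section = ""
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            section = ""  # a blank line closes the current section
        elif key in SECTIONS and value == "":
            section = key
        else:
            fields[f"{section}/{key}" if section else key] = value
    return fields

def is_interactive_user_logon(msg):
    """The poster's proposed filter: 4624 AND logon type 10 AND winlogon.exe."""
    f = parse_event(msg)
    proc = f.get("Process Information/Process Name", "").lower()
    return (f["event_id"] == 4624 and f.get("Logon Type") == "10"
            and proc.endswith("\\winlogon.exe"))
```

Because the parser keeps the Subject and New Logon account names apart, the same fields can also be used to drop machine accounts (names ending in `$`) or to key a matching 4634 logoff on the New Logon account.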
 Post subject: Re: Syslog + Windows Event Log + Logon/Logoff
PostPosted: Sat Mar 11, 2017 9:01 pm 
Joined: Mon Jan 05, 2015 10:10 am
Posts: 302
Use the SQL Expression.

_________________
Before history, there was a paradise, now dust.

