{"id":994,"date":"2022-09-03T14:57:12","date_gmt":"2022-09-03T05:57:12","guid":{"rendered":"https:\/\/rfsec.ddns.net\/db\/?p=994"},"modified":"2022-09-08T21:55:32","modified_gmt":"2022-09-08T12:55:32","slug":"windwos-eventlog%e3%81%ae%e5%87%a6%e7%90%86","status":"publish","type":"post","link":"https:\/\/rfsec.ddns.net\/db\/?p=994","title":{"rendered":"Windwos EventLog\u306e\u51e6\u7406"},"content":{"rendered":"\n

Windows\u306eEventLog\u3092Ubuntu\u30b5\u30fc\u30d0\u30fc\u3078\u8ee2\u9001\u3057\u3066\u3001\u53ef\u8996\u5316\u7b49\u306e\u51e6\u7406\u3092\u884c\u3046\u624b\u9806\u3002<\/p>\n\n\n\n

Windows\u3078nxlog<\/a>\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3001\u74b0\u5883\u306b\u5408\u308f\u305b\u3066nxlog.conf\u3092\u7de8\u96c6\u3059\u308b\u3002<\/p>\n\n\n\n

nxlog\u306econfig\u4f8b\uff08json\u5f62\u5f0f\u3067 514\/TCP\u3067syslog\u3068\u3057\u3066\u8ee2\u9001)<\/p>\n\n\n\n

\u53c2\u8003\u306b\u3057\u305f\u60c5\u5831\uff1aNXLog\u3067Windows\u30a4\u30d9\u30f3\u30c8\u30ed\u30b0\u3092syslog\u8ee2\u9001\u3057\u3066\u307f\u305f<\/a><\/p>\n\n\n\n

# NXLog Community Edition configuration file\n#\n# For more information see "C:\\Program Files (x86)\\nxlog\\conf\\nxlog.conf"\n# or latest version online at https:\/\/nxlog.co\/docs\/nxlog-ce\/nxlog-reference-manual.html\n# If you experience problems, see https:\/\/nxlog.co\/community-forum\n\n#### DEFINE ####\ndefine ROOT    C:\\Program Files\\nxlog\ndefine CERTDIR %ROOT%\\cert\ndefine CONFDIR %ROOT%\\conf\ndefine LOGDIR  %ROOT%\\data\ndefine LOGFILE %LOGDIR%\\nxlog.log\n\nModuledir %ROOT%\\modules\nCacheDir  %ROOT%\\data\nPidfile   %ROOT%\\data\\nxlog.pid\nSpoolDir  %ROOT%\\data\nLogFile   %LOGFILE%\n\n#### EXTENSION ####\n<Extension exec>\n    Module xm_exec\n<\/Extension>\n\n<Extension json>\n    Module xm_json\n<\/Extension>\n\n<Extension syslog>\n    Module xm_syslog\n<\/Extension>\n\n<Extension charconv>\n    Module xm_charconv\n    AutodetectCharsets shift_jis, utf-8\n<\/Extension>\n\n<Extension fileop>\n    Module xm_fileop\n    <Schedule>\n        Every 1 week\n        <Exec>\n            file_cycle('%LOGFILE%', 4);\n        <\/Exec>\n    <\/Schedule>\n<\/Extension>\n\n#### INPUT SECTION ####\n<Input input_application>\n    Module im_msvistalog\n    Query <QueryList><Query Id="0"><Select Path="Application">*<\/Select><\/Query><\/QueryList>\n    <Exec>\n        $Message  = to_json();\n        $Hostname = hostname();\n    <\/Exec>\n<\/Input>\n\n<Input input_security>\n    Module im_msvistalog\n    Query <QueryList><Query Id="0"><Select Path="Security">*<\/Select><\/Query><\/QueryList>\n    <Exec>\n        $Message  = to_json();\n        $Hostname = hostname();\n    <\/Exec>\n<\/Input>\n\n<Input input_system>\n    Module im_msvistalog\n    Query <QueryList><Query Id="0"><Select Path="System">*<\/Select><\/Query><\/QueryList>\n    <Exec>\n        $Message  = to_json();\n        $Hostname = hostname();\n    <\/Exec>\n<\/Input>\n\n\n#### PROCESSOR SECTION ####\n\n<Processor buffer_memory>\n    Module pm_buffer\n    Type Mem\n    MaxSize 128000\n    WarnLimit 16000\n<\/Processor>\n\n\n#### OUTPUT SECTION ####\n\n<Output output_syslog>\n    Module om_tcp\n    Host 192.168.68.73\n    Port 514\n    <Exec>\n        $SourceName          = 'NXLog';\n        $SyslogFacility      = 'local0';\n        $SyslogSeverityValue = '6';\n        to_syslog_ietf();\n    <\/Exec>\n<\/Output>\n\n\n#### ROUTE SECTION ####\n\n<Route route_application>\n    path input_application => buffer_memory => output_syslog\n<\/Route>\n\n<Route route_security>\n    path input_security => buffer_memory => output_syslog\n<\/Route>\n\n<Route route_system>\n    path input_system => buffer_memory => output_syslog\n<\/Route>\n<\/code><\/pre><\/div>\n\n\n\n
EventID\u3067\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0\u3059\u308b\u4f8b<\/strong><\/p>\n\n\n\n
define AccountUsage        4740, 4648, 4781, 4733, 1518, 4776, 5376, 5377, \\\n                           4767, 4728, 4732, 4756, 4704, 4672, 4624\n\n\uff5b\u3000\u4e2d\u7565\u3000\uff5d\n\n#### INPUT SECTION ####\n\n<Input eventlog>\n    Module          im_msvistalog\n    <QueryXML>\n        <QueryList>\n            <Query Id='0'>\n                <Select Path='Security'>*<\/Select>\n            <\/Query>\n        <\/QueryList>\n    <\/QueryXML>\n    <Exec>\n        if ($EventID NOT IN (%AccountUsage%)) drop();\n        $Message  = to_json();\n        $Hostname = hostname();\n    <\/Exec>\n<\/Input><\/code><\/pre><\/div>\n\n\n\n
Ubuntug\u5074\u3067514\/TCP\u3092\u53d7\u4fe1\u3057\u3001WindowsPC(192.168.68.52)\u304b\u3089\u53d7\u4fe1\u3057\u305f\u60c5\u5831\u306b\u540d\u524d\uff08win.log)\u3092\u4ed8\u3057\u3066\u4fdd\u5b58\u3059\u308b\u3088\u3046\u306b\u8a2d\u5b9a(rsyslog.conf)<\/p>\n\n\n\n
module(load=”imtcp”)
input(type=”imtcp” port=”514″)<\/p>\n\n\n\n
:fromhost-ip, isequal, “192.168.68.52” \/var\/log\/win.log <\/p>\n\n\n\n
<\/p>\n\n\n\n
python\u3067json\u5f62\u5f0f\u306eWindows EventLog\u3092\u4e00\u6642\u51e6\u7406<\/p>\n\n\n\n
cat \/var\/log\/syslog | grep -a EventTime \u306e\u51fa\u529b\u3092\u3001\u6b21\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u3067\u30c6\u30ad\u30b9\u30c8\u5316<\/p>\n\n\n\n
mport sys\nimport json\nimport traceback\nn=0\nfor line in sys.stdin:\n        n=line.find('{"E')\u3000# \u6587\u5b57\u5217 {"E\u306e\u4f4d\u7f6e\u3092\u5f97\u308b\n        tmp=line[n:]\n        m=tmp.find('#')\u3000# {"E \u304b\u3089 #\u3000\u306e\u90e8\u5206\u6587\u5b57\u5217\u304cEventLog\u306e\u672c\u4f53\n        tmp=tmp[0:m]\n        try:\n                di = json.loads(tmp)\n                n=n+1\n                for k, v in di.items():\n                        print(f'{k}:{v}')\n        except: # \u30a8\u30e9\u30fc\u60c5\u5831\u306e\u8868\u793a\uff08\u30c7\u30d0\u30c3\u30b0\u7528\uff09\n                t = traceback.format_exc()\n                print(t)\n                if tmp!='':\n                        print('-----------------')\n                        print(tmp)\n                        print('-----------------')\n\nprint('Total lines:',n)<\/code><\/pre><\/div>\n\n\n\n
PHP\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u4f8b<\/p>\n\n\n\n
<?php\nwhile($line= fgets(STDIN)){\n\t$p=strpos($line,'{"E');\n\t$tmp=substr($line,$p);\n\t$p=strpos($tmp,'#');\n\t$json=substr($tmp,0,$p);\n\t#echo "$json\\n";\n\t$lines=json_decode($json);\n\tforeach ($lines as $key => $var){\n\t\techo "$key,$var\\n";\n\t}\n}\n?><\/code><\/pre><\/div>\n\n\n\n
\u30a4\u30d9\u30f3\u30c8ID\u3092\u6307\u5b9a<\/strong><\/p>\n\n\n\n
<Input eventlog>\n# Uncomment im_msvistalog for Windows Vista\/2008 and later\nModule im_msvistalog\n    Query <QueryList>\u00a5\n    <Query Id=\u201d0\u2033>\u00a5\n            <Select Path=\u2019Security\u2019>*[System[(EventID=\u20194663\u2032) ]]<\/Select>\u00a5\n            <Select Path=\u2019Security\u2019>*[System[(EventID=\u20194656\u2032) ]]<\/Select>\u00a5 \n            <Select Path=\u2019Security\u2019>*[System[(EventID=\u20194658\u2032) ]]<\/Select>\u00a5\n        <\/Query>\u00a5\n<\/QueryList>\n# Uncomment im_mseventlog for Windows XP\/2000\/2003\n#   Module im_mseventlog\n<\/Input><\/code><\/pre><\/div>\n","protected":false},"excerpt":{"rendered":"
Windows\u306eEventLog\u3092Ubuntu\u30b5\u30fc\u30d0\u30fc\u3078\u8ee2\u9001\u3057\u3066\u3001\u53ef\u8996\u5316\u7b49\u306e\u51e6\u7406\u3092\u884c\u3046\u624b\u9806\u3002 Windows\u3078nxlog\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3001\u74b0\u5883\u306b\u5408\u308f\u305b\u3066nxlog.conf\u3092\u7de8\u96c6\u3059\u308b\u3002 nxlog\u306econfig\u4f8b\uff08jso […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-994","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"featured_image_src":null,"author_info":{"display_name":"mars","author_link":"https:\/\/rfsec.ddns.net\/db\/?author=1"},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=\/wp\/v2\/posts\/994","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=994"}],"version-history":[{"count":7,"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=\/wp\/v2\/posts\/994\/revisions"}],"predecessor-version":[{"id":1006,"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=\/wp\/v2\/posts\/994\/revisions\/1006"}],"wp:attachment":[{"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=994"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=994"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rfsec.ddns.net\/db\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=994"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}