I have currently added syslog to my cacti 1.0.3 installation. Debian box running syslog-ng, is up and running collecting those alerts from various devices, along with mail functionality. Where I need assistance, is creating the filter for the logon (event id 4624) / logoff (event id 4634) alerts from my windows servers, to generate an email for that specific event.
Below is a sample of a logon captured by the server.
Being that with Windows, sometimes the machine itself would generate a login event such as the below:
Feb 24 08:28:09 2017 4624 Microsoft-Windows-Security-Auditing N/A Audit Success my.host.com 12544 An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: LAB01$
Account Domain: VIRTUAL
Logon ID: 0x3e7
Logon Type: 10
New Logon:
Security ID: S-1-5-21-2126451634-153754298-638672422-34288
Account Name: labrat
Account Domain: VIRTUAL
Logon ID: 0x8cc967
Logon GUID: {4BBEA43E-22B6-4197-F40D-A6440017E70E}
Process Information:
Process ID: 0xbfc
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: LAB01
Source Network Address: 192.168.0.13
Source Port: 54607
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
Can anyone define what an ideal way to generate the filter would be? I'm not 100% on how to leverage the 'string match type' option to filter specific portions of the message, so if anyone has any ideas or things I can try, I would be grateful. One variance I did notice in the messages that may help is if the filter could look for the following attributes:
Feb 24 06:34:48 2017 4624 Microsoft-Windows-Security-Auditing N/A Audit Success my.host.com 12544 An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: S-1-5-18
Account Name: LAB01$
Account Domain: VIRTUAL
Logon ID: 0x85dc02
Logon GUID: {C50E8D39-BBEF-AA44-92CA-6CA3A858CDDC}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or
event id (4624)
logon type (10)
process name (winlogon.exe)
All help is appreciated.
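One way to express the filter this post is asking for, as an added example that is not from the post or from Cacti's syslog plugin: a Python check that applies the three attributes listed above (event id 4624, logon type 10, winlogon.exe) to the message body and also skips machine-account logons (account names ending in $), so the second sample above does not generate an email. The samples are condensed from the two messages in the post; that the whole event reaches the filter as one string with the header on its first line is an assumption.

```python
import re
# Constructed samples, condensed to the relevant lines of the two messages in the post:
# the user labrat logging on via winlogon.exe (Logon Type 10) and the machine account
# LAB01$ logging itself on over Kerberos (the case that must not trigger an email).
USER_LOGON = """Feb 24 08:28:09 2017 4624 Microsoft-Windows-Security-Auditing N/A Audit Success my.host.com 12544 An account was successfully logged on.
Subject:
Account Name: LAB01$
Logon Type: 10
New Logon:
Account Name: labrat
Account Domain: VIRTUAL
Process Name: C:\\Windows\\System32\\winlogon.exe
Source Network Address: 192.168.0.13"""
MACHINE_LOGON = """Feb 24 06:34:48 2017 4624 Microsoft-Windows-Security-Auditing N/A Audit Success my.host.com 12544 An account was successfully logged on.
Subject:
Account Name: -
Logon Type: 3
New Logon:
Account Name: LAB01$
Account Domain: VIRTUAL
Process Name: -
Source Network Address: ::1"""
# Assumption: syslog-ng hands the whole event to the filter as one string whose first
# line starts with the timestamp and event id, exactly as pasted in the post.
HEADER = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} (\d+) ")

def field(msg, label, occurrence=0):
    """Return the Nth 'Label: value' in the message, '' if absent. The 'New Logon:'
    block repeats the Subject labels, so the logged-on user is occurrence 1."""
    hits = re.findall(r"^%s:[ \t]*(\S*)" % re.escape(label), msg, re.M)
    return hits[occurrence] if len(hits) > occurrence else ""

def parse_event(msg):
    head = HEADER.match(msg)
    return {
        "event_id": head.group(1) if head else "",
        "logon_type": field(msg, "Logon Type"),
        "account": field(msg, "Account Name", 1),   # the New Logon account
        "process": field(msg, "Process Name"),
        "source": field(msg, "Source Network Address"),
    }

def is_user_logon(msg):
    """True for the logons the post wants an email for: event 4624, Logon Type 10
    through winlogon.exe, and a human account rather than a machine account (ends in $)."""
    ev = parse_event(msg)
    return (ev["event_id"] == "4624" and ev["logon_type"] == "10"
            and ev["process"].lower().endswith("winlogon.exe")
            and not ev["account"].endswith("$"))
```

Running `is_user_logon` over each incoming 4624 message gives the decision to mail; `parse_event` supplies the account and source address for the mail body.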