
Awesome! Tracking account data for 100,000-user environments with 99% accuracy: an introduction to Windows event log collection and forwarding

The operations world constantly has to sift the trails of information it needs out of huge volumes of data and analyse them. In an enterprise environment, tracing user-behaviour data in particular is technically hard, and achieving over 99% accuracy on a shared platform is harder still. Imagine an environment with 100,000 users, where every account lockout must be notified automatically within one minute, together with an accurate hint about where the lockout came from. How would you design that?

Commercial and open-source solutions exist, but none of them is complete; administrators have to do their own custom development and extensions. After trialling a Kafka + Logstash + ElasticSearch + Kibana stack for a while, we found that data loss on the open-source platform was quite noticeable: for fine-grained, user-level data analysis, accuracy reached about 97% and was very hard to push any further. To raise accuracy above 99%, and so guarantee availability and user experience, we refined the solution further. WEC, the Windows Eventlog Collector, is one part of that refinement; it fills in the filtering and collection of special information such as user authentication and logon events. This post introduces WEC and its configuration.

Goal: collect the user authentication/logon log information from all domain controllers and consolidate it in a database; use this information as a cross-check when reviewing account lockout data. The collection mechanism is WEC.

Reason: user authentication/logon against Windows Active Directory can leave detailed records through the advanced audit policies <Account Logon, Logon/Logoff>. These records help analyse account activity and lockouts.

Result: by cross-checking against the WEC logs, we raised the accuracy of the information from 97% to over 99%.

Configuration steps

Note: we skip configuring the domain policy that enables advanced auditing <Account Logon, Logon/Logoff>. After it is configured, refresh the domain controllers' policy and run gpresult.exe /H report.html to confirm the policy has taken effect.

Overview: WEC, or WEF <Windows Eventlog Forwarding>, is a service built into Windows 2012 R2 and later (older versions are not covered here) that lets events from many Windows servers be aggregated on a collector server. The service has two roles: the Collector, which receives logs, and the Forwarder, which sends them. The two are connected by a log subscription: through subscriptions the Collector defines which logs it collects from which servers.

Configuration steps:

1. First designate one server for the Collector role; this server receives the log information from all other servers. On the Collector, enable WinRM and the Windows Event Collector service:

Winrm qc

Clicking Subscriptions (in Event Viewer) and confirming the prompt starts the Windows Event Collector service; alternatively, start the Windows Event Collector service from the Services.msc management console.

2. Create a GPO for the Forwarders so that they know where to forward their logs. If we only need the Security log from the domain controllers, we can create a new GPO for the domain controllers and define the event forwarding configuration in it:

Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding\Configure target subscription manager

The format is, for example: Server=http://<FQDN of the collector>:5985/wsman/SubscriptionManager/WEC,Refresh=60

3. Grant the Forwarder's Network Service account read permission on the Security log <by default only Administrators have permission on the Security log>: configure the following two settings in the same GPO:

Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security\Configure Log Access

Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security\Configure Log Access(legacy)

Set both to O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)

((A;;0x1;;;NS) means Allow Read Access for Network Service; (A;;0x1;;;S-1-5-32-573) is Read Access for the Event Log Readers group.)

For the meaning of the encoding, refer to:

O:BA Object owner is Built-in Admin (BA).

G:SY Primary group is System (SY).

D: This is a DACL, rather than an audit entry or SACL.

(D;;0xf0007;;;AN) Deny Anonymous (AN) all access.

(D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.

(A;;0xf0005;;;SY) Allow System Read and Clear, including DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).

(A;;0x7;;;BA) Allow Built-in Admin READ, WRITE and CLEAR.

(A;;0x7;;;SO) Allow Server Operators READ, WRITE and CLEAR.

(A;;0x3;;;IU) Allow Interactive Users READ and WRITE.

(A;;0x3;;;SU) Allow Service accounts READ and WRITE.

(A;;0x3;;;S-1-5-3) Allow Batch accounts (S-1-5-3) READ and WRITE.

The specific event log access mask bits are:

0x0001 ELF_LOGFILE_READ Permission to read log files.

0x0002 ELF_LOGFILE_WRITE Permission to write log files.
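As an added example (not code from the original post), the following PowerShell decodes a channel-access SDDL such as the one set in step 3 into its ACEs and checks that both forwarder principals are allowed read access. The mask table uses the READ/WRITE bits listed above plus the CLEAR bit (0x4) implied by the 0x5 and 0x7 masks and the standard rights carried in 0xf0000; the embedded SDDL is the value from this post, so the script runs offline.

```powershell
# Added example, not part of the original post: parse an event-log channel SDDL into
# its ACEs and confirm that the two forwarder principals from step 3, NETWORK SERVICE
# (NS) and Event Log Readers (S-1-5-32-573), are allowed ELF_LOGFILE_READ.
# $Sddl is the value from the post, embedded so the script runs offline; on a forwarder
# substitute the live value from: wevtutil gl Security   (the "channelAccess:" line).
$Sddl = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)'

# Event-log specific bits (ELF_LOGFILE_*) plus the standard rights carried in 0xf0000
$RightBits = @(
    @{ Bit = 0x00001; Name = 'READ' }          # ELF_LOGFILE_READ
    @{ Bit = 0x00002; Name = 'WRITE' }         # ELF_LOGFILE_WRITE
    @{ Bit = 0x00004; Name = 'CLEAR' }         # ELF_LOGFILE_CLEAR
    @{ Bit = 0x10000; Name = 'DELETE' }
    @{ Bit = 0x20000; Name = 'READ_CONTROL' }
    @{ Bit = 0x40000; Name = 'WRITE_DAC' }
    @{ Bit = 0x80000; Name = 'WRITE_OWNER' }
)
# Two-letter SDDL aliases that appear in the reference table above
$Aliases = @{ SY = 'System'; BA = 'Builtin Admins'; NS = 'Network Service'; AN = 'Anonymous'
              BG = 'Builtin Guests'; SO = 'Server Operators'; IU = 'Interactive'; SU = 'Service' }

function ConvertFrom-LogSddl([string]$Sddl) {
    # An ACE is (Type;Flags;Rights;ObjectGuid;InheritGuid;Trustee); the event-log GPO
    # values use hex masks, so only the 0x... form of the rights field is decoded here
    foreach ($m in [regex]::Matches($Sddl, '\((\w);([^;]*);([^;]*);([^;]*);([^;]*);([^)]+)\)')) {
        $rights  = $m.Groups[3].Value
        $mask    = if ($rights -like '0x*') { [Convert]::ToInt64($rights.Substring(2), 16) } else { 0 }
        $trustee = $m.Groups[6].Value
        [pscustomobject]@{
            Type    = if ($m.Groups[1].Value -eq 'A') { 'Allow' } else { 'Deny' }
            Trustee = $trustee
            Name    = if ($Aliases.ContainsKey($trustee)) { $Aliases[$trustee] } else { $trustee }
            Mask    = '0x{0:x}' -f $mask
            Rights  = ($RightBits | Where-Object { $mask -band $_.Bit } | ForEach-Object { $_.Name }) -join ','
        }
    }
}

$aces = ConvertFrom-LogSddl $Sddl
$aces | Format-Table Type, Trustee, Name, Mask, Rights -AutoSize

# The condition step 3 is meant to establish: an Allow ACE carrying READ for each principal.
# A Deny ACE for the same trustee would still win, so its presence is reported as well.
foreach ($sid in 'NS', 'S-1-5-32-573') {
    $allow = $aces | Where-Object { $_.Type -eq 'Allow' -and $_.Trustee -eq $sid -and ($_.Rights -split ',') -contains 'READ' }
    $deny  = $aces | Where-Object { $_.Type -eq 'Deny'  -and $_.Trustee -eq $sid }
    '{0,-14} allow READ: {1,-5} deny present: {2}' -f $sid, [bool]$allow, [bool]$deny
}
```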

4. Configure the subscription on the Collector. In theory the Forwarders now know where to forward to; we use a subscription to define which servers forward which logs:

Create a subscription:

Subscription name: used to tell subscriptions apart

Destination log: which log on the collector the forwarded events are stored in

Subscription type and source computers: here we choose "Source computer initiated", and we configured the Domain Controllers computer group so that all domain controllers forward automatically and dynamically;

Events to collect: define the events you need; the settings are fine-grained, for example event log type, event IDs such as 4625 and 4740, event keywords, and so on;

Advanced settings: configure event delivery optimisation and the protocol/port; the default is HTTP on port 5985;

5. Make sure the URLACL on the Collector server is correct: if the WinRM service is not listening on 5985/5986, event forwarding will fail. The typical symptom is Event ID 105 being generated on the Forwarder:

Event ID 105 with error 2150859027 with full message "The forwarder is having a problem communicating with subscription manager at address http://COLLECTOR:5985/wsman/SubscriptionManager/WEC. Error code is 2150859027 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859027" Machine="FORWARDER"><f:Message>The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol.</f:Message></f:WSManFault>"

Run the following commands on the Collector:

netsh http show urlacl

netsh http delete urlacl url=http://+:5985/wsman/

netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)

6. Verify that log forwarding is actually happening

a. On the Forwarders, check Event Viewer \ Applications and Services Logs \ Microsoft \ Windows \ Eventlog-ForwardingPlugin; an Event ID 100 there indicates that the connection and synchronisation with the Collector succeeded;

b. On the Collector, open the destination log and confirm that events have been forwarded. At this point the configuration is complete.

From here on your Collector holds all the logs you need; what remains is to consume them and use them in your business logic, for example events 4625 / 4771 to cross-check user logon authentication information.
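One way to consume the forwarded events for the lockout-source use case described at the start of this post, as an added example that is not code from the original post: on the Collector, locate the 4740 lockout for an account and list the failed authentications (4771 / 4625) the domain controllers forwarded in the minutes before it. It assumes the subscription's destination log is ForwardedEvents and that it runs with read access to that log.

```powershell
# Added example, not part of the original post: on the Collector, resolve where an
# account lockout came from using the forwarded DC Security events (4740 = lockout,
# 4771 = Kerberos pre-authentication failure, 4625 = logon failure).
# Assumes the subscription's destination log is ForwardedEvents (change $LogName if
# step 4 used a different target) and that it is run with read access to that log.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$User,        # sAMAccountName that was locked out
        [string]$LogName = 'ForwardedEvents',
        [int]$LookbackMinutes = 10                  # window of failures to examine before the lockout
    )
    # Flatten one event's <EventData> into a Name -> value hashtable
    function Get-EventData($Event) {
        $x = [xml]$Event.ToXml(); $h = @{}
        foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        return $h
    }
    # 4740 carries the locked account in TargetUserName and the caller computer in TargetDomainName
    $lockouts = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4740 } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventData $_).TargetUserName -eq $User }

    foreach ($lo in $lockouts) {
        $d = Get-EventData $lo
        $window = @{ LogName = $LogName; Id = 4771, 4625
                     StartTime = $lo.TimeCreated.AddMinutes(-$LookbackMinutes); EndTime = $lo.TimeCreated }
        # Failed authentications for the same account in the minutes before the lockout,
        # with the client address (4771: IpAddress; 4625: IpAddress plus WorkstationName)
        $fails = Get-WinEvent -FilterHashtable $window -ErrorAction SilentlyContinue | ForEach-Object {
            $f = Get-EventData $_
            if ($f.TargetUserName -eq $User) {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Id     = $_.Id
                    DC     = $_.MachineName                     # forwarder (DC) that logged the failure
                    Client = if ($_.Id -eq 4771) { $f.IpAddress } else { "$($f.IpAddress) ($($f.WorkstationName))" }
                    Code   = if ($_.Id -eq 4771) { $f.Status } else { $f.SubStatus }   # 0x18 / 0xC000006A = bad password
                }
            }
        }
        [pscustomobject]@{
            LockedAt       = $lo.TimeCreated
            Account        = $d.TargetUserName
            CallerComputer = $d.TargetDomainName
            ReportingDC    = $lo.MachineName
            FailedAuths    = @($fails)
        }
    }
}

# Usage: Get-LockoutSource -User 'jdoe' | Format-List
```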

Useful links: the following articles were a great help while I was configuring and troubleshooting WEC/WEF, and I share them here:

Eventlog-ForwardingPlugin Event ID 102 Error 5004 - subscription can not be created

https://support.logbinder.com/SuperchargerKB/50225/EventlogForwardingPlugin-Event-ID-102-Error-5004-subscription-can-not-be-created

Events are not forwarded if the collector is running Windows Server

https://docs.microsoft.com/en-us/troubleshoot/windows-server/admin-development/events-not-forwarded-by-windows-server-collector

3. Troubleshooting a Problem Forwarder

https://support.logbinder.com/SuperchargerKB/50119/3-Troubleshooting-a-Problem-Forwarder

4. Granting Permissions for Security Log Forwarding

https://support.logbinder.com/SuperchargerKB/50120/4-Granting-Permissions-for-Security-Log-Forwarding

All subscriptions have 0 active forwarders; System Event IDs 10128, 10129

https://support.logbinder.com/SuperchargerKB/50145/All-subscriptions-have-0-active-forwarders-System-Event-IDs-10128-10129

WEC won't forward events to self if WinRM GPO doesn't include IPv6 filter

https://github.com/palantir/windows-event-forwarding/issues/37

Questions and discussion are welcome at any time.