This upgrade does not add new alarms; it extends the log analysis to Windows. The main focus is the Windows security log and the operation (system) log, the two most important log types; other log types can still be stored and queried through the common log collection function.
Windows has no built-in feature for sending its event logs over syslog, so a third-party tool is needed. Here we recommend a very useful lightweight log collection agent, nxlog, which is easy to deploy and configure on Windows.
Note: I tested on Windows Server 2003; in theory 2012 also works, but other environments have not been tested. If you hit a problem, welcome to ask in the group.
1. Install nxlog
Download the latest nxlog from SourceForge and install it.
2. Setting up the configuration file
Edit the configuration file. The default configuration file location is:
C:\Program Files\nxlog\conf\nxlog. Change it to the following, taking care to adjust the actual install path and the address of the syslog destination.
If you want to collect all security events, remove the Query line.
For the Windows 2003 series, change im_msvistalog to im_mseventlog. Make sure the module matches the actual environment.
```
define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input in>
    Module       im_msvistalog
    ReadFromLast TRUE
    # Only process creation (4688), successful logon (4624) and failed logon (4625)
    Query <QueryList>\
            <Query Id="1">\
              <Select Path="Security">*[System[(EventID=4688 or EventID=4624 or EventID=4625)]]</Select>\
            </Query>\
          </QueryList>
    # Send the event as IETF syslog and rename the structured-data id
    # emitted by to_syslog_ietf() so Seci-log recognises the source
    Exec $Message = ""; to_syslog_ietf(); $raw_event = replace($raw_event, 'NXLOG@14506', 'secisland windows eventlog', 1);
</Input>

<Output out>
    Module om_udp
    Host   192.168.21.1
    Port   514
</Output>

<Route 1>
    Path in => out
</Route>
```
3. Restart the nxlog service
4. View Logs
If the configuration is correct, you will see log entries like the following in the security events view of the backend:
```
2015-05-30t23:01:39.971740+08:00 win-ti494oc1rzo.secisland.com microsoft-windows-security-auditing 600-[ Secisland Windows eventlog keywords= " -9214364837600034816" eventtype= "audit_success" eventid= "4624" providerguid= "{ 54849625-5478-4994-a5ba-3e3b0328c30d} "version=" 0 "task=" 12544 "opcodevalue=" 0 "recordnumber=" 71402 "ThreadID=" 2092 "Channel=" Security "category=" Login "opcode=" message "subjectusersid=" s-1-0-0 "subjectusername="-"subjectdomainname="-" Subjectlogonid= "0x0" targetusersid= "s-1-5-18" Ta
```
5. Related Alarms
Password guessing, non-work-time login, non-work-location login, successful password guessing and account guessing alarms, plus other alarms related to these.
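As an added example (not part of the original post or of Seci-log itself), the Python below parses syslog lines in the shape the configuration above produces and raises three of the alarm types listed here over a constructed sample. The hostname, IP addresses, field names such as IpAddress/TargetUserName, the failure threshold and the work-hours window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# key="value" pairs inside the bracketed structured-data block that to_syslog_ietf() emits
SD_PAIR = re.compile(r'(\w+)="([^"]*)"')
# RFC 5424 header: <pri>1 <timestamp> <hostname> ...
HEADER = re.compile(r'^<\d+>1 (\S+) (\S+) ')

def parse_event(line):
    """Return the Windows event fields carried in one syslog line, plus timestamp/host."""
    head = HEADER.match(line)
    body = line[line.find('[') + 1:line.rfind(']')]
    fields = dict(SD_PAIR.findall(body))
    fields['_ts'] = datetime.fromisoformat(head.group(1))
    fields['_host'] = head.group(2)
    return fields

def analyse(lines, fail_threshold=5, work_hours=(8, 19)):
    """Emit (alarm, source, ...) tuples: password guessing, its success, off-hours logon."""
    alarms = []
    failures = defaultdict(int)  # source IP -> number of 4625 events seen
    for ev in map(parse_event, lines):
        src, eid, user = ev.get('IpAddress', '-'), ev.get('EventID'), ev.get('TargetUserName')
        if eid == '4625':                      # failed logon
            failures[src] += 1
            if failures[src] == fail_threshold:
                alarms.append(('password_guessing', src))
        elif eid == '4624':                    # successful logon
            if failures[src] >= fail_threshold:
                alarms.append(('password_guessing_success', src, user))
            if not (work_hours[0] <= ev['_ts'].hour < work_hours[1]):
                alarms.append(('non_work_time_login', src, user))
    return alarms

def _line(ts, eid, user, ip):
    # Constructed sample line in the shape nxlog produces after the replace() in the config
    return (f'<14>1 {ts} win-host Microsoft-Windows-Security-Auditing 600 - '
            f'[secisland windows eventlog EventID="{eid}" TargetUserName="{user}" IpAddress="{ip}"]')

# Constructed batch: five failures then a success from one host late at night, one normal logon
SAMPLE = [_line('2015-05-30T23:01:%02d+08:00' % i, '4625', 'administrator', '192.168.21.50')
          for i in range(5)]
SAMPLE.append(_line('2015-05-30T23:02:10+08:00', '4624', 'administrator', '192.168.21.50'))
SAMPLE.append(_line('2015-05-31T10:15:00+08:00', '4624', 'alice', '192.168.21.77'))

if __name__ == '__main__':
    for alarm in analyse(SAMPLE):
        print(alarm)
```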
This article is from the "Zhulinu blog" blog; please keep this source when reposting: http://zhulinu.blog.51cto.com/539189/1685067
Seci-log 1.04 Log analysis adds Windows log Analytics