Event Logging IPAddress does not always resolve

Question

I am hooking the Security event log with System.Diagnostics.Eventing.Reader.EventLogWatcher class, and I am watching Event ID 4625 on a 2008 server box, for incoming failed logins (RDP, specifically).

The log capturing is working fine, and I am dumping the results into a queue for related, later processing. However, sometimes the logs captured have the IPAddress data field filled (resolved), and sometimes they do not.

I have run windump while watching the server, trying my usual RDP logins from different servers and OS flavors, and the only conclusion I can come to about this is a version difference issue, and not bad coding. Although I could be wrong, LOL.

The problem is in the event logs themselves with regard to these connections. All the failed RDP logins are logged, and are processed correctly, but some of the logs simply do not record the source IP address of the failed connection.

Does some newer flavor of mstsc somehow cause a remote event log to NOT log the source IP address? This seems to be true for any other 2008 server I run against this hooked server. Any 2003 or XP machine that I've tried so far is logged correctly.

If you need more information, let me know. Thanks SO!

Edit

Do I need to do something crazy -- like implement sharpPcap and correlate IPs to eventlogs that way? =/. Can lsass be queried maybe (isn't it the only thing that typically writes to the Security log)?

Accepted answer

I finally got this working. This was happening because there were two authentication methods being used for RDP connections: NTLM and User32. I changed GPO settings to kill the foreign NTLM connections.

These are the GPO settings I set that did the magic. Please note that this is a Server 2008 R2 box.

Required
Computer Configuration\Windows Settings\Security Settings\Security Options

Network security: LAN Manager authentication level -- Send NTLMv2 response only. Refuse LM & NTLM
Network security: Restrict NTLM: Audit Incoming NTLM Traffic -- Enable auditing for all accounts
Network security: Restrict NTLM: Incoming NTLM traffic -- Deny all accounts

Recommended
Do not allow for passwords to be saved -- Enabled
Prompt for credentials on the client computer -- Enabled

I changed some other security-related keys, too, but these should be the core ones. Forcing incoming network traffic away from using NTLM allows every single 4625 event to contain the IP Address of the failed computer, as they are forced to use User32 logon.

Let me know if this seems totally insecure or there might be a better way to do this, but this allows proper counting and logging of failed attempts while retaining a level of encryption for the connection.
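The answer's diagnosis (NTLM-authenticated failures arrive without an IpAddress, User32 logons carry one) can be confirmed from the events themselves before touching any GPO. The following is an added example, not code from the question or answer: it subscribes to Security Event ID 4625 with EventLogWatcher and tallies, per AuthenticationPackageName and LogonType, how many events carried a usable IpAddress versus the "-" placeholder. It assumes it runs on the Windows host being watched with rights to read the Security log; the field names come from the 4625 event's EventData.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Xml.Linq;

// Watches Security Event ID 4625 and records, per authentication package and logon type,
// how many events carried a usable IpAddress and how many carried "-" (missing).
// Reading the Security log requires administrative rights or Event Log Readers membership.
class FailedLogonWatcher
{
    static readonly XNamespace Ns = "http://schemas.microsoft.com/win/2004/08/events/event";
    readonly Dictionary<string, int[]> stats = new Dictionary<string, int[]>(); // [withIp, withoutIp]

    // Pull one EventData field by its Name attribute; positional access is fragile across OS versions.
    static string Field(XElement eventXml, string name)
    {
        foreach (var d in eventXml.Descendants(Ns + "Data"))
            if ((string)d.Attribute("Name") == name) return d.Value;
        return null;
    }

    public void Handle(string xml)
    {
        var root = XDocument.Parse(xml).Root;
        string pkg = Field(root, "AuthenticationPackageName") ?? "?";
        string logonType = Field(root, "LogonType") ?? "?";
        string ip = Field(root, "IpAddress");
        bool hasIp = !string.IsNullOrEmpty(ip) && ip != "-";
        string key = pkg + "/LogonType " + logonType;
        if (!stats.ContainsKey(key)) stats[key] = new int[2];
        stats[key][hasIp ? 0 : 1]++;
        Console.WriteLine($"4625 {key} user={Field(root, "TargetUserName")} ip={(hasIp ? ip : "(missing)")}");
    }

    public void Report()
    {
        foreach (var kv in stats)
            Console.WriteLine($"{kv.Key}: withIp={kv.Value[0]} withoutIp={kv.Value[1]}");
    }

    static void Main()
    {
        var w = new FailedLogonWatcher();
        var query = new EventLogQuery("Security", PathType.LogName, "*[System[EventID=4625]]");
        using (var watcher = new EventLogWatcher(query))
        {
            watcher.EventRecordWritten += (s, e) => { if (e.EventRecord != null) w.Handle(e.EventRecord.ToXml()); };
            watcher.Enabled = true;
            Console.WriteLine("Watching Security log for 4625; press Enter to stop.");
            Console.ReadLine();
        }
        w.Report();
    }
}
```

If the "withoutIp" count clusters under the NTLM package while User32/Negotiate entries all carry an address, the answer's GPO change is the right fix; if addresses are missing across all packages, the cause lies elsewhere.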
