1. Configure WEF

  • We have a SCOM 2012 server.

  • We have SNARE agents to ensure PCI compliance, but now we want to save money by collecting all events from all Windows servers using its native functionality

  • We also have a centralized Linux server running SYSLOG that aggregates logs to our log retention appliance (this is all for PCI purposes)

So my question is:

Can Windows servers (SCOM 2012) forward event logs to a Linux syslog server? I assume this would be done by following a standard flat-file format or similar.

Thanks

Answer 1

You need to use a syslog agent, since Windows does not provide one.

...the Windows operating system does not include a syslog agent capable of sending syslog data to a syslog server. Without a syslog agent, not only can the Windows operating system not send syslog messages to a syslog server, but neither can any application running on the Windows operating system (such as a web server or a database).

Source

The source page and a Google search for "Windows Syslog Agent" turn up many different syslog agents you can try.

Answer 2

You could try NXLog on the Linux server to receive native WEF events from Windows and forward them to the syslog server, since NXLog has a Community Edition. I currently don't have the resources to try this. If NXLog is smart enough to convert WEF to text before forwarding to syslog it might work; otherwise it may spew binary noise into syslog. If it works, please report back:

1. Configure WEF

https://adamtheautomator.com/windows-event-collector/ :

  • Create a GPO through the Group Policy Management Console. Inside the GPO, navigate to Computer Configuration → Policies → Administrative Templates → Windows Components → Event Forwarding → Configure target Subscription Manager.
  • Set the value of the target Subscription Manager to the WinRM endpoint on the collector. You set the server in the following format:
    • Server=http://hostname:5985/wsman/SubscriptionManager/WEC,Refresh=60

2. Configure NXLog:

(The WEF-to-NXLog configuration is taken from here, but see the configuration at the bottom of this SE answer for the actual forwarding)

Create and map an Active Directory domain user

In order for the WEC server on the Linux machine to use Kerberos authentication, a corresponding user must be created in Active Directory and mapped to the Kerberos principal names.

On the domain controller, create a new user with its logon name matching the hostname of the WEC server.

    Go to Administrative Tools > Active Directory Users and Computers > example.com > Users.

    Right click and choose New > User.

        First name: linux-wec

        Full name: linux-wec

        User logon name: linux-wec

        Set a password for the user.

        Uncheck User must change password at next logon.

        Check Password never expires.

    Right click on the new user, click Properties, and open the Account tab.

        Check This account supports Kerberos AES 128 bit encryption.

        Check This account supports Kerberos AES 256 bit encryption.

On the DNS server, create an A record for linux-wec.example.com.

    Go to Administrative Tools > DNS > Forward Lookup Zones > example.com.

    Right click and choose New Host (A or AAAA)….

    Add a record with name linux-wec and IP address 192.168.0.3.

    Check the Create associated pointer (PTR) record option.

Back on the domain controller, open a command prompt and execute these commands. Use the same <password> that was specified when the above user was created. These commands map the domain account to the Kerberos principal names and generate two keytab files containing the shared secret.

> ktpass /princ hosts/linux-wec.example.com@EXAMPLE.COM /pass <password> /mapuser EXAMPLE\linux-wec -pType KRB5_NT_PRINCIPAL /out hosts-nxlog.keytab /crypto AES256-SHA1

> ktpass /princ http/linux-wec.example.com@EXAMPLE.COM /pass <password> /mapuser EXAMPLE\linux-wec -pType KRB5_NT_PRINCIPAL /out http-nxlog.keytab /crypto AES256-SHA1

Copy the resulting hosts-nxlog.keytab and http-nxlog.keytab files to the WEC server.

Configure Kerberos on the WEC server

Now that the Active Directory user has been created and mapped to the principal names, the WEC server can be configured for Kerberos authentication.

Confirm that the Kerberos krb5 client and utility software are installed on the WEC server. The required package can be installed with yum install krb5-workstation or apt install krb5-user.

Edit the default Kerberos configuration file, usually located at /etc/krb5.conf.

    In section [domain_realm] add:

    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

    In section [realms] add:

    EXAMPLE.COM = {
     kdc = example.com
     admin_server = example.com
    }

Use ktutil to merge the two keytab files generated above.

# ktutil
ktutil:  rkt /root/hosts-nxlog.keytab
ktutil:  rkt /root/http-nxlog.keytab
ktutil:  wkt /root/nxlog-result.keytab
ktutil:  q

Validate the merged keytab.

# klist -e -k -t /root/nxlog-result.keytab
Keytab name: FILE:/root/nxlog-result.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 17.01.2021 04:20:08 hosts/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 17.01.2021 04:20:08 http/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)

Either copy the keytab into place, or merge it if there are already keys in /etc/krb5.keytab.

    To copy the keytab:

    # cp /root/nxlog-result.keytab /etc/krb5.keytab

    To merge the keytab and validate the result:

    # ktutil
    ktutil:  rkt /etc/krb5.keytab
    ktutil:  rkt /root/nxlog-result.keytab
    ktutil:  wkt /etc/krb5.keytab
    ktutil:  q

    # klist -e -k -t /etc/krb5.keytab
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       <other entries>
       5 17.01.2021 04:20:08 hosts/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
       4 17.01.2021 04:20:08 http/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)

Verify that the user account used by the NXLog service has sufficient privileges to open and read the /etc/krb5.keytab file. If not, Kerberos authentication will fail.

Test that the authentication with Active Directory is working successfully when using the keytab. Run the following command on the Linux WEC server. If the configuration is correct a ticket-granting ticket (TGT) will be created and cached. This command should be invoked with the same user that the NXLog service runs as. By default, it uses the nxlog user account.

# kinit -kt /etc/krb5.keytab http/linux-wec.example.com@EXAMPLE.COM

Verify the ticket was obtained by running klist as the same user from the previous step:

# klist
Ticket cache: KCM:0
Default principal: http/linux-wec.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
28/01/21 11:41:44  28/01/21 21:41:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/02/21 11:41:44

3. Use this NXLog configuration to proxy Windows events to syslog:

# Receive from native WEF:
<Input windows_events>
    Module              im_wseventing
    # Address must match the Subscription Manager URL pushed by the GPO in
    # step 1 (scheme, host and port); the HTTPS* directives below are only
    # used when the Address scheme is https://.
    Address             https://linux-wec.example.com:5985/wsman
    ListenAddr          0.0.0.0
    Port                5985
    HTTPSCertFile       /path/to/server-cert.pem
    HTTPSCertKeyFile    /path/to/server-key.pem
    HTTPSCAFile         /path/to/ca-cert.pem
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
            </Query>
        </QueryList>
    </QueryXML>

    # Log connections for testing and troubleshooting
    LogConnections      TRUE
</Input>

# Send it to a syslog server. om_udp sends $raw_event as-is; to emit proper
# syslog lines, load xm_syslog and add an Exec to_syslog_bsd(); here.
<Output udp>
    Module  om_udp
    Host    192.168.1.1:514
</Output>

# (or using the syntax prior to NXLog EE 5,
# where the port is defined in a separate directive.)
#<Output udp>
#    Module  om_udp
#    Host    192.168.1.1
#    Port    514
#</Output>

# Route WEF to UDP. Path refers to the instance names defined above
# (windows_events, udp), not to module names.
<Route wef_to_udp>
    Path    windows_events => udp
</Route>
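A pre-flight check for the keytab validation and kinit steps in Answer 2, added here as an example and not part of the original answer or the NXLog documentation; WEC_HOST, REALM, the nxlog service account and the embedded klist sample are assumptions taken from the answer's example values.

```shell
#!/bin/sh
# Added example (not from the original answer): parse a `klist -e -k -t` listing and
# confirm both service principals the WEF collector needs are present with AES256.
# Host, realm and the nxlog account below are assumptions matching the answer's values.

WEC_HOST="linux-wec.example.com"
REALM="EXAMPLE.COM"
ENCTYPE="aes256-cts-hmac-sha1-96"

# Constructed sample listing, shaped like the klist output shown in the answer.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 17.01.2021 04:20:08 hosts/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 17.01.2021 04:20:08 http/linux-wec.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# keytab_has_entry LISTING PRINCIPAL ENCTYPE: succeeds if an entry line matches exactly.
keytab_has_entry() {
    printf '%s\n' "$1" | grep -qF -e " $2 ($3)"
}

# check_keytab LISTING: reports each required principal; returns 1 if any is missing.
check_keytab() {
    rc=0
    for svc in hosts http; do
        princ="$svc/$WEC_HOST@$REALM"
        if keytab_has_entry "$1" "$princ" "$ENCTYPE"; then
            echo "ok:      $princ ($ENCTYPE)"
        else
            echo "MISSING: $princ ($ENCTYPE)"
            rc=1
        fi
    done
    return $rc
}

# live_keytab_check USER FILE: the real run, performed as the account NXLog runs
# under, which is the account that actually has to read the keytab (needs root).
live_keytab_check() {
    su -s /bin/sh "$1" -c "test -r '$2'" || { echo "$2 is not readable by $1"; return 1; }
    check_keytab "$(klist -e -k -t "$2")" || return 1
    su -s /bin/sh "$1" -c "kinit -kt '$2' 'http/$WEC_HOST@$REALM' && klist"
}

if [ "${1:-}" = "--live" ]; then
    live_keytab_check nxlog /etc/krb5.keytab
else
    check_keytab "$SAMPLE_LISTING"
fi
```

Run it with no arguments to exercise the embedded sample, or with --live on the WEC server to check the real /etc/krb5.keytab as the nxlog user.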
