Why do Windows security logs use different formats on seemingly identical machines?

I have a group of similar computers (Win 7) that I am writing some event monitoring rules for, but I have noticed something odd about what is being received.

One machine in the group returns a very detailed log message:

<13>Mar 24 13:42:21 MACHINE123 AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=7.1.4.698761    Source=Microsoft-Windows-Security-Auditing    Computer=MACHINE123.SOMECORP.Local    User=    Domain=    EventID=4648    EventIDCode=4648    EventType=8    EventCategory=12544    RecordNumber=487779    TimeGenerated=1427218938    TimeWritten=1427218938    Level=0    Keywords=0    Task=0    Opcode=0    Message=A logon was attempted using explicit credentials.  Subject:  Security ID:  SOMECORP\UserA  Account Name:  usera  Account Domain:  SOMECORP  Logon ID:  0x1234567  Logon GUID:  {AAAAAAAA-FFFF-E6AB-3B67-FE7473A02CE9}  Account Whose Credentials Were Used:  Account Name:  [email protected]  Account Domain:  SOMECORP  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Target Server:  Target Server Name: EXCHANGE.SOMECORP.Local  Additional Information: EXCHANGE.SOMECORP.Local  Process Information:  Process ID:  0xa04  Process Name:  C:\Program Files\Microsoft Office 15\root\office15\outlook.exe  Network Information:  Network Address: -  Port:   -  This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

The others, however, send a shortened version of the same event:

<13>Mar 24 14:33:32 MACHINE456 AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=7.1.4.698761    Source=Microsoft-Windows-Security-Auditing    Computer=MACHINE456.SOMECORP.Local    User=    Domain=    EventID=4648    EventIDCode=4648    EventType=8    EventCategory=12544    RecordNumber=505638    TimeGenerated=1427222009    TimeWritten=1427222009    Level=0    Keywords=0    Task=0    Opcode=0    Message=SOMECORP\UserB USERB SOMECORP 0x7654321 {BBBBBBBB-EEEE-3CB9-D00A-A56E3F838596} [email protected] SOMECORP {00000000-0000-0000-0000-000000000000} EXCHANGE.SOMECORP.Local EXCHANGE.SOMECORP.Local 0x1230 C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE - -

The problem I am running into is that my event processor cannot parse the latter message, because it contains no field descriptors. I don't want to spend a lot of time building a custom implementation of a parser for something that should work out of the box.

Why does the same event produce two very different log messages on different computers? Are there configuration or policy options I should look at to find out how to set them to the same format?