Collect Microsoft Windows AD data
This document contains the following information:
- The deployment architecture and installation steps, plus any configuration required to generate the logs that the Chronicle parser for Microsoft Windows Active Directory events supports. For an overview of Chronicle data ingestion, see Data ingestion to Chronicle.
- Information about how the parser maps fields in the raw log to Chronicle Unified Data Model fields.
The information in this document applies to the parser with the WINDOWS_AD ingestion label. The ingestion label identifies which parser normalizes raw log data into the structured UDM format.
Before you begin
Review the recommended deployment architecture
The following diagram illustrates the recommended base components in a deployment architecture for collecting Microsoft Windows events and sending them to Chronicle. Compare this information with your environment to make sure these components are installed. Every customer deployment differs from this representation and may be more complex. The following requirements must be met:
- All systems in the deployment architecture are configured with the Coordinated Universal Time (UTC) time zone.
- A PowerShell script is created and configured on each Microsoft Windows AD server to collect USER_CONTEXT and ASSET_CONTEXT data.
- NXLog is installed on each Microsoft Windows AD server to send the data to a central Microsoft Windows or Linux server.
- The Chronicle forwarder is installed on the central Microsoft Windows or Linux server to forward the log data to Chronicle.
Review supported devices and versions
The Chronicle parser supports logs from the following Microsoft Windows Server versions. Microsoft Windows Server is released in the following editions: Foundation, Essentials, Standard, and Datacenter. The schema of the log events generated by each edition does not differ.
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012
The Chronicle parser supports logs collected by NXLog Community or Enterprise Edition.
Review supported log types
The Chronicle parser parses and normalizes the data retrieved from the user context and the asset context. It supports logs generated in English text; logs generated in a non-English language are not supported.
Configure Microsoft Windows AD servers
Steps to configure the Microsoft Windows AD servers in the deployment architecture:
- Configure all systems with the Coordinated Universal Time (UTC) time zone.
- On each Microsoft Windows Active Directory server, create and configure a PowerShell script that collects the log data into an output file. NXLog reads the output file and sends the data to the central Microsoft Windows or Linux server.
Create the PowerShell script. See the following example. Change the value of $OUTPUT_FILENAME to the location where the output file should be written; NXLog reads this file. The data must be stored in JSON format. Set the encoding to utf8. When calling the Get-ADUser and Get-ADComputer cmdlets, use the -Filter parameter, not the -LDAPFilter parameter.

```powershell
# Load the Active Directory module explicitly (installed with the AD DS role or RSAT)
Import-Module ActiveDirectory

# Set the location where the log file will be written
$OUTPUT_FILENAME = "<Path_of_the_output_file>"

# Remove any previous output so that each run writes a fresh file
If (Test-Path -Path $OUTPUT_FILENAME) {
    Remove-Item -Path $OUTPUT_FILENAME -ErrorAction SilentlyContinue
}

# USER_CONTEXT: Gets all Active Directory users and their properties,
# written as one compact JSON object per line.
Get-ADUser -Filter * -Properties samAccountName | ForEach-Object {
    Get-ADUser $_.SamAccountName -Properties * |
        ConvertTo-Json -Compress |
        Out-File -Encoding utf8 $OUTPUT_FILENAME -Append
}

# ASSET_CONTEXT: Gets all Active Directory assets (computers) and their properties.
Get-ADComputer -Filter * -Properties samAccountName | ForEach-Object {
    Get-ADComputer $_.SamAccountName -Properties * |
        ConvertTo-Json -Compress |
        Out-File -Encoding utf8 $OUTPUT_FILENAME -Append
}
```
Create a periodic task that runs the script to extract the data and write it to the output file.
- Open the Task Scheduler application.
- Click Create Task in the right-hand panel.
- Enter a name and description for the task.
- Select the Run with highest privileges checkbox to make sure all data is retrieved.
- In the Triggers tab, define when you want the task to repeat.
- In the Action tab, add a new action and provide the path to the file where the script is stored.
Install the NXLog agent on each Microsoft Windows Active Directory server. This application forwards the logs to the central Microsoft Windows or Linux server. Follow the NXLog documentation.
Create a configuration file for each NXLog instance. Use the NXLog im_file module to read the content from the file and parse the lines into fields. Use the om_tcp module to forward the data to the central Microsoft Windows or Linux server.
The following is an example NXLog configuration. Replace the <hostname> and <port> values with the information for the target central Microsoft Windows or Linux server. In the <Input in_adcontext> section, set the File attribute to the path of the output log file written by the PowerShell script. Always set DirCheckInterval and PollInterval; if they are not defined, NXLog polls the file every 1 second.

```
define ROOT C:\Program Files\nxlog
define ADCONTEXT_OUTPUT_DESTINATION_ADDRESS <hostname>
define ADCONTEXT_OUTPUT_DESTINATION_PORT <port>

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Input in_adcontext>
    Module im_file
    File "<Path_of_the_output_file>"
    DirCheckInterval 3600
    PollInterval 3600
</Input>

<Output out_chronicle_adcontext>
    Module om_tcp
    Host %ADCONTEXT_OUTPUT_DESTINATION_ADDRESS%
    Port %ADCONTEXT_OUTPUT_DESTINATION_PORT%
</Output>

<Route ad_context_to_chronicle>
    Path in_adcontext => out_chronicle_adcontext
</Route>
```
Start the NXLog service on each system.
Configure the central Microsoft Windows or Linux server
For information about installing and configuring the forwarder, see Install and configure the forwarder on Linux or Install and configure the forwarder on Microsoft Windows.
- Configure the system with the Coordinated Universal Time (UTC) time zone.
- Install the Chronicle forwarder on the central Microsoft Windows or Linux server.
Configure the Chronicle forwarder to send the logs to Chronicle. The following is an example forwarder configuration.

```yaml
- syslog:
    common:
      enabled: true
      data_type: WINDOWS_AD
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:10518
    connection_timeout_sec: 60
```
Field mapping reference: device log fields to UDM fields
This section describes how the parser maps raw log fields to Unified Data Model fields.
User context logs
NXLog field | UDM field
---|---
GivenName | entity.entity.user.first_name
Surname | entity.entity.user.last_name
SamAccountName | entity.entity.user.userid
SID.Value | entity.entity.user.windows_sid
ObjectClass | If the value is user, entity.metadata.entity_type is set to USER
ObjectGuid, objectGUID, ObjectGUID | If the ObjectGuid log field value is not empty, the ObjectGuid log field is mapped to the entity.entity.user.product_object_id UDM field. Else, if the objectGUID log field value is not empty, the objectGUID log field is mapped to the entity.entity.user.product_object_id UDM field. Else, if the ObjectGUID log field value is not empty, the ObjectGUID log field is mapped to the entity.entity.user.product_object_id UDM field.
AccountExpirationDate | entity.entity.user.account_expiration_time
badPwdCount | entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value
CanonicalName | entity.entity.administrative_domain
City | entity.entity.user.personal_address.city
Company | entity.entity.user.company_name
Country | entity.entity.user.personal_address.country_or_region
Department | entity.entity.user.department
Description | entity.metadata.description
DisplayName | entity.entity.user.user_display_name
EmailAddress | entity.entity.user.email_addresses
EmployeeID | entity.entity.user.employee_id
HomeDirectory | entity.entity.file.full_path
HomePage | entity.entity.url
HomePhone | entity.entity.user.phone_numbers
LastBadPasswordAttempt | entity.entity.user.last_bad_password_attempt_time
lastLogoff | entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value
lastLogon | entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value
LastLogonDate | entity.entity.user.last_login_time
Manager | The GUID, SamAccountName and SID values are each mapped to a different UDM field: the SID is stored in manager.windows_sid; the distinguished name (that is, the value of the first CN) is stored in manager.user_display_name; the GUID and SamAccountName are stored in manager.userid
MemberOf | The following fields are set from the first occurrence of CN: entity.relations.entity.group.group_display_name; entity.relations.entity_type set to GROUP; entity.relations.relationship set to MEMBER; entity.relations.direction set to UNIDIRECTIONAL
MobilePhone | entity.entity.user.phone_numbers
Office | entity.entity.user.office_address.name
PasswordExpired | entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value
PasswordLastSet | entity.entity.user.last_password_change_time
PasswordNeverExpires | entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value
PasswordNotRequired | entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value
PrimaryGroup | The following fields are set: entity.relations.entity.group.group_display_name; entity.relations.entity_type set to GROUP; entity.relations.relationship set to MEMBER; entity.relations.direction set to UNIDIRECTIONAL
ServicePrincipalNames | entity.entity.user.attribute.label.key and entity.entity.user.attribute.label.value
State | entity.entity.user.personal_address.state
StreetAddress | entity.entity.user.personal_address.name
Title | entity.entity.user.title
whenCreated | entity.user.attribute.creation_time
AccountLockoutTime | entity.entity.user.account_lockout_time
Asset context logs
NXLog field | UDM field
---|---
DNSHostName | entity.entity.asset.hostname
SamAccountName | entity.entity.asset.asset_id
SID.Value | entity.entity.user.windows_sid
ObjectClass | If the value is computer, entity.metadata.entity_type is set to ASSET
ObjectGuid, ObjectGUID | If the ObjectGuid log field value is not empty, the ObjectGuid log field is mapped to the entity.entity.asset.product_object_id UDM field. Else, if the ObjectGUID log field value is not empty, the ObjectGUID log field is mapped to the entity.entity.asset.product_object_id UDM field.
AccountExpirationDate | entity.entity.user.account_expiration_time
badPwdCount | entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value
CanonicalName | entity.entity.administrative_domain
countryCode | entity.entity.asset.location.country_or_region
Description | entity.entity.metadata.description
HomePage | entity.entity.url
IPv4Address | entity.entity.asset.ip
IPv6Address | entity.entity.asset.ip
LastBadPasswordAttempt | entity.entity.user.last_bad_password_attempt_time
lastLogoff | entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value
lastLogon | entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value
LastLogonDate | entity.entity.user.last_login_time
Location | entity.entity.asset.location.name
ManagedBy | The following fields are set: entity.entity.user.user_display_name; entity.relations.entity_type set to USER; entity.relations.relationship set to ADMINISTERS; entity.relations.direction set to UNIDIRECTIONAL
ObjectCategory | entity.entity.asset.category
OperatingSystem | If the name contains Windows, the entity.entity.asset.platform_software.platform field is set to WINDOWS.
OperatingSystemServicePack | entity.entity.asset.platform_software.platform_patch_level
OperatingSystemVersion | The entity.entity.asset.platform_software.platform_version field is set to %{OperatingSystem} - %{OperatingSystemVersion}
PasswordExpired | entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value
PasswordLastSet | entity.entity.user.last_password_change_time
PasswordNeverExpires | entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value
PasswordNotRequired | entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value
PrimaryGroup | The following fields are set: entity.relations.entity.group.group_display_name; entity.relations.entity_type set to GROUP; entity.relations.relationship set to MEMBER; entity.relations.direction set to UNIDIRECTIONAL
ServicePrincipalNames | entity.entity.asset.attribute.label.key and entity.entity.asset.attribute.label.value
whenChanged | entity.entity.asset.attribute.last_update_time
whenCreated | entity.entity.asset.attribute.creation_time
AccountLockoutTime | entity.entity.user.account_lockout_time
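As an added example (not code from the Chronicle documentation or the parser itself), the following Python snippet applies the rules from both tables to constructed sample lines in the one-JSON-object-per-line format the collection script writes: the ObjectClass check, the ObjectGuid/objectGUID/ObjectGUID precedence, the first-CN extraction used for Manager and MemberOf, and the platform and platform_version derivation. The flat dictionary keys are shortened names for the UDM fields in the tables, and every sample value is made up.

```python
import json

# Constructed sample of the collection script's output: one compact JSON object per line,
# as ConvertTo-Json -Compress writes it. All values are made up.
SAMPLE_OUTPUT = "\n".join(json.dumps(r) for r in [
    {"ObjectClass": "user", "SamAccountName": "jdoe", "GivenName": "Jane", "Surname": "Doe",
     "SID": {"Value": "S-1-5-21-1-2-3-1001"}, "ObjectGUID": "1111-aaaa",
     "Manager": "CN=Bob Boss,OU=Staff,DC=example,DC=com",
     "MemberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=com"]},
    {"ObjectClass": "computer", "SamAccountName": "WS01$", "DNSHostName": "ws01.example.com",
     "ObjectGuid": "2222-bbbb", "ObjectGUID": "ignored-because-ObjectGuid-wins",
     "OperatingSystem": "Windows Server 2019 Standard", "OperatingSystemVersion": "10.0 (17763)"},
])

def first_cn(dn):
    """Value of the first CN= component of a distinguished name (what the mapping uses)."""
    for part in dn.split(","):
        if part.strip().upper().startswith("CN="):
            return part.strip()[3:]
    return dn

def product_object_id(rec):
    """Documented precedence: ObjectGuid, then objectGUID, then ObjectGUID; None if all empty."""
    return next((rec[k] for k in ("ObjectGuid", "objectGUID", "ObjectGUID") if rec.get(k)), None)

def map_record(rec):
    """Apply the documented WINDOWS_AD mapping to a subset of the fields in the tables."""
    udm = {"product_object_id": product_object_id(rec), "windows_sid": (rec.get("SID") or {}).get("Value")}
    if rec.get("ObjectClass") == "user":
        udm.update(entity_type="USER", userid=rec.get("SamAccountName"),
                   first_name=rec.get("GivenName"), last_name=rec.get("Surname"))
        if rec.get("Manager"):
            udm["manager_user_display_name"] = first_cn(rec["Manager"])
        groups = rec.get("MemberOf") or []
        groups = [groups] if isinstance(groups, str) else groups  # a single value may serialize as a string
        if groups:  # only the first CN of MemberOf becomes a GROUP/MEMBER relation
            udm["relations"] = [{"group_display_name": first_cn(groups[0]), "entity_type": "GROUP",
                                 "relationship": "MEMBER", "direction": "UNIDIRECTIONAL"}]
    elif rec.get("ObjectClass") == "computer":
        udm.update(entity_type="ASSET", asset_id=rec.get("SamAccountName"), hostname=rec.get("DNSHostName"))
        os_name = rec.get("OperatingSystem") or ""
        if "Windows" in os_name:
            udm["platform"] = "WINDOWS"
        if rec.get("OperatingSystemVersion"):
            udm["platform_version"] = f"{os_name} - {rec['OperatingSystemVersion']}"
    return udm

def map_output(text):
    """Parse every non-empty line of the output file and map it; a leading UTF-8 BOM is ignored."""
    return [map_record(json.loads(line)) for line in text.lstrip("\ufeff").splitlines() if line.strip()]
```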