void Init() { redisConnectionString = Properties.Settings.Default["RedisServers"].ToString(); domain = Properties.Settings.Default["WindowsDomainRegex"].ToString(); usernameFilterRegex = Properties.Settings.Default["UsernameFilterRegex"].ToString(); parseKerberosEvents = Properties.Settings.Default["ParseKerberosEvents"].ToString().ToUpper() == "TRUE"; int.TryParse(Properties.Settings.Default["RedisTTL"].ToString(), out redisTTL); var os_version = Environment.OSVersion.Version; if (os_version.Major > 5) { if (parseKerberosEvents) { throw new Exception(@"Parsing kerberos events is not supported for this OS version yet"); } username_index = 5; remote_network_address_index = 18; } else { username_index = 0; remote_network_address_index = 13; remote_network_address_ticket_index = 6; remote_network_address_tgt_index = 9; logon_ev_code = (int)EventLogListener.WindowsEventCodes.WIN2K3_LOGON_NETWORK; krb_tgt_granted_ev_code = (int)EventLogListener.WindowsEventCodes.WIN2K3_KRB_TGT_GRANTED; krb_service_ticket_granted_ev_code = (int)EventLogListener.WindowsEventCodes.WIN2K3_KRB_SERVICE_TICKET_GRANTED; } //Account Logon Event Handler logonEventsHandler = NetworkLogonEventsHandlerFactory.Build(os_version.Major, domain); //FILTERS IEventFilter logon_event_codes_filter = new EventCodeFilter(new long[] { logon_ev_code }); IEventFilter usernameFilter = new NOT_EventFilter(new ReplacementStringFilter(new Dictionary <int, string>() { { username_index, @"^.*\$" } })); // Exclude machine accounts logonEventsHandler.RegisterFilter(usernameFilter); //LOGGERS logonEventsHandler.RegisterLogger( new RedisReplacementStringLogger( redisConnectionString, remote_network_address_index, username_index, 0, true, redisTTL ) ); logonEventsHandler.RegisterLogger( new RedisTimeStampLogger( redisConnectionString, new int[] { username_index, remote_network_address_index }, 0, true, redisTTL ) ); logonEventsHandler.SetExceptionLogger(logger); //Kerberos Ticket Request Event Handler kerberosEventsHandler = NetworkLogonEventsHandlerFactory.Build(os_version.Major, domain, ip2userLib.NetworkLogonEventSources.KERBEROS); //FILTERS IEventFilter krb_event_codes_filter = new EventCodeFilter(new long[] { krb_service_ticket_granted_ev_code, krb_tgt_granted_ev_code }); kerberosEventsHandler.RegisterFilter(krb_event_codes_filter); kerberosEventsHandler.RegisterFilter(usernameFilter); //LOGGERS kerberosEventsHandler.RegisterLogger( new RedisReplacementStringLogger( redisConnectionString, remote_network_address_ticket_index, username_index, krb_service_ticket_granted_ev_code, true, redisTTL ) ); kerberosEventsHandler.RegisterLogger( new RedisReplacementStringLogger( redisConnectionString, remote_network_address_tgt_index, username_index, krb_tgt_granted_ev_code, true, redisTTL ) ); kerberosEventsHandler.SetExceptionLogger(logger); }
public static EventLogHandler Build(int os_version, string domain_name = @".*", NetworkLogonEventSources source = NetworkLogonEventSources.LOGON) { long[] valid_logon_events; int domain_index; EventLogHandler handler = new EventLogHandler(); IEventFilter idFilter, domainFilter; switch (source) { case NetworkLogonEventSources.LOGON: if (os_version > 5) { valid_logon_events = new long[1] { 4624 }; domain_index = 6; } else { valid_logon_events = new long[1] { 540 }; domain_index = 1; } break; case NetworkLogonEventSources.KERBEROS: if (os_version > 5) { throw new System.Exception(@"Unsupported OS version for Kerberos source"); } else { valid_logon_events = new long[2] { 672, 673 }; domain_index = 1; } break; default: throw new System.Exception(@"Unknown source provided"); } idFilter = new EventCodeFilter(valid_logon_events); domainFilter = new ReplacementStringFilter(new Dictionary <int, string>() { { domain_index, domain_name } }); handler.RegisterFilter(idFilter); handler.RegisterFilter(domainFilter); handler.RegisterFilter(new ReplacementStringFilter(new Dictionary <int, string>() { { 6, @"-" } }, 672)); handler.RegisterFilter(new ReplacementStringFilter(new Dictionary <int, string>() { { 7, @"-" } }, 673)); handler.SetFilterStrategy(new AllMustMatch()); return(handler); }