void Init()
{
redisConnectionString = Properties.Settings.Default["RedisServers"].ToString();
domain = Properties.Settings.Default["WindowsDomainRegex"].ToString();
usernameFilterRegex = Properties.Settings.Default["UsernameFilterRegex"].ToString();
parseKerberosEvents = Properties.Settings.Default["ParseKerberosEvents"].ToString().ToUpper() == "TRUE";
int.TryParse(Properties.Settings.Default["RedisTTL"].ToString(), out redisTTL);
var os_version = Environment.OSVersion.Version;
if (os_version.Major > 5)
{
if (parseKerberosEvents)
{
throw new Exception(@"Parsing kerberos events is not supported for this OS version yet");
}
username_index = 5;
remote_network_address_index = 18;
}
else
{
username_index = 0;
remote_network_address_index = 13;
remote_network_address_ticket_index = 6;
remote_network_address_tgt_index = 9;
logon_ev_code = (int)EventLogListener.WindowsEventCodes.WIN2K3_LOGON_NETWORK;
krb_tgt_granted_ev_code = (int)EventLogListener.WindowsEventCodes.WIN2K3_KRB_TGT_GRANTED;
krb_service_ticket_granted_ev_code = (int)EventLogListener.WindowsEventCodes.WIN2K3_KRB_SERVICE_TICKET_GRANTED;
}
//Account Logon Event Handler
logonEventsHandler = NetworkLogonEventsHandlerFactory.Build(os_version.Major, domain);
//FILTERS
IEventFilter logon_event_codes_filter = new EventCodeFilter(new long[] { logon_ev_code });
IEventFilter usernameFilter = new NOT_EventFilter(new ReplacementStringFilter(new Dictionary <int, string>()
{
{ username_index, @"^.*\$" }
})); // Exclude machine accounts
logonEventsHandler.RegisterFilter(usernameFilter);
//LOGGERS
logonEventsHandler.RegisterLogger(
new RedisReplacementStringLogger(
redisConnectionString,
remote_network_address_index,
username_index,
0,
true,
redisTTL
)
);
logonEventsHandler.RegisterLogger(
new RedisTimeStampLogger(
redisConnectionString,
new int[] { username_index, remote_network_address_index },
0,
true,
redisTTL
)
);
logonEventsHandler.SetExceptionLogger(logger);
//Kerberos Ticket Request Event Handler
kerberosEventsHandler = NetworkLogonEventsHandlerFactory.Build(os_version.Major, domain, ip2userLib.NetworkLogonEventSources.KERBEROS);
//FILTERS
IEventFilter krb_event_codes_filter = new EventCodeFilter(new long[] { krb_service_ticket_granted_ev_code, krb_tgt_granted_ev_code });
kerberosEventsHandler.RegisterFilter(krb_event_codes_filter);
kerberosEventsHandler.RegisterFilter(usernameFilter);
//LOGGERS
kerberosEventsHandler.RegisterLogger(
new RedisReplacementStringLogger(
redisConnectionString,
remote_network_address_ticket_index,
username_index,
krb_service_ticket_granted_ev_code,
true,
redisTTL
)
);
kerberosEventsHandler.RegisterLogger(
new RedisReplacementStringLogger(
redisConnectionString,
remote_network_address_tgt_index,
username_index,
krb_tgt_granted_ev_code,
true,
redisTTL
)
);
kerberosEventsHandler.SetExceptionLogger(logger);
}
public static EventLogHandler Build(int os_version, string domain_name = @".*", NetworkLogonEventSources source = NetworkLogonEventSources.LOGON)
{
long[] valid_logon_events;
int domain_index;
EventLogHandler handler = new EventLogHandler();
IEventFilter idFilter, domainFilter;
switch (source)
{
case NetworkLogonEventSources.LOGON:
if (os_version > 5)
{
valid_logon_events = new long[1] {
4624
};
domain_index = 6;
}
else
{
valid_logon_events = new long[1] {
540
};
domain_index = 1;
}
break;
case NetworkLogonEventSources.KERBEROS:
if (os_version > 5)
{
throw new System.Exception(@"Unsupported OS version for Kerberos source");
}
else
{
valid_logon_events = new long[2] {
672, 673
};
domain_index = 1;
}
break;
default:
throw new System.Exception(@"Unknown source provided");
}
idFilter = new EventCodeFilter(valid_logon_events);
domainFilter = new ReplacementStringFilter(new Dictionary <int, string>()
{
{ domain_index, domain_name }
});
handler.RegisterFilter(idFilter);
handler.RegisterFilter(domainFilter);
handler.RegisterFilter(new ReplacementStringFilter(new Dictionary <int, string>()
{
{ 6, @"-" }
}, 672));
handler.RegisterFilter(new ReplacementStringFilter(new Dictionary <int, string>()
{
{ 7, @"-" }
}, 673));
handler.SetFilterStrategy(new AllMustMatch());
return(handler);
}
