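        /// <summary>
        /// Reads the service settings, selects the Security-log replacement-string indices
        /// for the running OS generation and builds the Kerberos ticket-request handler.
        /// </summary>
        /// <remarks>
        /// The generic network-logon handler and the Redis logger are left commented out
        /// below; only a console logger is attached.  The factory's Build shown in this file
        /// appears to reject the KERBEROS source when the OS major version is greater than 5,
        /// so on a Vista/2008-or-later host this method is expected to throw from that call —
        /// confirm that is the intended behaviour before deploying there.
        /// </remarks>
        static void Init()
        {
            // Windows "Security" event log; reading it typically needs elevated rights
            // (Event Log Readers or an administrator), so the service account must have them.
            logName = "Security";
            redisConnectionString = Properties.Settings.Default["RedisServers"].ToString();
            // Passed to the factory as the domain pattern; a value such as ".*" accepts every domain.
            domain = Properties.Settings.Default["WindowsDomainRegex"].ToString();

            // Configuration is machine-readable: parse it culture-invariantly rather than with
            // the current UI culture.  The result is checked so a malformed value is not
            // silently accepted.
            string rawTtl = Properties.Settings.Default["RedisTTL"].ToString();
            if (!int.TryParse(rawTtl,
                              System.Globalization.NumberStyles.Integer,
                              System.Globalization.CultureInfo.InvariantCulture,
                              out redisTTL))
            {
                // TryParse has already zeroed redisTTL; the explicit fallback keeps the
                // behaviour visible.  TODO(review): make this fatal once the Redis logger is
                // re-enabled — a 0 TTL is unlikely to be the intended expiry.
                redisTTL = 0;
            }

            Version      osVersion     = Environment.OSVersion.Version;
            IEventLogger consoleLogger = new ConsoleReplacementStringsLogger();

            if (osVersion.Major > 5)
            {
                // Vista/2008+ schema (event 4624): presumably IpAddress at 18 and
                // TargetUserName at 5 — confirm against the event's replacement-string layout.
                remote_network_address_index = 18;
                username_index = 5;
            }
            else
            {
                // 2000/XP/2003 schema (events 540/672/673): presumably Source Network Address
                // at 13, Kerberos Client Address at 6 and User Name at 0 — confirm likewise.
                remote_network_address_index = 13;
                krb_client_addr_index        = 6;
                username_index = 0;
            }
            // NOTE(review): krb_client_addr_index is only assigned on the legacy branch and
            // keeps its field default on newer hosts.

            //IEventLogger redisLogger = new RedisEventLogger(redisConnectionString, remote_network_address_index, username_index, false, redisTTL);

            // Drop events whose user name contains a '$' anywhere — presumably meant to
            // exclude machine accounts (names ending in '$').  NOTE(review): because the
            // pattern is not anchored to a trailing '$', a user account with a '$' elsewhere
            // in its name is also excluded from monitoring; if only computer accounts should
            // be skipped, `\$$` is the tighter pattern.
            IEventFilter usernameFilter = new NOT_EventFilter(new ReplacementStringFilter(new Dictionary <int, string>()
            {
                { username_index, @"^.*\$.*$" }
            }));

            /*handler = NetworkLogonEventsHandlerFactory.Build(os_version.Major, domain);
             * handler.RegisterFilter(usernameFilter);
             * handler.RegisterLogger(consoleLogger);
             * handler.RegisterLogger(redisLogger);
             * handler.SetExceptionLogger(logger);*/

            // Kerberos ticket-request handler.  The factory's Build in this file throws for a
            // major version > 5 with the KERBEROS source, so this is where a modern host fails.
            kerberosEventsHandler = NetworkLogonEventsHandlerFactory.Build(osVersion.Major, domain, NetworkLogonEventSources.KERBEROS);
            kerberosEventsHandler.RegisterFilter(usernameFilter);
            kerberosEventsHandler.RegisterLogger(consoleLogger);
        }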
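        /// <summary>
        /// Builds an <see cref="EventLogHandler"/> that accepts only the network-logon (or
        /// Kerberos ticket-request) events of the given OS generation and domain.
        /// </summary>
        /// <param name="os_version">Major OS version; greater than 5 selects the Vista/2008+ event ids, otherwise the 2000/XP/2003 ones.</param>
        /// <param name="domain_name">Pattern (presumably regex-matched by ReplacementStringFilter) applied to the domain replacement string; the default <c>.*</c> accepts every domain.</param>
        /// <param name="source">Which event family to watch.</param>
        /// <returns>A handler with the event-id, domain and Kerberos success filters registered and an all-must-match strategy.</returns>
        /// <exception cref="System.NotSupportedException">KERBEROS was requested with os_version greater than 5; only the legacy 672/673 ids are wired up.</exception>
        /// <exception cref="System.ArgumentOutOfRangeException"><paramref name="source"/> is not a known member.</exception>
        public static EventLogHandler Build(int os_version, string domain_name = @".*", NetworkLogonEventSources source = NetworkLogonEventSources.LOGON)
        {
            long[] validLogonEvents;
            int    domainIndex;

            switch (source)
            {
            case NetworkLogonEventSources.LOGON:
                if (os_version > 5)
                {
                    // 4624 (successful logon); index 6 is presumably TargetDomainName —
                    // confirm against the event's replacement-string layout.
                    validLogonEvents = new long[] { 4624 };
                    domainIndex      = 6;
                }
                else
                {
                    // 540 (successful network logon); index 1 is presumably the Domain string.
                    validLogonEvents = new long[] { 540 };
                    domainIndex      = 1;
                }
                break;

            case NetworkLogonEventSources.KERBEROS:
                if (os_version > 5)
                {
                    // TODO(review): the Vista+ successors of 672/673 (4768/4769) are not
                    // wired up; until they are, this source is unusable on modern hosts.
                    throw new System.NotSupportedException(@"Unsupported OS version for Kerberos source");
                }
                // 672 (TGT request) and 673 (service-ticket request); index 1 is presumably
                // the realm/domain string on both.
                validLogonEvents = new long[] { 672, 673 };
                domainIndex      = 1;
                break;

            default:
                // Specific exception type; still caught by any existing catch (Exception).
                throw new System.ArgumentOutOfRangeException("source", @"Unknown source provided");
            }

            EventLogHandler handler = new EventLogHandler();

            handler.RegisterFilter(new EventCodeFilter(validLogonEvents));
            handler.RegisterFilter(new ReplacementStringFilter(new Dictionary <int, string>()
            {
                { domainIndex, domain_name }
            }));

            // Kerberos success filters, registered for every source as before: a "-" in the
            // result/failure-code string presumably marks a successful ticket request, so
            // failed requests are dropped.  They only matter once 672/673 pass the id filter
            // above — confirm that ReplacementStringFilter ignores events whose id differs
            // from its second argument, otherwise they would also reject 540/4624.
            handler.RegisterFilter(new ReplacementStringFilter(new Dictionary <int, string>()
            {
                { 6, @"-" }
            }, 672));
            handler.RegisterFilter(new ReplacementStringFilter(new Dictionary <int, string>()
            {
                { 7, @"-" }
            }, 673));

            // Every registered filter must accept an event for it to be handled.
            handler.SetFilterStrategy(new AllMustMatch());
            return handler;
        }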