        /// <summary>
        /// Reads the Redis and domain settings, chooses the replacement-string field
        /// indexes for the running Windows version, and wires the Kerberos
        /// ticket-request handler with a machine-account exclusion filter and a
        /// console logger.
        /// </summary>
        static void Init()
        {
            logName               = "Security";
            redisConnectionString = Properties.Settings.Default["RedisServers"].ToString();
            domain                = Properties.Settings.Default["WindowsDomainRegex"].ToString();
            // The parse result is not checked; an unparsable RedisTTL leaves redisTTL at 0.
            int.TryParse(Properties.Settings.Default["RedisTTL"].ToString(), out redisTTL);

            Version      osVersion     = Environment.OSVersion.Version;
            IEventLogger consoleLogger = new ConsoleReplacementStringsLogger();

            // Field positions differ between the Vista+ (Major > 5) and the
            // Windows 2000/2003 event-record formats.
            bool legacyFormat = osVersion.Major <= 5;
            if (legacyFormat)
            {
                username_index               = 0;
                remote_network_address_index = 13;
                krb_client_addr_index        = 6;   // only assigned for the legacy format
            }
            else
            {
                username_index               = 5;
                remote_network_address_index = 18;
            }

            // Exclude machine accounts: any user name containing a '$'.
            var machineAccountPatterns = new Dictionary<int, string>();
            machineAccountPatterns.Add(username_index, @"^.*\$.*$");
            IEventFilter usernameFilter = new NOT_EventFilter(new ReplacementStringFilter(machineAccountPatterns));

            // Only the Kerberos ticket-request handler is wired up in this version;
            // the Redis logger and the generic logon handler are not registered.
            kerberosEventsHandler = NetworkLogonEventsHandlerFactory.Build(osVersion.Major, domain, NetworkLogonEventSources.KERBEROS);
            kerberosEventsHandler.RegisterFilter(usernameFilter);
            kerberosEventsHandler.RegisterLogger(consoleLogger);
        }
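        /// <summary>
        /// Reads the application settings, selects the event-record layout for the
        /// running Windows version, and wires up the account-logon and Kerberos
        /// ticket handlers (filters plus Redis loggers).
        /// </summary>
        /// <exception cref="NotSupportedException">
        /// <c>ParseKerberosEvents</c> is enabled on an OS with
        /// <c>Environment.OSVersion.Version.Major &gt; 5</c>, for which no Kerberos
        /// event layout is implemented here.
        /// </exception>
        void Init()
        {
            ReadSettings();

            var os_version = Environment.OSVersion.Version;
            ApplyEventLayout(os_version.Major);

            // Shared by both handlers: exclude machine accounts (user names ending in '$').
            // NOTE(review): the UsernameFilterRegex setting is read in ReadSettings() but
            // this filter uses a fixed pattern — confirm which one is intended.
            IEventFilter usernameFilter = new NOT_EventFilter(new ReplacementStringFilter(new Dictionary<int, string>()
            {
                { username_index, @"^.*\$" }
            }));

            BuildLogonEventsHandler(os_version.Major, usernameFilter);
            BuildKerberosEventsHandler(os_version.Major, usernameFilter);
        }

        /// <summary>Loads the Redis, domain and Kerberos settings into the backing fields.</summary>
        private void ReadSettings()
        {
            redisConnectionString = Properties.Settings.Default["RedisServers"].ToString();
            domain                = Properties.Settings.Default["WindowsDomainRegex"].ToString();
            usernameFilterRegex   = Properties.Settings.Default["UsernameFilterRegex"].ToString();
            // Ordinal, case-insensitive comparison instead of a culture-sensitive ToUpper().
            parseKerberosEvents = string.Equals(
                Properties.Settings.Default["ParseKerberosEvents"].ToString(),
                "TRUE",
                StringComparison.OrdinalIgnoreCase);
            // A parse failure is tolerated and leaves redisTTL at 0.
            // NOTE(review): how the Redis loggers treat a 0 TTL is not visible here — confirm.
            int.TryParse(Properties.Settings.Default["RedisTTL"].ToString(), out redisTTL);
        }

        /// <summary>
        /// Sets the replacement-string field indexes and event codes for the given
        /// <paramref name="osMajor"/> (Vista+ vs. Windows 2000/2003 event formats).
        /// </summary>
        /// <param name="osMajor">Major part of <c>Environment.OSVersion.Version</c>.</param>
        /// <exception cref="NotSupportedException">Kerberos parsing requested on a Vista+ OS.</exception>
        private void ApplyEventLayout(int osMajor)
        {
            if (osMajor > 5)
            {
                if (parseKerberosEvents)
                {
                    throw new NotSupportedException(@"Parsing kerberos events is not supported for this OS version yet");
                }
                username_index               = 5;
                remote_network_address_index = 18;
                // NOTE(review): the krb_* indexes and event codes keep their field defaults
                // on this branch, yet Init() still builds the Kerberos handler — confirm.
                return;
            }

            username_index                      = 0;
            remote_network_address_index        = 13;
            remote_network_address_ticket_index = 6;
            remote_network_address_tgt_index    = 9;
            logon_ev_code                       = (int)EventLogListener.WindowsEventCodes.WIN2K3_LOGON_NETWORK;
            krb_tgt_granted_ev_code             = (int)EventLogListener.WindowsEventCodes.WIN2K3_KRB_TGT_GRANTED;
            krb_service_ticket_granted_ev_code  = (int)EventLogListener.WindowsEventCodes.WIN2K3_KRB_SERVICE_TICKET_GRANTED;
        }

        /// <summary>
        /// Builds the account-logon handler and registers the username filter and the
        /// Redis loggers keyed on the remote-address and user-name fields.
        /// </summary>
        /// <param name="osMajor">Major part of <c>Environment.OSVersion.Version</c>.</param>
        /// <param name="usernameFilter">Filter excluding machine accounts.</param>
        private void BuildLogonEventsHandler(int osMajor, IEventFilter usernameFilter)
        {
            logonEventsHandler = NetworkLogonEventsHandlerFactory.Build(osMajor, domain);

            // NOTE(review): no EventCodeFilter on logon_ev_code is registered for this
            // handler (on Vista+ logon_ev_code is never set) — confirm the factory-built
            // handler selects the logon event codes itself.
            logonEventsHandler.RegisterFilter(usernameFilter);

            logonEventsHandler.RegisterLogger(
                new RedisReplacementStringLogger(
                    redisConnectionString,
                    remote_network_address_index,
                    username_index,
                    0,
                    true,
                    redisTTL));
            logonEventsHandler.RegisterLogger(
                new RedisTimeStampLogger(
                    redisConnectionString,
                    new int[] { username_index, remote_network_address_index },
                    0,
                    true,
                    redisTTL));
            logonEventsHandler.SetExceptionLogger(logger);
        }

        /// <summary>
        /// Builds the Kerberos ticket-request handler, restricts it to the TGT and
        /// service-ticket event codes, and registers one Redis logger per event code.
        /// </summary>
        /// <param name="osMajor">Major part of <c>Environment.OSVersion.Version</c>.</param>
        /// <param name="usernameFilter">Filter excluding machine accounts.</param>
        private void BuildKerberosEventsHandler(int osMajor, IEventFilter usernameFilter)
        {
            kerberosEventsHandler = NetworkLogonEventsHandlerFactory.Build(osMajor, domain, ip2userLib.NetworkLogonEventSources.KERBEROS);

            IEventFilter krbEventCodesFilter = new EventCodeFilter(new long[] { krb_service_ticket_granted_ev_code, krb_tgt_granted_ev_code });
            kerberosEventsHandler.RegisterFilter(krbEventCodesFilter);
            kerberosEventsHandler.RegisterFilter(usernameFilter);

            // One logger per event code: the remote-address field index differs between
            // service-ticket and TGT events.
            kerberosEventsHandler.RegisterLogger(
                new RedisReplacementStringLogger(
                    redisConnectionString,
                    remote_network_address_ticket_index,
                    username_index,
                    krb_service_ticket_granted_ev_code,
                    true,
                    redisTTL));
            kerberosEventsHandler.RegisterLogger(
                new RedisReplacementStringLogger(
                    redisConnectionString,
                    remote_network_address_tgt_index,
                    username_index,
                    krb_tgt_granted_ev_code,
                    true,
                    redisTTL));
            kerberosEventsHandler.SetExceptionLogger(logger);
        }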