通过Sysmon+Nxlogs收集Windows Server 2012服务器日志-并以Syslog形式发送Json格式数据至SIEM

0x01 环境介绍

Windows Server 2012 已经安装部署好了域控，目的除了收集Windows服务器本身的日志外还收集域控环境下的各种日志。

0x02 Nxlog配置和使用

• 使用社区版本即可，下载地址：
• https://nxlog.co/downloads/nxlog-ce#nxlog-community-edition



• 
  
• 使用的版本是当前最新版本
• 安装过程就省略，下一步下一步一路走下去即可。
• 最终安装在C盘下默认的目录
• 下面就是准备修改配置

0x03 安装Sysmon

• Sysmon安装很简单，下载GitHub提供的配置文件，使其能收集想要的日志
• 参考：
  https://cloud.tencent.com/developer/article/1970103https://github.com/SwiftOnSecurity/sysmon-confighttps://github.com/trustedsec/SysmonCommunityGuide
• 配置文件：
  https://github.com/Neo23x0/sysmon-confighttps://github.com/SwiftOnSecurity/sysmon-config
• 下载Sysmon
  https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
• 执行安装
  sysmon.exe -accepteula -i sysmonconfig-export.xml

0x04 开启Windows服务器审核策略

• https://learn.microsoft.com/zh-cn/windows/security/threat-protection/auditing/basic-security-audit-policies
• https://forum.butian.net/share/355



• 
  

0x05 修改Nxlog配置文件

• 本次是需要收集Windows服务器System，Security，Application，Sysmon，Powershell的相关日志
• 配置文件详情

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data

include %CONFDIR%\\*.conf
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension json>
    Module      xm_json
</Extension>

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input internal>
    Module      im_internal
</Input>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets gbk, iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

<Input eventlog>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>\
                        <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select>\
                    </Query>\
                </QueryList>
    Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
</Input>

<Output out>
     Module      om_udp
     Host        192.168.50.20
     Port        536
     Exec        $EventTime = integer($EventTime) / 1000000;
     Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000000;
     Exec        $Message = to_json(); to_syslog_bsd();
</Output>

<Route 1>
Path    eventlog, internal => out
</Route>

• 可参考借鉴的配置文件
  https://github.com/SMAPPER/NXLog-AutoConfighttps://github.com/Starke427/NXloghttps://github.com/Hacks4Snacks/windows-nxloghttps://github.com/Sep0lkit/Windows-Event-Forwarderhttps://github.com/thefaxe/nxlog-confighttps://github.com/acochenour/AND-NXLog-Windows-Configurationhttps://github.com/smiley2x4/NXLOG-Example-confhttps://github.com/noobzero/siem-and-event-forwarding-configshttps://github.com/sandeep663/windows
• 重启Nxlog服务

0x06 SIEM平台确认日志接收情况

• 这里接收过来的日志需要先使用grok解析为json格式，然后再解析json，生成每个字段，然后基于字段进行日常安全运营配置相关策略进行告警。
• 使用到的Grok语法

.+]: %{GREEDYDATA:windows2012_json}

• 原始日志

<14>Feb 23 21:20:20 SHUNANDC2012.shunanatomic.com Microsoft-Windows-Security-Auditing[512]: {"EventTime":1677158419,"Hostname":"SHUNANDC2012.shunanatomic.com","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4634,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12545,"OpcodeValue":0,"RecordNumber":516532,"ProcessID":512,"ThreadID":4984,"Channel":"Security","Message":"已注销帐户。\r\n\r\n使用者:\r\n\t安全 ID:\t\tS-1-5-18\r\n\t帐户名:\t\tSHUNANDC2012$\r\n\t帐户域:\t\tSHUNANATOMIC\r\n\t登录 ID:\t\t0xBB2EC6\r\n\r\n登录类型:\t\t\t3\r\n\r\n在登录会话被破坏时生成此事件。可以使用登录 ID 值将它和一个登录事件准确关联起来。在同一台计算机上重新启动的区间中，登录 ID 是唯一的。","Category":"注销","Opcode":"信息","TargetUserSid":"S-1-5-18","TargetUserName":"SHUNANDC2012$","TargetDomainName":"SHUNANATOMIC","TargetLogonId":"0xbb2ec6","LogonType":"3","EventReceivedTime":1677158420,"SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}

• 进行Json格式解析
  

0x07 SIEM平台效果展示

迷茫的人生，需要不断努力，才能看清远方模糊的志向！