1. 概述
1.1 本文目的
本文旨在描述如何在Windows 2003上监控用户密码修改和系统服务的启停
1.2 约定
本文部分功能需要可能需要启用相应的组策略编辑
本文所涉及的用户和目录均为假定值,例如本文约定工作目录为 E:\system,执行监控命令的用户为 systemMonitor
2. 创建事件触发监控
REM Event-trigger setup for Windows 2003 (run once from an administrator prompt).
REM Each trigger runs the named script under the systemMonitor account when the
REM matching event is logged. "systemMonitor的密码" stands for that account's password;
REM /RP passes it in clear text on the command line, so a real password must not be
REM left in this listing or in the command history.

REM When any user's password is reset (security log, event 628), run E:\system\pwdChangeTask.bat as systemMonitor
EVENTTRIGGERS /Create /RU systemMonitor /RP systemMonitor的密码 /TR password_Set /L security /EID 628 /TK E:\system\pwdChangeTask.bat
REM When any user's password is changed (security log, event 627), run E:\system\pwdChangeTask.bat as systemMonitor
EVENTTRIGGERS /Create /RU systemMonitor /RP systemMonitor的密码 /TR password_Change /L security /EID 627 /TK E:\system\pwdChangeTask.bat
REM When a service is started or stopped (system log, event 7035), run E:\system\startStopService.bat as systemMonitor
EVENTTRIGGERS /Create /RU systemMonitor /RP systemMonitor的密码 /TR service_Change /L system /EID 7035 /TK E:\system\startStopService.bat
3. E:\system\pwdChangeTask.bat
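REM Collector run by the password_Set / password_Change event triggers: appends the
REM newest password event (security log, 627/628) to the daily monitor log as CSV.

REM Daily log file. The date suffix is taken from %DATE% as yyyyMMdd, which assumes the
REM system short-date format is yyyy-MM-dd; other locales need different offsets.
set SYS_MONI_LOGFILE=E:\system\logs\systemMonitor%DATE:~0,4%%DATE:~5,2%%DATE:~8,2%.log
REM The appends below cannot write when the log folder is missing (and a triggered
REM task has no console to show the error), so create it first.
if not exist "E:\system\logs" mkdir "E:\system\logs"
REM Marker line: when the parser meets @@systemMonitor@@ SKIP LINES in %SYS_MONI_LOGFILE%
REM it skips the following n lines (cscript banner and CSV header) before reading records.
echo @@systemMonitor@@ SKIP LINES >> "%SYS_MONI_LOGFILE%"
REM Append the most recent (/R 1) matching record in verbose CSV form. Several events
REM logged in quick succession may each trigger this script yet all dump the same record.
CSCRIPT C:\Windows\system32\Eventquery.vbs /L Security /R 1 /FI "ID eq 627 OR ID eq 628" /V /FO CSV >> "%SYS_MONI_LOGFILE%"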
4. E:\system\startStopService.bat
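REM Collector run by the service_Change event trigger: appends the newest service
REM control event (system log, 7035) to the daily monitor log as CSV.

REM Daily log file, named the same way as in pwdChangeTask.bat; the yyyyMMdd suffix
REM assumes %DATE% uses the yyyy-MM-dd short-date format.
set SYS_MONI_LOGFILE=E:\system\logs\systemMonitor%DATE:~0,4%%DATE:~5,2%%DATE:~8,2%.log
REM Create the log folder if it is missing so the appends below can succeed.
if not exist "E:\system\logs" mkdir "E:\system\logs"
REM Marker line that tells the parser to skip the cscript banner and CSV header that follow.
echo @@systemMonitor@@ SKIP LINES >> "%SYS_MONI_LOGFILE%"
REM Append the most recent (/R 1) 7035 record in verbose CSV form.
CSCRIPT C:\Windows\system32\Eventquery.vbs /L system /R 1 /FI "ID eq 7035" /V /FO CSV >> "%SYS_MONI_LOGFILE%"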
5. 附java解析日志代码
5.1 输出日志格式
@@systemMonitor@@ SKIP LINES
Microsoft (R) Windows Script Host Version 5.6
版权所有(C) Microsoft Corporation 1996-2001。保留所有权利。

"类型","事件","时间日期","来源","计算机名","类别","用户","描述"
"审核成功","628","2010-5-6 14:22:41","Security","BBK","帐户管理","BBK\achievo","设置了用户帐户密码: 目标帐户名: Guest 目标域: BBK 目标帐户 ID: BBK\Guest 调用方用户名: achievo 调用方域: BBK 调用方登录 ID: (0x0,0xF9D361C)"
5.2 java解析代码
package org.javaf.system.monitor;
import java.util.Calendar;
import org.javaf.common.utils.ReadTextFile;
import org.javaf.common.utils.WriteTextFile;
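public class WindowsServerMonitor extends AbstractCommonMonitor {

    /** Marker line written by the collector scripts before each Eventquery dump. */
    private static final String SKIP_MARKER = "@@systemMonitor@@ SKIP LINES";

    /**
     * Lines between the marker and the first record (cscript banner and the CSV
     * header; four in the sample output the collector scripts produce).
     */
    private static final int LINES_AFTER_MARKER = 4;

    /** Column count of an {@code Eventquery.vbs /V /FO CSV} record. */
    private static final int CSV_COLUMNS = 8;

    // Windows 2003 security-log event IDs collected by the password triggers
    // (EVENTTRIGGERS /EID 627 and 628).
    private static final long EVENT_PASSWORD_CHANGED = 627L;
    private static final long EVENT_PASSWORD_SET = 628L;
    // System-log event ID collected by the service trigger (EVENTTRIGGERS /EID 7035).
    private static final long EVENT_SERVICE_CONTROL = 7035L;

    /** Start/stop events of this service are treated as noise and not reported. */
    private static final String IGNORED_SERVICE = "WinHTTP Web Proxy Auto-Discovery Service";

    /**
     * Converts one collector log into report lines.
     *
     * <p>Each record is a CSV line produced by Eventquery.vbs with the columns
     * {@code 类型,事件,时间日期,来源,计算机名,类别,用户,描述}. Every reported line has
     * the form {@code date|ip|action|user|1}, where {@code date} is the date part of
     * the timestamp column and {@code ip} is not declared in this class (presumably
     * a host identifier inherited from AbstractCommonMonitor — confirm).
     *
     * <p>Password events (627/628) are written to {@code wtm}; service control events
     * (7035) are written to both {@code wtd} and {@code wtm} unless the line mentions
     * {@link #IGNORED_SERVICE}. Lines that are not well-formed records (no comma,
     * fewer than eight columns, a non-numeric event id, or a description of an
     * unexpected shape) are skipped instead of aborting the whole report.
     *
     * @param rt  reader over the collector log
     * @param wtm writer for the combined monitor report
     * @param wtd writer for the service start/stop report
     */
    protected void getReport(ReadTextFile rt, WriteTextFile wtm, WriteTextFile wtd) {
        String line;
        while ((line = rt.readLine()) != null) {
            if (line.startsWith(SKIP_MARKER)) {
                this.skipLine(rt, LINES_AFTER_MARKER);
                continue;
            }
            if (line.indexOf(',') <= 0) {
                continue;
            }
            // Limit the split to the column count so that commas inside the last
            // (description) column, e.g. "(0x0,0xF9D361C)", stay part of it.
            String[] contents = line.split(",", CSV_COLUMNS);
            if (contents.length < CSV_COLUMNS) {
                continue;
            }
            long eventId;
            try {
                eventId = getContentToLong(contents, 1);
            } catch (NumberFormatException ignored) {
                // Not a data record (e.g. a stray header line); skip it rather than fail.
                continue;
            }
            String prefix = eventDate(getContent(contents, 2)) + "|" + ip;
            if (eventId == EVENT_PASSWORD_CHANGED || eventId == EVENT_PASSWORD_SET) {
                String opUser = targetAccount(getContent(contents, 7));
                if (opUser == null) {
                    continue;
                }
                String action = (eventId == EVENT_PASSWORD_SET ? "设置" : "更改") + opUser + "密码";
                wtm.println(prefix + "|" + action + "|" + getContent(contents, 6) + "|1");
            } else if (eventId == EVENT_SERVICE_CONTROL) {
                String action = serviceAction(getContent(contents, 7));
                if (action == null) {
                    continue;
                }
                String outLine = prefix + "|" + action + "|" + getContent(contents, 6) + "|1";
                if (outLine.indexOf(IGNORED_SERVICE) == -1) {
                    wtd.println(outLine);
                    wtm.println(outLine);
                }
            }
        }
    }

    /**
     * Returns the date part of an Eventquery timestamp such as
     * {@code 2010-5-6 14:22:41}, i.e. everything before the first space.
     * A value without a space is returned unchanged.
     */
    private static String eventDate(String timestamp) {
        int space = timestamp.indexOf(' ');
        return space > 0 ? timestamp.substring(0, space) : timestamp;
    }

    /**
     * Extracts the target account from a 627/628 description: the first word of the
     * third colon-separated part, e.g. {@code 设置了用户帐户密码: 目标帐户名: Guest 目标域: BBK ...}
     * yields {@code Guest}.
     *
     * @return the account name, or {@code null} when the description has fewer than
     *     three colon-separated parts
     */
    private static String targetAccount(String description) {
        String[] parts = description.split(":");
        if (parts.length < 3) {
            return null;
        }
        return parts[2].trim().split("\\s")[0].trim();
    }

    /**
     * Builds the service summary from a 7035 description: the two characters found
     * six to four characters before the end (presumably the control verb such as
     * 启动/停止 in the Chinese SCM message — confirm against real records) followed
     * by the quoted service name that precedes {@code 服务}.
     *
     * @return the summary, or {@code null} when the description is shorter than six
     *     characters or does not contain {@code 服务}
     */
    private static String serviceAction(String description) {
        int serviceWord = description.indexOf("服务");
        int end = description.length();
        if (serviceWord < 0 || end < 6) {
            return null;
        }
        String verb = description.substring(end - 6, end - 4);
        String name = description.substring(0, serviceWord).trim();
        return verb + "\"" + name + "\"服务";
    }

    /**
     * Returns column {@code i} without its surrounding double quotes (Eventquery
     * quotes every value). A column that is not quoted is returned as is.
     */
    private String getContent(String[] contents, int i) {
        String field = contents[i];
        if (field.length() >= 2 && field.startsWith("\"") && field.endsWith("\"")) {
            return field.substring(1, field.length() - 1);
        }
        return field;
    }

    /**
     * Parses column {@code i} as a long.
     *
     * @throws NumberFormatException when the column is not numeric
     */
    private long getContentToLong(String[] contents, int i) {
        return Long.parseLong(getContent(contents, i));
    }
}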