
Windows 2003下监控用户密码修改&服务启停

1. 概述

1.1 本文目的

- 本文旨在描述如何在 Windows 2003 上监控用户密码的设置/修改以及系统服务的启停, 并附带一个解析监控日志的 Java 程序。

1.2 约定

- 本文部分功能可能需要在组策略中启用相应的审核策略: 只有启用了“审核帐户管理”(成功审核)之后, 安全日志中才会记录 627/628 事件。

- 本文所涉及的用户和目录均为假定值, 例如约定工作目录为 E:\system、执行监控命令的用户为 systemMonitor。该帐户需要具有读取安全日志的权限; 同时 E:\system 目录及其中的 .bat 文件应只允许管理员写入, 否则任何能修改这些文件的人都可以借事件触发器以 systemMonitor 身份执行任意命令。

?

2. 创建事件触发监控

REM Event triggers: each time the matching event is written to the log, run the
REM given .bat as user systemMonitor (/RU). /EID 628 = user account password set
REM (password reset), /EID 627 = change-password attempt, both in the Security log;
REM /EID 7035 = service start/stop control in the System log. These are the
REM Windows 2003 event IDs; on Vista/2008 and later the password events are
REM 4724/4723 instead, so this page applies to 2003 only.
REM NOTE(review): /RP puts the systemMonitor password on the command line, where
REM it is visible in the console history and in any script this is pasted into.
REM Prefer omitting /RP (or passing *) so that eventtriggers prompts for it --
REM confirm with "eventtriggers /create /?" on the host -- and rotate the
REM password if it has ever been saved in a file.
REM NOTE(review): the trigger executes whatever is at the /TK path under the
REM systemMonitor account, so E:\system and the .bat files must be writable only
REM by administrators; anyone who can edit them gets code execution as that user.

REM On any password reset (EID 628), run E:\system\pwdChangeTask.bat as systemMonitor
EVENTTRIGGERS /Create /RU systemMonitor /RP systemMonitor的密码 /TR password_Set /L security /EID 628 /TK E:\system\pwdChangeTask.bat

REM On any password change (EID 627), run E:\system\pwdChangeTask.bat as systemMonitor
EVENTTRIGGERS /Create /RU systemMonitor /RP systemMonitor的密码 /TR password_Change /L security /EID 627 /TK E:\system\pwdChangeTask.bat

REM On any service start/stop (EID 7035), run E:\system\startStopService.bat as systemMonitor
EVENTTRIGGERS /Create /RU systemMonitor /RP systemMonitor的密码 /TR service_Change /L system /EID 7035 /TK E:\system\startStopService.bat

?

?

?

3. E:\system\pwdChangeTask.bat

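REM pwdChangeTask.bat -- run by the password_Set / password_Change event triggers
REM (as user systemMonitor). Appends the most recent 627/628 Security-log event
REM to the day's monitor log, in the CSV layout the Java parser expects.
REM NOTE(review): the file name is built from %DATE% positions 0-3, 5-6 and 8-9,
REM i.e. it assumes a yyyy-mm-dd / yyyy/mm/dd style locale date; confirm on the host.
REM NOTE(review): querying the Security log requires systemMonitor to hold the
REM "Manage auditing and security log" right (or equivalent); verify this,
REM otherwise Eventquery.vbs fails and only the marker line is written.

REM Daily log file path
set SYS_MONI_LOGFILE=E:\system\logs\systemMonitor%DATE:~0,4%%DATE:~5,2%%DATE:~8,2%.log

REM The append redirect below fails if the logs directory is missing, so create it first.
if not exist "E:\system\logs" mkdir "E:\system\logs"

REM Marker line: the parser skips the 4 lines that follow it (WSH banner,
REM copyright line, blank line, CSV header). Keep the text byte-identical.
echo @@systemMonitor@@ SKIP LINES  >> %SYS_MONI_LOGFILE%

REM /R 1 returns only the single newest matching event. If two password events
REM fire within a short window, both trigger runs may record the same event and
REM the other is lost -- treat this log as best-effort, not authoritative.
CSCRIPT C:\Windows\system32\Eventquery.vbs /L Security /R 1 /FI "ID eq 627 OR ID eq 628" /V /FO CSV >> %SYS_MONI_LOGFILE%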

?

?

4. E:\system\startStopService.bat

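REM startStopService.bat -- run by the service_Change event trigger (as systemMonitor).
REM Appends the most recent System-log 7035 event to the day's monitor log.
REM NOTE(review): the file name slices %DATE% at positions 0-3, 5-6, 8-9 (yyyy-mm-dd
REM style locale date assumed); confirm on the host.
set SYS_MONI_LOGFILE=E:\system\logs\systemMonitor%DATE:~0,4%%DATE:~5,2%%DATE:~8,2%.log
REM The append redirect fails if the logs directory is missing, so create it first.
if not exist "E:\system\logs" mkdir "E:\system\logs"
REM Marker line the parser keys on (it skips the following 4 banner/header lines); keep the text exactly as is.
echo @@systemMonitor@@ SKIP LINES >> %SYS_MONI_LOGFILE%
REM /R 1 = only the newest matching event; back-to-back service events may be recorded twice or missed.
CSCRIPT C:\Windows\system32\Eventquery.vbs /L system /R 1 /FI "ID eq 7035" /V /FO CSV >> %SYS_MONI_LOGFILE%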

?

5. 附java解析日志代码

5.1 输出日志格式

@@systemMonitor@@ SKIP LINES  
Microsoft (R) Windows Script Host Version 5.6
版权所有(C) Microsoft Corporation 1996-2001。保留所有权利。

"类型","事件","时间日期","来源","计算机名","类别","用户","描述"
"审核成功","628","2010-5-6 14:22:41","Security","BBK","帐户管理","BBK\achievo","设置了用户帐户密码:  	目标帐户名:	Guest  	目标域:	BBK  	目标帐户 ID:	BBK\Guest  	调用方用户名:	achievo  	调用方域:	BBK  	调用方登录 ID:	(0x0,0xF9D361C)"

?

5.2 Java 解析代码(注意: 该解析器按逗号拆分 CSV 行, 并依赖中文描述文本中“:”的位置来提取帐户名; 若帐户名或计算机名本身含有逗号、引号, 或系统语言不是中文, 解析结果会出错)

package org.javaf.system.monitor;
import java.util.Calendar;

import org.javaf.common.utils.ReadTextFile;
import org.javaf.common.utils.WriteTextFile;
public class WindowsServerMonitor extends AbstractCommonMonitor {
	protected void getReport(ReadTextFile rt ,WriteTextFile wtm,WriteTextFile wtd) {
		String line;
		while((line = rt.readLine()) != null) {
			if(line.startsWith("@@systemMonitor@@ SKIP LINES")) {
				this.skipLine(rt, 4);
				continue;
			}
			if(line.indexOf(",") <=0 )
				continue;
			String contents[] = line.split(",");
			if(contents.length < 8)
				continue;
			Calendar c = Calendar.getInstance();
			c.set(Calendar.DAY_OF_YEAR,c.get(Calendar.DAY_OF_YEAR)-1);
			int day = c.get(Calendar.DATE);
			int month = c.get( Calendar.MONTH ) + 1;
			String outLine = "";
			if(day<10 && month < 10){
				outLine = getContent(contents,2).substring(0, 8) + "|" + ip;
			}else if(day > 10 && month > 10 ){
				outLine = getContent(contents,2).substring(0, 10) + "|" + ip;
			}else {
				outLine = getContent(contents,2).substring(0, 9) + "|" + ip;
			}
			long pid = getContentToLong(contents,1);
			if(pid == 627 || pid == 628) {
				String opUser = getContent(contents,7).split(":")[2].trim().split("\\s")[0].trim();
				outLine += "|" + ( pid == 628 ? "设置":"更改") + opUser + "密码";
				outLine += "|" + getContent(contents,6);
				outLine += "|1";
				wtm.println(outLine);
			}
			else if(pid == 7035) {
				String tmpStr = getContent(contents,7);
				tmpStr = tmpStr.substring(tmpStr.length()-6,tmpStr.length()-4) +"\"" +tmpStr.substring(0,tmpStr.indexOf("服务")).trim() + "\"服务";
				outLine += "|" + tmpStr + "|" + getContent(contents,6);
				outLine += "|1";
				if( outLine.indexOf( "WinHTTP Web Pr