日期:2014-05-17 浏览次数:21217 次
? 本文旨在描述如何在Windows 2003上监控用户密码修改和系统服务的启停
? 本文部分功能需要可能需要启用相应的组策略编辑
? 本文所涉及用户或目录是假定的目录,比如本文约定工作目录 E:\sytem、监控命令执行的用户是systemMonitor
?
REM 监控任何用户密码重置时,使用systemMonitor用户执行E:\system\pwdChangeTask.bat EVENTTRIGGERS /Create /RU systemMonitor /RP systemMonitor的密码 /TR password_Set /L security /EID 628 /TK E:\system\pwdChangeTask.bat REM 监控任何用户密码修改时,使用systemMonitor用户执行E:\system\pwdChangeTask.bat EVENTTRIGGERS /Create /RU systemMonitor /RP systemMonitor的密码 /TR password_Change /L security /EID 627 /TK E:\system\pwdChangeTask.bat REM 监控服务启停时,使用systemMonitor用户执行E:\system\startStopService.bat EVENTTRIGGERS /Create /RU systemMonitor /RP systemMonitor的密码 /TR service_Change /L system /EID 7035 /TK E:\system\startStopService.bat
?
?
?
REM 输出日志文件路径 set SYS_MONI_LOGFILE=E:\system\logs\systemMonitor%DATE:~0,4%%DATE:~5,2%%DATE:~8,2%.log REM 输出跳行标志,文件里面%SYS_MONI_LOGFILE%出现@@systemMonitor@@ SKIP LINES 解析时需要跳n行解析 echo @@systemMonitor@@ SKIP LINES >> %SYS_MONI_LOGFILE% REM 日志格式输出 CSCRIPT C:\Windows\system32\Eventquery.vbs /L Security /R 1 /FI "ID eq 627 OR ID eq 628" /V /FO CSV >> %SYS_MONI_LOGFILE%
?
?
set SYS_MONI_LOGFILE=E:\system\logs\systemMonitor%DATE:~0,4%%DATE:~5,2%%DATE:~8,2%.log echo @@systemMonitor@@ SKIP LINES >> %SYS_MONI_LOGFILE% CSCRIPT C:\Windows\system32\Eventquery.vbs /L system /R 1 /FI "ID eq 7035" /V /FO CSV >> %SYS_MONI_LOGFILE%
?
@@systemMonitor@@ SKIP LINES Microsoft (R) Windows Script Host Version 5.6 版权所有(C) Microsoft Corporation 1996-2001。保留所有权利。 "类型","事件","时间日期","来源","计算机名","类别","用户","描述" "审核成功","628","2010-5-6 14:22:41","Security","BBK","帐户管理","BBK\achievo","设置了用户帐户密码: 目标帐户名: Guest 目标域: BBK 目标帐户 ID: BBK\Guest 调用方用户名: achievo 调用方域: BBK 调用方登录 ID: (0x0,0xF9D361C)"
?
package org.javaf.system.monitor; import java.util.Calendar; import org.javaf.common.utils.ReadTextFile; import org.javaf.common.utils.WriteTextFile; public class WindowsServerMonitor extends AbstractCommonMonitor { protected void getReport(ReadTextFile rt ,WriteTextFile wtm,WriteTextFile wtd) { String line; while((line = rt.readLine()) != null) { if(line.startsWith("@@systemMonitor@@ SKIP LINES")) { this.skipLine(rt, 4); continue; } if(line.indexOf(",") <=0 ) continue; String contents[] = line.split(","); if(contents.length < 8) continue; Calendar c = Calendar.getInstance(); c.set(Calendar.DAY_OF_YEAR,c.get(Calendar.DAY_OF_YEAR)-1); int day = c.get(Calendar.DATE); int month = c.get( Calendar.MONTH ) + 1; String outLine = ""; if(day<10 && month < 10){ outLine = getContent(contents,2).substring(0, 8) + "|" + ip; }else if(day > 10 && month > 10 ){ outLine = getContent(contents,2).substring(0, 10) + "|" + ip; }else { outLine = getContent(contents,2).substring(0, 9) + "|" + ip; } long pid = getContentToLong(contents,1); if(pid == 627 || pid == 628) { String opUser = getContent(contents,7).split(":")[2].trim().split("\\s")[0].trim(); outLine += "|" + ( pid == 628 ? "设置":"更改") + opUser + "密码"; outLine += "|" + getContent(contents,6); outLine += "|1"; wtm.println(outLine); } else if(pid == 7035) { String tmpStr = getContent(contents,7); tmpStr = tmpStr.substring(tmpStr.length()-6,tmpStr.length()-4) +"\"" +tmpStr.substring(0,tmpStr.indexOf("服务")).trim() + "\"服务"; outLine += "|" + tmpStr + "|" + getContent(contents,6); outLine += "|1"; if( outLine.indexOf( "WinHTTP Web Pr