Re: OpenWSMan; Using Linux to collect events from Windows

Re: OpenWSMan; Using Linux to collect events from Windows

Clifford Heath
Klaus (and the list, if this message is accepted),

Thanks for your offer to help.

>> I’m trying to set up openwsman to collect events from Windows Server 2008 systems.
>> Neither the Microsoft documentation nor openwsman helps much, because they both
>> seem to assume that you’re using only one kind of system.
>
> I'd like to enhance the Openwsman documentation. So every piece of
> information you can give me is valuable.
>
> I have limited access to Windows systems but can try to reproduce
> issues with good explanations. Can you tell me how to set up eventing
> in Windows?
Event Logging is configured on a vanilla install of Windows Server
2003 or more recent. I’m interested in the Kerberos Logins and some
other events I won’t detail here.

I’m testing it with a Windows Server 2008 instance in VMWare.
It has been configured with a host-only network (for convenience)
and an isolated network on which I have a couple of other VMs.

The Server is set up as a Domain Controller, meaning it has Kerberos
and Active Directory. It’s also running DHCP (on the isolated LAN),
DNS, and a RADIUS server, which is part of the Network Policy and
Access Server. RADIUS handles authentication for wireless access
points, but that’s not relevant here.

In the Server Manager control panel, I have these four roles (AD, DHCP,
DNS, NPS). The other top-level nodes in Server Manager are Features
(which I haven’t touched), Diagnostics (where the Event Viewer lives),
Configuration and Storage (haven’t touched the last 2).

So now I have a Subscription file written in XML, which should be
requested by the server from the Event Sink, and that configures the
collection of events, including the event queries which define what should
be sent. My file is sending the Kerberos Login/Logout events and some
others. The Event Query has been tested as a Custom View in the event
viewer.

I’ve attached a cut-down copy of the Subscription file for you to see what
they look like.

Now what is meant to happen for a Source-Initiated Subscription is that
you go into the Group Policy Editor, drill down to Computer Configuration->
Administrative Templates->Windows Components->Event Forwarding,
and you see “Configure the Server Address, refresh interval, etc”.
Double-click on that and you can enable and add a “Subscription Manager”
which has the URL of a machine where the Subscription XML file will be
fetched.

I have a wseventsink running on a Linux computer (with an SSH tunnel
so it is available to the source server).

This is where I’m stuck. I don’t know if openwsman has the ability to deliver
the subscription file. We have built a stand-alone event sink to receive the
events over HTTP (and that might yet cause authentication worries) but
the Windows machine is saying that my Subscription Manager URL is
invalid. Specifically, the text is:
“A subscription policy contains invalid configuration.  Description of policy is http://…”
This message appears in the Server Manager under Event Viewer->
Applications and Services Logs->Microsoft->Windows->Eventlog-Forwarding
Plugin->Operational.

So I’m trying to figure out how to set up this subscription so that:
(a) Windows will accept the URL via Policy and try to fetch the Subscription
(b) The Linux Event Sink will provide the Subscription file
(c) Windows will deliver events that match the query in the subscription.

Any help would be appreciated, even if you just tell me that this is not yet
supported in openwsman.

Clifford Heath.




_______________________________________________
Openwsman-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/openwsman-devel

Attachment: events.xml (2K)

Re: OpenWSMan; Using Linux to collect events from Windows

Klaus Kaempf
* Clifford Heath <[hidden email]> [Feb 24. 2014 11:03]:
>
> This is where I’m stuck. I don’t know if openwsman has the ability to deliver
> the subscription file.

Probably it doesn't.

> We have built a stand-alone event sink to receive the
> events over HTTP (and that might yet cause authentication worries) but
> the Windows machine is saying that my Subscription Manager URL is
> invalid.

Can you do a network traffic analysis (using e.g. Wireshark)? I
wonder what the request for the subscription file looks like.

Maybe it's simple to implement ...

Klaus
--
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Maxfeldstraße 5, 90409 Nürnberg, Germany
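One way to see what the Windows source actually sends to the Subscription Manager URL, as Klaus suggests, is to point the policy at a small listener that only logs and refuses. The following is an added example, not openwsman code and not anything posted in this thread; it assumes the source POSTs WS-Man SOAP over plain HTTP on port 5985, and the host name and SubscriptionManager resource URI in the constructed sample are assumptions, not captured values.

```python
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

# Standard SOAP 1.2 / WS-Addressing / WS-Management namespaces.
NS = {"s": "http://www.w3.org/2003/05/soap-envelope",
      "a": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
      "w": "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"}

def summarize_wsman_request(body: bytes) -> dict:
    """Return the SOAP header fields that identify a WS-Man request.
    Raises ET.ParseError if the body is not XML."""
    header = ET.fromstring(body).find("s:Header", NS)
    if header is None:
        return {}
    def text(tag):
        el = header.find(tag, NS)
        return el.text.strip() if el is not None and el.text else None

    return {"action": text("a:Action"), "to": text("a:To"),
            "resource_uri": text("w:ResourceURI")}

class ObservingSink(BaseHTTPRequestHandler):
    """Logs every POST and answers 501: nothing is acknowledged while we
    only want to see what the source sends and how it authenticates."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        # Record only the authentication scheme, never the credential.
        scheme = self.headers.get("Authorization", "<none>").split(" ", 1)[0]
        print(f"POST {self.path} auth={scheme} "
              f"content-type={self.headers.get('Content-Type')}")
        try:
            print(summarize_wsman_request(body))
        except ET.ParseError as exc:
            print("non-XML body:", exc)
        self.send_response(501)
        self.end_headers()

# Constructed sample of an Enumerate request as a source-initiated client
# might send it (host and resource URI are assumptions, not captured values).
SAMPLE = b"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
 xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
 xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"><s:Header>
 <a:To>http://sink.example.invalid:5985/wsman/SubscriptionManager/WEC</a:To>
 <w:ResourceURI>http://schemas.microsoft.com/wbem/wsman/1/SubscriptionManager/Subscription</w:ResourceURI>
 <a:Action>http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate</a:Action>
</s:Header><s:Body/></s:Envelope>"""

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 5985), ObservingSink).serve_forever()
```

Run it on the sink host and watch the printed action and resource URI; if no POST arrives at all, the policy string itself is being rejected before any connection is attempted.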


Re: OpenWSMan; Using Linux to collect events from Windows

Clifford Heath
On 25 Feb 2014, at 8:27 pm, Klaus Kaempf <[hidden email]> wrote:
> * Clifford Heath <[hidden email]> [Feb 24. 2014 11:03]:
>>
>> This is where I’m stuck. I don’t know if openwsman has the ability to deliver
>> the subscription file.
> Probably it doesn't.

OK, thanks Klaus, that tells me I definitely need to set up a second
Windows computer and attempt to snoop on the plain-text HTTP,
if I can persuade Windows to even do that.

>> We have built a stand-alone event sink to receive the
>> events over HTTP (and that might yet cause authentication worries) but
>> the Windows machine is saying that my Subscription Manager URL is
>> invalid.
> I wonder what the request for the subscription file looks like.
> Maybe it's simple to implement …

It should be, until you want to move to HTTPS with LM, Kerberos or GSS
encryption. But at present I don’t know how to configure it to even attempt
a connection :(.

Can anyone else on the list help with this?

Clifford Heath.
