Thread: How to write the session collector?

  1. #1
    steve zeng NNTP User

    How to write the session collector?


    Dear All,

    I am delivering a Sentinel project for our customer. The customer needs to
    collect Exchange POP3 connection logs; they focus on sensitive account
    logon success and failure from invalid client IPs, but I found that a POP3 user
    logon failure event is spread across multiple log lines with the same sessionID.
    I don't know how to write a session collector. Can anyone help me? Thanks!

    The POP3 user logon failure logs are as follows:

    #Software: Microsoft Exchange Server
    #Version: 14.0.0.0
    #Log-type: POP3 Log
    #Date: 2013-06-28T00:00:00.587Z
    #Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
    2013-06-28T00:04:00.067Z,000000000000BC6B,0,10.108.248.26:110,218.17.164.20:26039,,-2147483648,0,51,OpenSession,,
    2013-06-28T00:04:00.083Z,000000000000BC6B,1,10.108.248.26:110,218.17.164.20:26039,,0,23,5,user,zouminghua@tcl.com,R=ok
    2013-06-28T00:04:00.114Z,000000000000BC6B,2,10.108.248.26:110,218.17.164.20:26039,,15,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LoginDenied"
    2013-06-28T00:04:00.114Z,000000000000BC6B,3,10.108.248.26:110,218.17.164.20:26039,,0,4,61,quit,,R=ok

    These logs have the same sessionId, but the "-ERR Logon failure" log line doesn't
    include the username, while the second log line (user,zouminghua@tcl.com) does not
    include the logon failure information but only the user information.

    How to write the session collector? Thanks!

    BR
    Steve zeng


    --
    steve_zeng
    ------------------------------------------------------------------------
    steve_zeng's Profile: https://forums.netiq.com/member.php?userid=3875
    View this thread: https://forums.netiq.com/showthread.php?t=48087


  2. #2
    ab NNTP User

    Re: How to write the session collector?

    Since you do not mention it I assume you have not seen the relevant
    section in the collector plugin development documentation. Hopefully this
    helps:

    http://www.novell.com/developer/plug..._sessions.html

    Other examples are present in the Novell/NetIQ eDirectory collector
    plugin, or the Novell Open Enterprise Server (OES) collector plugin.

    Good luck.

  3. #3
    DCorlette NNTP User

    Re: How to write the session collector?


    Hi Steve,

    It's a little hard to help you without providing more context. How you
    use the Session method depends a bit on exactly what the input looks
    like - do you always have the same number of lines in a Session, or does
    it vary? Does a new 'sessionid' in a new input line always indicate the
    start of a new input record? Including more than just a few lines of
    input would help.

    In general, what you want to do is write your code to accumulate lines
    in a Session object based on some key. In this case the key will likely
    be the 'sessionid' from the input lines, although you may want to
    concatenate the EventSourceID (rv24) in case you have multiple sources
    feeding your Collector (in which case even if an individual source
    guarantees unique sessionids, you may end up with conflicts across
    sources).

    So, basically something like this:

    // Check whether there's already a Session for this id and source
    var sess = Session.get(this.sessionid + this.s_RV24);
    if (sess) {
        sess.store(this);
    } else {
        // First line of a new session: create it, attach the parser, store the line
        sess = new Session(this.sessionid + this.s_RV24);
        sess.addParser(instance.PARSER.audit);
        sess.store(this);
    }

    So all this does is accumulate input lines into Sessions based on the
    sessionid and source, creating a new Session if one doesn't already
    exist. I've assumed that you've parsed out the input line into named
    variables, note - more likely you'd have 'this.line[1]' or something.

    The next bit depends on determining how to cause the Sessions to
    actually be parsed; you can do this based on a fixed number of records,
    a timer, and so forth. If you know that there are always exactly four
    lines that make up a record, you can set the sess.MaxRecs value to 4 -
    as soon as the Session has four lines, it will be parsed. The timer is
    used for cases where you're waiting for some followup record to arrive
    (or not arrive) and the parsing will be based on that.

    In this case I'll assume that there's a variable number of lines in a
    single record, and that the only way to tell if a new record is starting
    to come in is that a new line contains a different sessionid. To detect
    this, you'll need to cache the previous sessionid, and compare the
    current one to that old one. You can cache the previous sessionid in
    instance.CACHE.<something> - you might want to make this a hash based on
    rv24 to distinguish between sources. Then you just check if the most
    recently received sessionid is different, and if so, look up the Session
    for the previous sessionid and expire it. Something like:

    // A different sessionid from this source means the previous record is complete
    if ( this.sessionid != instance.CACHE.Sessions[this.s_RV24] ) {
        var sess = Session.get(instance.CACHE.Sessions[this.s_RV24] + this.s_RV24);
        if (sess) {
            // Will trigger parsing for the Session, since it has more than one record
            sess.MaxRecs = 1;
        }
        instance.CACHE.Sessions[this.s_RV24] = this.sessionid;
    }

    There are a few more details here, for example you have to initialize
    the cache, and this code has to be integrated with the above, but you
    should get the idea.

    Good luck!


    sess.MaxRecs = 1;


    --
    DCorlette
    ------------------------------------------------------------------------
    DCorlette's Profile: https://forums.netiq.com/member.php?userid=323


  4. #4
    steve zeng NNTP User

    Re: How to write the session collector?


    Thank you very much for your guidance. This is a customer
    Sentinel project; they need to know POP3 user logon success and failure
    via the POP3 connection logs. The log content is as follows:

    POP3 log header information:
    ---------------------------------------------------------------------------------------------------------------------------------
    #Software: Microsoft Exchange Server
    #Version: 14.0.0.0
    #Log-type: POP3 Log
    #Date: 2013-06-23T00:00:11.852Z
    #Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
    ---------------------------------------------------------------------------------------------------------------------------------

    POP3 successful logon:
    ---------------------------------------------------------------------------------------------------------------------------------
    2013-06-28T06:00:00.764Z,000000000000D1AE,0,10.108.248.26:110,10.108.13.52:52820,,-2147483648,0,51,OpenSession,,
    2013-06-28T06:00:00.889Z,000000000000D1AE,1,10.108.248.26:110,10.108.13.52:52820,,0,15,5,user,zhengzhong,R=ok;RpcL=-1;LdapL=-1
    2013-06-28T06:00:00.936Z,000000000000D1AE,2,10.108.248.26:110,10.108.13.52:52820,zhengzhong,46,10,34,pass,*****,"R=ok;RpcL=-1;LdapL=-1;Msg=User:֣:c8cbed00-bec6-4e49-96d8-3f7c7223261e:MailboxDatabase02(IT):P1GLEXGBE01.csot.TCL.com;Budget=""Conn:0,HangingConn:0,(Mdb)MailboxDatabase02(IT)(Health:-1%,HistLoad:0),]"""
    2013-06-28T06:00:00.936Z,000000000000D1AE,3,10.108.248.26:110,10.108.13.52:52820,zhengzhong,0,4,19,stat,,"R=ok;RpcL=-1;LdapL=-1;Rows=294;(Mdb)MailboxDatabase02(IT)(Health:-1%,HistLoad:0),]"""
    2013-06-28T06:00:00.936Z,000000000000D1AE,4,10.108.248.26:110,10.108.13.52:52820,zhengzhong,0,4,2840,uidl,,"R=ok;Budget=""Conn:0,HangingConn:0,AD:$null/$null/0%,CAS:$null/$null/1%,AB:$null/$null/0%,RPC:$null/$null/0%,FC:1000/0,Norm[ResourcesDC)P1GLINFAD03.csot.TCL.com(Health:-1%,HistLoad:0),(Mdb)MailboxDatabase02(IT)(Health:-1%,HistLoad:0),]"""
    2013-06-28T06:00:00.983Z,000000000000D1AE,6,10.108.248.26:110,10.108.13.52:52820,zhengzhong,0,4,61,quit,,"R=ok;Budget=""Conn:0,HangingConn:0,(Mdb)MailboxDatabase02(IT)(Health:-1%,HistLoad:0),]"""
    ---------------------------------------------------------------------------------------------------------------------------------
    I found that successful logon logs always include "OpenSession", "user,",
    "pass,*****,"R=ok" and "quit", but identifying a successful logon event only
    needs the third event, which contains "pass,*****,"R=ok"". The customer needs to
    obtain the source IP, destination IP (Exchange server), username and datetime.

    But POP3 logon failure events need to combine the second and the third
    event to obtain the necessary information. If I use a session collector, do the
    logon success logs also need to be parsed with the session method? Thanks!

    POP3 failed logon:

    2013-06-28T06:00:29.594Z,000000000000D1B4,0,10.108.248.26:110,10.108.66.146:50019,,-2147483648,0,51,OpenSession,,
    2013-06-28T06:00:29.594Z,000000000000D1B4,1,10.108.248.26:110,10.108.66.146:50019,,0,19,5,user,daiwei,R=ok;RpcL=-1;LdapL=-1
    2013-06-28T06:00:29.719Z,000000000000D1B4,2,10.108.248.26:110,10.108.66.146:50019,,124,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";RpcL=-1;LdapL=-1;Msg=LogonFailed:LoginDenied"
    2013-06-28T06:00:29.719Z,000000000000D1B4,3,10.108.248.26:110,10.108.66.146:50019,,0,4,61,quit,,R=ok

    Thanks again!!

    BR




  5. #5
    steve zeng NNTP User

    Re: How to write the session collector?


    Dears,

    Thank you very much again, but I still have many doubts that I need you to
    answer, as follows (please note that my doubts are described after "//"):

    Collector.prototype.initialize = function() {

        // Define a Session parser and store it in a global area for easy retrieval
        this.PARSER.parseCreateSessions = function() {
            var newEvt = new Event(instance.protoEvt);
            // Get the stored Records from the Session. Does sessRecs have two
            // events, including the username and the logon failure information?
            var sessRecs = this.retrieve();
            // It seems this only gets the first event, which includes the username
            // information. How do I get the second event (logon failure)?
            var userRec = sessRecs[0]; // the "user" line: carries the username
            var failRec = sessRecs[1]; // the "pass" line: carries "-ERR Logon failure"
            // How do I write the parsing code?
            userRec.parseRecData(newEvt);
            failRec.parseRecData(newEvt);
            // I don't know what format the event is?
            this.send(newEvt);
        };
        return true;
    };

    Record.prototype.parse = function(e) {
        // Detect the "user" line of a session and open a Session keyed on source + sessionId
        if (/^\d{4}-\d+-\d+T\d+:\d+:\d+\.\d+Z,(\d+[A-Z0-9]+),.*,user,[^,]*,R=ok/.test(this.s_RXBufferString)) {
            var sesskey = this.s_RV24 + ":" + RegExp.$1;
            var sess = new Session(sesskey, 2); // MaxRecs 2: parse once both Records are stored
            // Will it run the parser only once it has two events (username and logon failure)?
            sess.addParser(instance.PARSER.parseCreateSessions);
            sess.store(this);
            return false; // Short circuit the normal loop
        } else if (/^\d{4}-\d+-\d+T\d+:\d+:\d+\.\d+Z,(\d+[A-Z0-9]+),.*-ERR Logon failure:.*/.test(this.s_RXBufferString)) {
            var sesskey1 = this.s_RV24 + ":" + RegExp.$1;
            // Does sesskey have a value from the parsing above?
            var sess1 = Session.get(sesskey1); // look up the Session opened by the "user" line
            if (sess1) {
                sess1.store(this); // second Record: reaches MaxRecs and triggers the parser
                return false;
            }
        }
        return false;
    };




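    The following is an added example, not code from any post in this thread or from the Sentinel SDK: it models DCorlette's "accumulate records under a source + sessionId key" approach and the user/pass join Steve's parseCreateSessions needs, as plain Node.js over the POP3 log format shown above. Sentinel's Session and Record objects are replaced by a Map, the EventSourceID (rv24) by a constructed "src1" string, and the log lines are constructed from the samples in the thread.

    ```javascript
    // Added example (not from the thread): stand-alone model of the session
    // collector for Exchange POP3 logs. A Map stands in for Sentinel Sessions.
    const FIELDS = ["dateTime", "sessionId", "seqNumber", "sIp", "cIp", "user",
      "duration", "rqsize", "rpsize", "command", "parameters", "context"];
    const SAMPLE_LINES = [ // constructed from the thread's samples: one failed, one successful logon
      "2013-06-28T00:04:00.083Z,000000000000BC6B,1,10.108.248.26:110,218.17.164.20:26039,,0,23,5,user,zouminghua@tcl.com,R=ok",
      '2013-06-28T00:04:00.114Z,000000000000BC6B,2,10.108.248.26:110,218.17.164.20:26039,,15,10,56,pass,*****,"R=""-ERR Logon failure: unknown user name or bad password."";Msg=LogonFailed:LoginDenied"',
      "2013-06-28T00:04:00.114Z,000000000000BC6B,3,10.108.248.26:110,218.17.164.20:26039,,0,4,61,quit,,R=ok",
      "2013-06-28T06:00:00.889Z,000000000000D1AE,1,10.108.248.26:110,10.108.13.52:52820,,0,15,5,user,zhengzhong,R=ok;RpcL=-1;LdapL=-1",
      '2013-06-28T06:00:00.936Z,000000000000D1AE,2,10.108.248.26:110,10.108.13.52:52820,zhengzhong,46,10,34,pass,*****,"R=ok;RpcL=-1;LdapL=-1;Msg=User:..."',
    ];
    // Split one CSV line into named fields, honouring double-quoted fields with
    // "" escapes (the context field of the "pass" reply has commas and quotes).
    function parseRecord(line) {
      const cols = []; let cur = "", quoted = false;
      for (let i = 0; i < line.length; i++) {
        const c = line[i];
        if (c === '"') {
          if (quoted && line[i + 1] === '"') { cur += '"'; i++; } else quoted = !quoted;
        } else if (c === "," && !quoted) { cols.push(cur); cur = ""; }
        else cur += c;
      }
      cols.push(cur);
      const rec = {};
      cols.forEach((v, i) => { rec[FIELDS[i]] = v.trim(); });
      return rec;
    }
    // Accumulate records under (eventSourceId, sessionId). The "pass" reply decides
    // the outcome; the username comes from the earlier "user" record of the same
    // session, since a failed "pass" line has an empty user field. "quit" expires it.
    function correlate(lines, eventSourceId = "src1") {
      const sessions = new Map(), events = [];
      for (const line of lines) {
        if (line.startsWith("#") || line.startsWith("dateTime,")) continue; // header rows
        const rec = parseRecord(line), key = eventSourceId + ":" + rec.sessionId;
        if (!sessions.has(key)) sessions.set(key, []);
        const recs = sessions.get(key);
        recs.push(rec);
        if (rec.command === "pass") {
          const userRec = recs.find(r => r.command === "user");
          events.push({ dateTime: rec.dateTime,
            sourceIp: rec.cIp.split(":")[0], destIp: rec.sIp.split(":")[0], // ports dropped
            user: userRec ? userRec.parameters : rec.user,
            outcome: /^R=ok/.test(rec.context) ? "success"
              : /-ERR Logon failure/.test(rec.context) ? "failure" : "unknown" });
        }
        if (rec.command === "quit") sessions.delete(key); // session closed: expire it
      }
      return events;
    }
    ```

    Running correlate(SAMPLE_LINES) yields one event per session, each carrying the datetime, client IP, server IP, username and outcome the customer asked for.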

