
How to write the session collector?


Dear All,

I am delivering a Sentinel project for our customer. The customer needs to
collect Exchange POP3 connection logs. They focus on sensitive account
logon successes and failures from invalid client IPs, but I found that a POP3 user
logon failure event is spread across multiple log lines with the same sessionID.
I don't know how to write a session collector. Can anyone help me? Thanks!

The POP3 user logon failure logs are as follows:

dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: POP3 Log
#Date: 2013-06-28T00:00:00.587Z
#Fields:
dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
2013-06-28T00:04:00.067Z,000000000000BC6B,0,10.108.248.26:110,218.17.164.20:26039,,-2147483648,0,51,OpenSession,,
2013-06-28T00:04:00.083Z,000000000000BC6B,1,10.108.248.26:110,218.17.164.20:26039,,0,23,5,user,zouminghua@tcl.com,R=ok
2013-06-28T00:04:00.114Z,000000000000BC6B,2,10.108.248.26:110,218.17.164.20:26039,,15,10,56,pass,*****,"R=""-ERR
Logon failure: unknown user name or bad
password."";Msg=LogonFailed:LoginDenied"
2013-06-28T00:04:00.114Z,000000000000BC6B,3,10.108.248.26:110,218.17.164.20:26039,,0,4,61,quit,,R=ok

These logs have the same sessionId, but the "-ERR Logon failure" line doesn't
include the username, and the second line (user,zouminghua@tcl.com) doesn't
include the logon failure information, only the user information.

How to write the session collector? Thanks!

BR
Steve zeng


--
steve_zeng
------------------------------------------------------------------------
steve_zeng's Profile: https://forums.netiq.com/member.php?userid=3875
View this thread: https://forums.netiq.com/showthread.php?t=48087


Re: How to write the session collector?

Since you do not mention it I assume you have not seen the relevant
section in the collector plugin development documentation. Hopefully this
helps:

http://www.novell.com/developer/plugin-sdk/collector_sessions.html

Other examples are present in the Novell/NetIQ eDirectory collector
plugin, or the Novell Open Enterprise Server (OES) collector plugin.

Good luck.

Re: How to write the session collector?


Hi Steve,

It's a little hard to help you without providing more context. How you
use the Session method depends a bit on exactly what the input looks
like - do you always have the same number of lines in a Session, or does
it vary? Does a new 'sessionid' in a new input line always indicate the
start of a new input record? Including more than just a few lines of
input would help.

In general, what you want to do is write your code to accumulate lines
in a Session object based on some key. In this case the key will likely
be the 'sessionid' from the input lines, although you may want to
concatenate the EventSourceID (rv24) in case you have multiple sources
feeding your Collector (in which case even if an individual source
guarantees unique sessionids, you may end up with conflicts across
sources).

So, basically something like this:

var sess = Session.get(this.sessionid + this.s_RV24); // Checks to see if there's already a Session for this id and source
if (sess) {
    sess.store(this);
} else {
    sess = new Session(this.sessionid + this.s_RV24);
    sess.addParser(instance.PARSER.audit);
    sess.store(this);
}

So all this does is accumulate input lines into Sessions based on the
sessionid and source, creating a new Session if one doesn't already
exist. I've assumed that you've parsed out the input line into named
variables, note - more likely you'd have 'this.line[1]' or something.

The next bit depends on determining how to cause the Sessions to
actually be parsed; you can do this based on a fixed number of records,
a timer, and so forth. If you know that there are always exactly four
lines that make up a record, you can set the sess.MaxRecs value to 4 -
as soon as the Session has four lines, it will be parsed. The timer is
used for cases where you're waiting for some followup record to arrive
(or not arrive) and the parsing will be based on that.

In this case I'll assume that there's a variable number of lines in a
single record, and that the only way to tell if a new record is starting
to come in is that a new line contains a different sessionid. To detect
this, you'll need to cache the previous sessionid, and compare the
current one to that old one. You can cache the previous sessionid in
instance.CACHE.<something> - you might want to make this a hash based on
rv24 to distinguish between sources. Then you just check if the most
recently received sessionid is different, and if so, look up the Session
for the previous sessionid and expire it. Something like:

instance.CACHE.Sessions = instance.CACHE.Sessions || {}; // One cached "previous sessionid" per source (rv24)
if ( this.sessionid != instance.CACHE.Sessions[this.s_RV24] ) {
    // Look up the Session that was accumulating the previous sessionid from this source;
    // the key is built the same way as above (sessionid + source)
    var sess = Session.get(instance.CACHE.Sessions[this.s_RV24] + this.s_RV24);
    if (sess) {
        sess.MaxRecs = 1; // Will trigger parsing for the Session, since it has more than one record
    }
    instance.CACHE.Sessions[this.s_RV24] = this.sessionid;
}

There are a few more details here, for example you have to initialize
the cache, and this code has to be integrated with the above, but you
should get the idea.

Good luck!

--
DCorlette
------------------------------------------------------------------------
DCorlette's Profile: https://forums.netiq.com/member.php?userid=323
View this thread: https://forums.netiq.com/showthread.php?t=48087


Re: How to write the session collector?


Thank you very much for your guidance. This is a customer
Sentinel project; they need to know POP3 user logon successes and failures
via the POP3 connection logs. The log content is as follows:

POP3 log header information:
---------------------------------------------------------------------------------------------------------------------------------
dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: POP3 Log
#Date: 2013-06-23T00:00:11.852Z
#Fields:
dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
------------------------------------------------------------------------------------------------------------------------------------------

POP3 successful logon:
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
2013-06-28T06:00:00.764Z,000000000000D1AE,0,10.108.248.26:110,10.108.13.52:52820,,-2147483648,0,51,OpenSession,,
2013-06-28T06:00:00.889Z,000000000000D1AE,1,10.108.248.26:110,10.108.13.52:52820,,0,15,5,user,zhengzhong,R=ok;RpcL=-1;LdapL=-1
2013-06-28T06:00:00.936Z,000000000000D1AE,2,10.108.248.26:110,10.108.13.52:52820,zhengzhong,46,10,34,pass,*****,"R=ok;RpcL=-1;LdapL=-1;Msg=User:Ö£ÖÐ:c8cbed00-bec6-4e49-96d8-3f7c7223261e:MailboxDatabase02(IT):P1GLEXGBE01.csot.TCL.com;Budget=""Conn:0,HangingConn:0,(Mdb)MailboxDatabase02(IT)(Health:-1%,HistLoad:0),]"""
2013-06-28T06:00:00.936Z,000000000000D1AE,3,10.108.248.26:110,10.108.13.52:52820,zhengzhong,0,4,19,stat,,"R=ok;RpcL=-1;LdapL=-1;Rows=294;(Mdb)MailboxDatabase02(IT)(Health:-1%,HistLoad:0),]"""
2013-06-28T06:00:00.936Z,000000000000D1AE,4,10.108.248.26:110,10.108.13.52:52820,zhengzhong,0,4,2840,uidl,,"R=ok;Budget=""Conn:0,HangingConn:0,AD:$null/$null/0%,CAS:$null/$null/1%,AB:$null/$null/0%,RPC:$null/$null/0%,FC:1000/0,Norm[Resources:(DC)P1GLINFAD03.csot.TCL.com(Health:-1%,HistLoad:0),(Mdb)MailboxDatabase02(IT)(Health:-1%,HistLoad:0),]"""
2013-06-28T06:00:00.983Z,000000000000D1AE,6,10.108.248.26:110,10.108.13.52:52820,zhengzhong,0,4,61,quit,,"R=ok;Budget=""Conn:0,HangingConn:0,(Mdb)MailboxDatabase02(IT)(Health:-1%,HistLoad:0),]"""

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
I found that successful logon logs must include "OpenSession", "user,",
"pass,*****,"R=ok"" and "quit", but identifying a successful logon event only needs
the third line, which includes "pass,*****,"R=ok"". The customer needs to obtain the
source IP, destination IP (Exchange server), username and datetime information.

But POP3 logon failure events need to combine the second and third
lines to obtain the necessary information. If I use a session collector, do the logon
success logs also need to be parsed with the Session method? Thanks!

POP3 failed logon:

2013-06-28T06:00:29.594Z,000000000000D1B4,0,10.108.248.26:110,10.108.66.146:50019,,-2147483648,0,51,OpenSession,,
2013-06-28T06:00:29.594Z,000000000000D1B4,1,10.108.248.26:110,10.108.66.146:50019,,0,19,5,user,daiwei,R=ok;RpcL=-1;LdapL=-1
2013-06-28T06:00:29.719Z,000000000000D1B4,2,10.108.248.26:110,10.108.66.146:50019,,124,10,56,pass,*****,"R=""-ERR
Logon failure: unknown user name or bad
password."";RpcL=-1;LdapL=-1;Msg=LogonFailed:LoginDenied"
2013-06-28T06:00:29.719Z,000000000000D1B4,3,10.108.248.26:110,10.108.66.146:50019,,0,4,61,quit,,R=ok

Thanks again!!

BR




Re: How to write the session collector?


Dear all,

Thank you very much again, but I still have many doubts that I need you to
answer, as follows (please note my questions in the comments after "//"):

Collector.prototype.initialize = function(){

    // Define a Session parser and store it in a global area for easy retrieval
    this.PARSER.parseCreateSessions = function() {
        var newEvt = new Event(instance.protoEvt);
        var sessRecs = this.retrieve(); // Get the stored Records from the Session; does sessRecs have two events included username and logon failure informations?
        // Parse every stored Record into the same Event, so the "user" line and the
        // "-ERR Logon failure" line both contribute their fields (this assumes
        // parseRecData only sets the fields it finds in that Record).
        for (var i = 0; i < sessRecs.length; i++) {
            sessRecs[i].parseRecData(newEvt); // how to write the parsing codes?
        }
        this.send(newEvt); // i don`t know what format is the event?
    };
    return true;
};

Record.prototype.parse = function(e){
    // Detect the "user" command line, which opens a logon attempt.
    // ",user,[^,]*,R=ok" instead of ".*user,.*,R=ok$": the success sample ends in
    // "R=ok;RpcL=-1;LdapL=-1", so anchoring on "R=ok$" would miss it.
    if (/^\d{4}\-\d+\-\d+T\d+:\d+:\d+\.\d+Z,([A-Z0-9]+),.*,user,[^,]*,R=ok/.test(this.s_RXBufferString)) {
        var sesskey = this.s_RV24 + ":" + RegExp.$1;
        var sess = new Session(sesskey, 2); // MaxRecs = 2: parsed as soon as the failure line is stored
        sess.store(this);
        sess.addParser(instance.PARSER.parseCreateSessions); // it will do the action until it has two events(username and logon failure)?
        return false; // Short circuit the normal loop
    // Detect the failed "pass" line by the start of the -ERR response in its quoted context field
    } else if (/^\d{4}\-\d+\-\d+T\d+:\d+:\d+\.\d+Z,([A-Z0-9]+),.*,pass,[^,]*,"R=""-ERR/.test(this.s_RXBufferString)) {
        var sesskey1 = this.s_RV24 + ":" + RegExp.$1;
        // Look up the Session opened by the "user" line with the same key
        // (the original "if (sesskey1 = sesskey)" was an assignment, not a comparison)
        var sess1 = Session.get(sesskey1);
        if (sess1) {
            sess1.store(this);
            return false;
        }
    }
    // Other lines (OpenSession, stat, uidl, quit, and the successful "pass" line) are dropped
    // here; return true instead if the normal parse should run for them.
    return false;
};





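The following is an added example, not code from this thread or from the Sentinel Plugin SDK. It reconstructs in plain Node.js what DCorlette's reply describes (accumulate lines per source + sessionId, parse the accumulated set once the session is complete) and what the follow-up posts ask for (one event per POP3 logon carrying username, client IP, Exchange server IP, timestamp and outcome, for both the success and the failure shape). The `sourceId` argument is an assumed stand-in for the collector's s_RV24; the sample log below is constructed from the lines posted above, with one line break placed inside the quoted context field to exercise that path.

```javascript
// Added example, not code from the thread or the Sentinel SDK: plain Node.js
// reconstruction of the session logic so it can be run on the sample lines.
// `sourceId` stands in for the collector's s_RV24 (assumed); the Sentinel
// Session/Record/Event objects are not used.

// Constructed sample shaped like the Exchange 2010 POP3 log in the thread:
// one failed and one successful logon. The quoted context field can contain
// commas and a line break, which is why a CSV-aware splitter is required.
const SAMPLE_LOG = `#Software: Microsoft Exchange Server
#Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
2013-06-28T00:04:00.067Z,000000000000BC6B,0,10.108.248.26:110,218.17.164.20:26039,,-2147483648,0,51,OpenSession,,
2013-06-28T00:04:00.083Z,000000000000BC6B,1,10.108.248.26:110,218.17.164.20:26039,,0,23,5,user,zouminghua@tcl.com,R=ok
2013-06-28T00:04:00.114Z,000000000000BC6B,2,10.108.248.26:110,218.17.164.20:26039,,15,10,56,pass,*****,"R=""-ERR
Logon failure: unknown user name or bad password."";Msg=LogonFailed:LoginDenied"
2013-06-28T00:04:00.114Z,000000000000BC6B,3,10.108.248.26:110,218.17.164.20:26039,,0,4,61,quit,,R=ok
2013-06-28T06:00:00.764Z,000000000000D1AE,0,10.108.248.26:110,10.108.13.52:52820,,-2147483648,0,51,OpenSession,,
2013-06-28T06:00:00.889Z,000000000000D1AE,1,10.108.248.26:110,10.108.13.52:52820,,0,15,5,user,zhengzhong,R=ok;RpcL=-1;LdapL=-1
2013-06-28T06:00:00.936Z,000000000000D1AE,2,10.108.248.26:110,10.108.13.52:52820,zhengzhong,46,10,34,pass,*****,"R=ok;RpcL=-1;Budget=""Conn:0,HangingConn:0"""
2013-06-28T06:00:00.983Z,000000000000D1AE,3,10.108.248.26:110,10.108.13.52:52820,zhengzhong,0,4,61,quit,,R=ok
`;

const FIELDS = ['dateTime', 'sessionId', 'seqNumber', 'sIp', 'cIp', 'user',
  'duration', 'rqsize', 'rpsize', 'command', 'parameters', 'context'];

// Minimal RFC 4180-style splitter: honours quoted fields, doubled quotes and
// newlines inside quotes; drops '#' header lines and a bare column header.
function parseCsvRecords(text) {
  const rows = [];
  let row = [], field = '', inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inQuotes) {
      if (c === '"' && text[i + 1] === '"') { field += '"'; i++; } // escaped quote
      else if (c === '"') { inQuotes = false; }
      else { field += c; }                                          // includes newlines
    } else if (c === '"') { inQuotes = true; }
    else if (c === ',') { row.push(field); field = ''; }
    else if (c === '\n') { row.push(field); rows.push(row); row = []; field = ''; }
    else if (c !== '\r') { field += c; }
  }
  if (field !== '' || row.length) { row.push(field); rows.push(row); }
  return rows.filter(r => r.length === FIELDS.length && !r[0].startsWith('#') && r[0] !== 'dateTime');
}

// Maps a CSV row onto the #Fields names.
function toRecord(row) {
  const rec = {};
  FIELDS.forEach((name, i) => { rec[name] = row[i]; });
  return rec;
}

// Turns the accumulated records of one POP3 session into a single logon event.
// The username comes from the "user" line, the outcome from the "pass" line;
// on success Exchange also fills the user column of the "pass" line itself.
function sessionToEvent(recs) {
  const userRec = recs.find(r => r.command.toLowerCase() === 'user');
  const passRec = recs.find(r => r.command.toLowerCase() === 'pass');
  if (!passRec) return null;                       // no credential was ever sent
  const success = /^R=ok\b/.test(passRec.context);
  const err = passRec.context.match(/-ERR\s+([^"]*)/);
  const msg = passRec.context.match(/Msg=([^;]+)/);
  return {
    dateTime: passRec.dateTime,
    sessionId: passRec.sessionId,
    user: passRec.user || (userRec ? userRec.parameters : ''),
    clientIp: passRec.cIp.split(':')[0],
    serverIp: passRec.sIp.split(':')[0],
    outcome: success ? 'success' : 'failure',
    reason: err ? err[1].replace(/\s+/g, ' ').trim() : '',
    msg: msg ? msg[1] : '',
  };
}

// Accumulates lines per (source, sessionId) key, like Session.store(), and
// parses a session when its "quit" arrives. Sessions still open at end of
// input are flushed too; a live collector would expire those on a timer.
function collectLogonEvents(text, sourceId) {
  const sessions = new Map();
  const events = [];
  const flush = key => {
    const ev = sessionToEvent(sessions.get(key));
    sessions.delete(key);
    if (ev) events.push(ev);
  };
  for (const row of parseCsvRecords(text)) {
    const rec = toRecord(row);
    const key = sourceId + ':' + rec.sessionId;
    if (!sessions.has(key)) sessions.set(key, []);
    sessions.get(key).push(rec);
    if (rec.command.toLowerCase() === 'quit') flush(key);
  }
  for (const key of Array.from(sessions.keys())) flush(key);
  return events;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(collectLogonEvents(SAMPLE_LOG, 'exchange-cas-01'), null, 2));
}
```

Keying on sessionId rather than on "the sessionId changed" matters because several clients can have lines interleaved in one log file; the failure session here is complete at its `quit`, so that is the natural point to parse, and a client that drops the connection without `quit` is the case where the Session timer mentioned above is needed. Note also that the success event reads the username from the `pass` line's own user column, so on success no second line is strictly required, while the failure event has to take it from the preceding `user` line.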