devnulli / EvlWatcher

a "fail2ban" style modular log file analyzer for windows
MIT License

Don't work #106

Closed AnalitikSamara closed 1 year ago

AnalitikSamara commented 1 year ago

I installed v2.1.5 on Windows 7 Prof 64-bit and made several (consecutive) attempts to connect via RDP with the wrong password. The events were registered in the failure audit log, but EvlWatcher did not detect them and the blocking did not work.

Immediately after the first launch, the following messages appeared in the "Live" window:

30.11.2022 17:18:32 - [Info]: Event Log Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational was not found, tasks that require these events will not work and are disabled.
30.11.2022 17:18:32 - [Info]: Event Log OpenSSH/Operational was not found, tasks that require these events will not work and are disabled.

1) What am I doing wrong?

2) Why doesn't the failure audit log show the IP address from which I attempted to RDP?

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2022-11-30T13:23:25.694533100Z" />
    <EventRecordID>4007932</EventRecordID>
    <Correlation />
    <Execution ProcessID="764" ThreadID="828" />
    <Channel>Security</Channel>
    <Computer>RS</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">SomeUser</Data>
    <Data Name="TargetDomainName">PC</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">PC</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
```

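As an added example (not EvlWatcher's code and not from the issue author), the following Python parses a Security 4625 event in the XML form shown above and reports whether it carries a source address a fail2ban-style blocker could act on. The trimmed sample event and the address used in the comments are constructed.

```python
# Added example, not part of EvlWatcher: read a Security 4625 event (XML view)
# and decide whether it names a source IP that a log-based blocker could ban.
import ipaddress
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the event from the issue, trimmed to the fields used here.
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">SomeUser</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>"""


def parse_event(xml_text: str) -> dict:
    """Return EventID plus every EventData <Data Name=...> field as a flat dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return fields


def block_candidate(event: dict) -> Optional[str]:
    """Source IP a blocker could act on, or None when the event has no usable one."""
    if event.get("EventID") != 4625:
        return None
    raw = event.get("IpAddress", "-")
    # Failure audits for NTLM/NLA RDP attempts may carry "-" here, as in this
    # issue: with no source address there is nothing for an IP ban to act on.
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return None
```

For the sample above `block_candidate(parse_event(SAMPLE_4625))` returns None, which is exactly why a blocker that only reads the Security log cannot act on this event.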
AnalitikSamara commented 1 year ago

I installed v2.1.5 on Windows Server 2012 R2 and the following message appeared in the "Live" window: 01.12.2022 12:58:58 - [Info]: Event Log OpenSSH/Operational was not found, tasks that require these events will not work and are disabled.

What does it mean? Is this a normal situation or is something wrong?

The first message, "[Info]: Event Log Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational was not found, tasks that require these events will not work and are disabled.", that appeared on Windows 7 is missing in this case.

Testing has shown that on Windows Server 2012 R2 EvlWatcher blocks access attempts with an incorrect username or password, but not on Windows 7 Pro. How can I make it work?

devnulli commented 1 year ago

The first warning: it appears that Microsoft does not have the event log source RdpCoreTS/Operational available for that OS.

It's related to #83, take a look in there.

greetings, Mike