How to configure Windows 11 to send logs to a Syslog or SIEM server

Last updated: 30/06/2025
Author: Isaka
  • Windows 11 can forward events to Syslog servers or SIEM platforms using agents or native features.
  • Several configuration options exist with different security levels, from UDP without encryption to TCP with TLS and mutual authentication.
  • Tools such as Pandora FMS or ManageEngine offer advanced remote collection methods that are especially useful in enterprise environments.
  • When setting up collection on Windows, it is essential to consider permissions, the services that are enabled, and the security of the log transport.

Hello

Integrating Windows 11 event logs into a SIEM solution or a Syslog server is a key strategy for improving security and the management of an IT infrastructure. Centralizing these logs makes incident analysis, auditing and troubleshooting faster and more effective.

Today there are different methods and tools to achieve this setup: from native Windows features to third-party agents and management platforms such as Pandora FMS or ManageEngine. In this article we will look at all of the possibilities, from the basics to advanced configurations, including options with and without encryption, free agents, and integration with systems such as Azure Local.


Basic options for sending logs from Windows to a Syslog server

Before getting into specialized configurations, it helps to know the simple, free ways of forwarding Windows logs to a remote destination.

Free agents available

  • Snare Epilog: a limited free version of the InterSect Alliance product. It has to be configured through a web interface and does not offer much flexibility.
  • CorreLog Windows Agent: powerful and free upon registration. It is configured through a text file, installed as a service, and even lets you include application log files from the system.
  • Datagram SyslogAgent: another simple and very powerful option. Based on NTSyslog, it is configured through the Windows registry and offers temporary buffering when the remote server is unavailable.

These solutions are suitable for home environments or small infrastructures where centralized management and message encryption are not required.


Log forwarding in Azure Local with PowerShell

In highly managed environments such as Azure Stack HCI or Azure Local, Microsoft provides specific cmdlets to configure and manage log forwarding over the Syslog protocol.

Included cmdlets

The Set-AzSSyslogForwarder command is used to configure the forwarding settings. Its parameters include:

  • -ServerName: IP address or FQDN of the Syslog server.
  • -ServerPort: listening port of the remote receiver.
  • -UseUDP: uses UDP as the transport protocol.
  • -NoEncryption: allows events to be sent in plain text.
  • -ClientCertificateThumbprint: establishes mutual authentication using certificates.

Once configured, forwarding is enabled with Enable-AzSSyslogForwarder and can be disabled with Disable-AzSSyslogForwarder.

Operating modes

Depending on the security level required, different variants can be used:

  • UDP without encryption: very easy to set up, but offers no protection against eavesdropping.
  • TCP without encryption: improves message delivery but is still not secure.
  • TCP with TLS and server authentication: the client verifies the server certificate before sending logs.
  • TCP with TLS and mutual authentication: both client and server prove their identity with certificates, which provides the highest level of protection.

Checking and removing the settings

To check the current state of log forwarding, use Get-AzSSyslogForwarder with the following optional parameters:

  • -Local: shows the configuration of the current host.
  • -PerNode: shows the details for each node.
  • -Cluster: shows the global Azure Local settings.

If you want to completely remove or reset the configuration, use Set-AzSSyslogForwarder -Remove.
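The weak and the hardened variants of the forwarder configuration described above, side by side, as an added example that is not from the article or from Microsoft's documentation. It assumes a placeholder receiver name (syslog.example.internal) and a placeholder client-certificate thumbprint; the cmdlet names and parameters are the ones listed above.

```powershell
# Added example: configure the Azure Local syslog forwarder in the weakest and in the
# strongest mode listed in the article, then verify and (optionally) tear it down.
# Assumptions: syslog.example.internal is a placeholder FQDN; $thumbprint is the SHA-1
# thumbprint (placeholder value) of a client certificate already installed on the node.

$server     = 'syslog.example.internal'                   # placeholder receiver
$thumbprint = '0000000000000000000000000000000000000000'   # placeholder thumbprint

# --- Weak variant: UDP, no encryption. Events cross the network in plain text and
# --- can be read or spoofed by anyone on the path. Shown commented out on purpose.
# Set-AzSSyslogForwarder -ServerName $server -ServerPort 514 -UseUDP -NoEncryption

# --- Hardened variant: TCP with TLS and mutual authentication. Omitting -UseUDP and
# --- -NoEncryption selects TCP + TLS; the client certificate authenticates this node.
# --- 6514 is the IANA-registered port for syslog over TLS.
Set-AzSSyslogForwarder -ServerName $server -ServerPort 6514 `
    -ClientCertificateThumbprint $thumbprint

# Nothing is sent until forwarding is explicitly enabled.
Enable-AzSSyslogForwarder

# Verify what was applied on this host and at cluster scope, and eyeball the output
# to confirm that UDP and plain-text transport did not end up enabled.
Get-AzSSyslogForwarder -Local   | Format-List
Get-AzSSyslogForwarder -Cluster | Format-List

# Pause forwarding temporarily, or wipe the configuration entirely:
# Disable-AzSSyslogForwarder
# Set-AzSSyslogForwarder -Remove
```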

Remote log collection in Windows environments

SIEM logs

For complex or enterprise scenarios, remote collection can be done through WMI, remote sessions, or native integration with the event viewers in Active Directory domains. ManageEngine documents an advanced method for this, which involves an extensive set of steps:

Required permissions

  • Create a service account in the domain with permission to access the logs.
  • Add that account to groups such as "Event Log Readers" and "Distributed COM Users".
  • Grant the "Manage auditing and security log" right through local policies or a GPO.
  • Configure WMI access and DCOM permissions if required.

Technical steps

Once the permissions have been granted:

  1. Allow the connection through the firewall.
  2. Enable the Windows Event Collector service on the target server.
  3. Configure the WinRM protocol on the source machines.
  4. Create a subscription from Event Viewer, specifying the source devices, the log types and the desired filters.
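The permission and collector steps above, scripted on the collector host as an added example (not from the article or from ManageEngine's documentation). It assumes a placeholder domain CORP, a placeholder service account CORP\svc-logreader, and a subscription that collects only logon successes and failures (Security events 4624 and 4625) from domain computers; the WinRM configuration of the source machines is assumed to be handled by GPO.

```powershell
# Added example: collector-side setup for Windows Event Forwarding. Run elevated on the
# collector. Placeholders: CORP (domain) and CORP\svc-logreader (service account).

# Step 1: let WinRM traffic through the host firewall.
Enable-NetFirewallRule -DisplayGroup 'Windows Remote Management'

# Step 2: quick-configure the Windows Event Collector service (Wecsvc). This creates the
# ForwardedEvents channel and sets the service to start automatically.
wecutil qc /q

# Step 3: WinRM on this host (source machines need the same, usually via GPO).
winrm quickconfig -q

# Permissions: let the service account read the local event logs.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'CORP\svc-logreader'

# Step 4: a source-initiated subscription limited to the Security log and to logon
# events only. The SDDL string allows the Domain Computers group (DC) to forward.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Logon-Events</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon success and failure from domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@
$path = Join-Path $env:TEMP 'logon-events.xml'
$subscription | Set-Content -Path $path -Encoding ASCII
wecutil cs $path

# Confirm the subscription was created and is enabled.
wecutil gs Logon-Events
```

Forwarded events land in the collector's ForwardedEvents log, which is what the SIEM agent or Syslog forwarder should then read.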

Monitoring with Pandora FMS

Pandora FMS also offers a very complete way to collect logs on both Windows and Linux, consolidating the data in OpenSearch and enabling SIEM-style correlation.

Collection from Windows

  • In text format: for files such as Apache logs or the logs of custom services.
  • From system events: define filters using module_source (System, Application, Security) and parameters such as module_eventtype, module_eventcode and module_application.

Collection from Linux

Modules are used that scan paths such as /var/log/messages or /var/log/secure looking for patterns. You can extract successful HTTP status codes or search using regular expressions.

Integrated Syslog server

By enabling an option in pandora_server.conf, Pandora can receive logs directly over Syslog, using multiple processing threads and a configurable queue.