问题描述
我试图在具有WEF / WEC的环境中使用OSQuery,我试图做的是收集所有通过订阅存储在WEC服务器中的Windows事件。
我的问题是,当我通过OSQuery收集Windows事件时,似乎无法获取包含实际生成事件的主机名的“计算机”字段。
有人设法做到这一点吗?还是OSquery的实际限制?在查看windows_events表架构(https://osquery.io/schema/4.5.1/#windows_events)时,似乎没有考虑到“计算机”字段。
作为示例,我在名为DESKTOP-JC2OUUQ的主机中配置了WEC,并在那里订阅了名为DESKTOP-BEH0A7O的便携式计算机。事件日志正正确地流向WEC,我可以接收它们。以下是我收到的事件之一:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" xml:lang="en-US">
<System>
<Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
<EventID Qualifiers="16384">16384</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-10-22T16:20:17.2647971Z" />
<EventRecordID>907</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>DESKTOP-BEH0A7O</Computer>
<Security />
</System>
<EventData>
<Data>2020-12-18T12:30:17Z</Data>
<Data>RulesEngine</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Message>Successfully scheduled Software Protection service for re-start at 2020-12-18T12:30:17Z. Reason: RulesEngine.</Message>
<Level>Information</Level>
<Task />
<Opcode />
<Channel />
<Provider>Microsoft-Windows-Security-SPP</Provider>
<Keywords>
<Keyword>Classic</Keyword>
</Keywords>
</RenderingInfo>
</Event>
当我尝试使用OSQuery收集此事件时,得到以下输出:
{
"name": "windows_events_query","hostIdentifier": "DESKTOP-JC2OUUQ","calendarTime": "Thu Oct 22 16:26:14 2020 UTC","unixTime": 1603383974,"epoch": 0,"counter": 0,"numerics": false,"decorations": {
"host_uuid": "A7A0828C-1264-4E24-A67F-F5B69BE86165","username": "vagrant"
},"columns": {
"data": "{\"EventData\":[\"2020-12-18T12:30:17Z\",\"RulesEngine\"]}","datetime": "2020-10-22T16:20:17.2647971Z","eventid": "16384","keywords": "0x80000000000000","level": "4","provider_guid": "{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","provider_name": "Microsoft-Windows-Security-SPP","source": "Application","task": "0","time": "1603383958"
},"action": "added"
}
如您所见,在其他字段中,我没有看到“计算机”标签,据我所知,它是唯一包含生成事件的实际主机的标签。 有什么方法可以通过OSQuery获得该值吗?还是有限制?
谢谢!
解决方法
Osquery 不支持 Computer 字段。现在可以了:
依赖报错 idea导入项目后依赖报错,解决方案:https://blog....
错误1:gradle项目控制台输出为乱码 # 解决方案:https://bl...