Windows server 共享操作日志设置

邝野

Windows server 共享的文件操作日志默认是没有打开的，需要手动打开，本篇文章将详细说明如何打开。并且如何将这个日志输出到ELK日志系统中。

手动打开操作日志

1、打开你的共享审核功能

举例：我需要监控D盘的文件读取、写入、删除等操作

• 右键D盘属性
  

• 安全  高级  审核  继续
  
  
  
• 添加需要监视的用户跟权限，操作如下
  

2、设置本地安全策略

• 进入本地安全策略
  
  
  
• 如下图找到「审批对象访问」，双击修改属性为成功
  

3、测试是否成功

进入刚刚设置了审核的目录，我这进入D盘，在D盘下创建文件或目录，然后将它删除。操作完后如下查看确认是否有日志存在

• 打开事件查看器
  

• 单击进入安全
  

• 日志太多筛选一下日志，如下图
  

• 刚我将「 D:测试共享盘可删\新建文件夹\2023-02-08 」删除了，可以看一下我的日志信息如下：
  

将日志传到ELK日志系统

假设目前你已经有一套ELK系统了，直接跳过。不会的可以看一下我的历史文章
rpm+二进制包部署ELK
Docker部署ELK

1、安装winlogbeat

• 下载软件
  

我已将我的包上传到云盘了，有需要点我下载

• 解压  将文件夹放至长期不动的固定目录下（只是建议），例如我这放到C:\Program Files 下
  
• 进入文件夹，双击修改winlogbeat.yml文件，需要修改的配置都有用中文注释了如下
  

1. ###################### Winlogbeat Configuration Example ########################
3. # This file is an example configuration file highlighting only the most common
4. # options. The winlogbeat.reference.yml file from the same directory contains
5. # all the supported options with more comments. You can use it as a reference.
6. #
7. # You can find the full configuration reference here:
8. # https://www.elastic.co/guide/en/beats/winlogbeat/index.html
10. # ======================== Winlogbeat specific options =========================
12. # event_logs specifies a list of event logs to monitor as well as any
13. # accompanying options. The YAML data type of event_logs is a list of
14. # dictionaries.
15. #
16. # The supported keys are name (required), tags, fields, fields_under_root,
17. # forwarded, ignore_older, level, event_id, provider, and include_xml. Please
18. # visit the documentation for the complete details of each option.
19. # https://go.es.io/WinlogbeatConfig
21. winlogbeat.event_logs:
22.   - name: Application
23.     ignore_older: 72h
25.   - name: System
27.   - name: Security
28.     processors:
29.       - script:
30.           lang: javascript
31.           id: security
32.           file: ${path.home}/module/security/config/winlogbeat-security.js
34.   - name: Microsoft-Windows-Sysmon/Operational
35.     processors:
36.       - script:
37.           lang: javascript
38.           id: sysmon
39.           file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
41.   - name: Windows PowerShell
42.     event_id: 400, 403, 600, 800
43.     processors:
44.       - script:
45.           lang: javascript
46.           id: powershell
47.           file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
49.   - name: Microsoft-Windows-PowerShell/Operational
50.     event_id: 4103, 4104, 4105, 4106
51.     processors:
52.       - script:
53.           lang: javascript
54.           id: powershell
55.           file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
57.   - name: ForwardedEvents
58.     tags: [forwarded]
59.     processors:
60.       - script:
61.           when.equals.winlog.channel: Security
62.           lang: javascript
63.           id: security
64.           file: ${path.home}/module/security/config/winlogbeat-security.js
65.       - script:
66.           when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
67.           lang: javascript
68.           id: sysmon
69.           file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
70.       - script:
71.           when.equals.winlog.channel: Windows PowerShell
72.           lang: javascript
73.           id: powershell
74.           file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
75.       - script:
76.           when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
77.           lang: javascript
78.           id: powershell
79.           file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
81. # ====================== Elasticsearch template settings =======================
83. setup.template.settings:
84.   index.number_of_shards: 1
85.   #index.codec: best_compression
86.   #_source.enabled: false
87. #  setup.template.enabled: true
88. #  setup.template.overwrite: true
89. #  setup.dashboards.index: "share-*"
90. #  setup.ilm.enabled: false
93. # ================================== General ===================================
95. # The name of the shipper that publishes the network data. It can be used to group
96. # all the transactions sent by a single shipper in the web interface.
97. #name:
99. # The tags of the shipper are included in their own field with each
100. # transaction published.
101. #tags: ["service-X", "web-tier"]
103. # Optional fields that you can specify to add additional information to the
104. # output.
105. #fields:
106. #  env: staging
108. # ================================= Dashboards =================================
109. # These settings control loading the sample dashboards to the Kibana index. Loading
110. # the dashboards is disabled by default and can be enabled either by setting the
111. # options here or by using the `setup` command.
112. #setup.dashboards.enabled: false
114. # The URL from where to download the dashboards archive. By default this URL
115. # has a value which is computed based on the Beat name and version. For released
116. # versions, this URL points to the dashboard archive on the artifacts.elastic.co
117. # website.
118. #setup.dashboards.url:
120. # =================================== Kibana ===================================
122. # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
123. # This requires a Kibana endpoint configuration.
124. setup.kibana:
126.   # Kibana Host
127.   # Scheme and port can be left out and will be set to the default (http and 5601)
128.   # In case you specify and additional path, the scheme is required: http://localhost:5601/path
129.   # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
130.   #host: "localhost:5601"
132.   # Kibana Space ID
133.   # ID of the Kibana Space into which the dashboards should be loaded. By default,
134.   # the Default Space will be used.
135.   #space.id:
137. # =============================== Elastic Cloud ================================
139. # These settings simplify using Winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).
141. # The cloud.id setting overwrites the `output.elasticsearch.hosts` and
142. # `setup.kibana.host` options.
143. # You can find the `cloud.id` in the Elastic Cloud web UI.
144. #cloud.id:
146. # The cloud.auth setting overwrites the `output.elasticsearch.username` and
147. # `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
148. #cloud.auth:
150. # ================================== Outputs ===================================
152. # Configure what output to use when sending the data collected by the beat.
154. # ---------------------------- Elasticsearch Output ----------------------------
155. output.elasticsearch:
156.   # Array of hosts to connect to.
157.   # 修改为你的es IP地址，如果你是es集群的话拿都需要加进来。例如我ES集群中有三台那么便都添加了。
158.    hosts: ["10.11.48.159:9200","10.12.48.161:9200","10.13.48.160:9200"]
159.    # 修改存入的ES索引名称，默认索引名称是 winlogbeat开头的，可能你有多个winlogbeat那么名称会冲突，建议修改。
160.    index: "share-%{+yyyy.MM.dd}"
161.   # Protocol - either `http` (default) or `https`.
162.   #protocol: "https"
164.   # Authentication credentials - either API key or username/password.
165.   #api_key: "id:api_key"
166.   #username: "elastic"
167.   #password: "changeme"
169. # ------------------------------ Logstash Output -------------------------------
170. #output.logstash:
171.   # The Logstash hosts
172.   #hosts: ["localhost:5044"]
174.   # Optional SSL. By default is off.
175.   # List of root certificates for HTTPS server verifications
176.   #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
178.   # Certificate for SSL client authentication
179.   #ssl.certificate: "/etc/pki/client/cert.pem"
181.   # Client Certificate Key
182.   #ssl.key: "/etc/pki/client/cert.key"
184. # ================================= Processors =================================
185. processors:
186.   - add_host_metadata:
187.       when.not.contains.tags: forwarded
188.   - add_cloud_metadata: ~
190. # ================================== Logging ===================================
192. # Sets log level. The default log level is info.
193. # Available log levels are: error, warning, info, debug
194. #logging.level: debug
196. # At debug level, you can selectively enable logging only for some components.
197. # To enable all selectors use ["*"]. Examples of other selectors are "beat",
198. # "publisher", "service".
199. #logging.selectors: ["*"]
201. # ============================= X-Pack Monitoring ==============================
202. # Winlogbeat can export internal metrics to a central Elasticsearch monitoring
203. # cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
204. # reporting is disabled by default.
206. # Set to true to enable the monitoring reporter.
207. #monitoring.enabled: false
209. # Sets the UUID of the Elasticsearch cluster under which monitoring data for this
210. # Winlogbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
211. # is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
212. #monitoring.cluster_uuid:
214. # Uncomment to send the metrics to Elasticsearch. Most settings from the
215. # Elasticsearch output are accepted here as well.
216. # Note that the settings should point to your Elasticsearch *monitoring* cluster.
217. # Any setting that is not set is automatically inherited from the Elasticsearch
218. # output configuration, so if you have the Elasticsearch output configured such
219. # that it is pointing to your Elasticsearch monitoring cluster, you can simply
220. # uncomment the following line.
221. #monitoring.elasticsearch:
223. # ============================== Instrumentation ===============================
225. # Instrumentation support for the winlogbeat.
226. #instrumentation:
227.     # Set to true to enable instrumentation of winlogbeat.
228.     #enabled: false
230.     # Environment in which winlogbeat is running on (eg: staging, production, etc.)
231.     #environment: ""
233.     # APM Server hosts to report instrumentation results to.
234.     #hosts:
235.     #  - http://localhost:8200
237.     # API Key for the APM Server(s).
238.     # If api_key is set then secret_token will be ignored.
239.     #api_key:
241.     # Secret token for the APM Server(s).
242.     #secret_token:
245. # ================================= Migration ==================================
247. # This allows to enable 6.7 migration aliases
248. #migration.6_to_7.enabled: true
249. # 如果你修改了索引名称则以下配置也需要增加，不然无法生效。这里的share命名需与上面的index命名前缀一致。
250. setup.template.enabled: true
251. setup.template.overwrite: true
252. setup.template.name: "share"      
253. setup.template.pattern: "share-*"
254. setup.ilm.enabled: false

复制代码

• 检查配置
  

1. # 进入目录
2. cd "C:\Program Files\winlogbeat-7.13.0-windows-x86_64"
3. .\winlogbeat.exe test config -c .\winlogbeat.yml -e

复制代码

检查期间如果提示为OK，说明配置文件没问题

• 输入一下命令启动
  

1. # 进入目录
2. cd "C:\Program Files\winlogbeat-7.13.0-windows-x86_64"
3. # 执行下面命令后，需要输入Y，回车。启用执行不信任的脚本功能
4. Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
5. # 将winlogbeat注册成系统服务
6. .\install-service-winlogbeat.ps1
7. # 启动
8. Start-Service winlogbeat

复制代码

• 检查确认
  

需要确认两个地方分别是：

• 在Windows winlogbeat 是否启动
  
  

• kibana是否存在了刚才创建的索引
  
  

• 测试
  

删除或者创建文件，然后在kibana中搜索。搜索删除语法event.code:"4663" and message : DELETE

PS：kibana的使用自行探索，在此不做介绍了哦
参考链接

https://blog.csdn.net/yk20091201/article/details/90756738
https://www.cnblogs.com/lhxsoft/p/15994432.html
https://blog.csdn.net/weixin_43719616/article/details/114790067
https://iminto.github.io/post/filebeat%E4%BF%AE%E6%94%B9index%E7%9A%84%E4%B8%80%E4%B8%AA%E5%9D%91/
https://blog.51cto.com/studyit2016/2084858
https://www.doit.com.cn/p/137278.html

来源:https://www.cnblogs.com/98record/p/windows-server-gong-xiang-cao-zuo-ri-zhi.html
免责声明：由于采集信息均来自互联网，如果侵犯了您的权益，请联系我们【E-Mail:cb@itdo.tech】 我们会及时删除侵权内容，谢谢合作！