windos 2012 r2 security event log custom insert
Im trying to write logs in windows server 2012 r2 i can write Application log like this,
Write-EventLog -LogName Application -Source "mysource" other parameters goes here
its working rightly and write this log in windowslog/application
after that im trying like this for secuirty log
Write-EventLog -LogName Security -Source "Microsoft-Windows-Security-Auditing" other parameters goes here
return me this error
Write-EventLog : The registry key for the log "Security" for source "Microsoft-Windows-Security-Auditing" could not be
opened.
At line:1 char:1
+ Write-EventLog -LogName Security -Source "Microsoft-Windows-Security-Auditing" - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (:) [Write-EventLog], Exception
+ FullyQualifiedErrorId : AccessDenied,Microsoft.PowerShell.Commands.WriteEventLogCommand
after that im search and find a function for write security logs AuthzReportSecurityEvent ı guess ı can write my logs using this function, if ı can do that ı have another question how can i use this function in powershell or python ? I guess can i use this function via pywin32 module ? or can i call directly in powershell script ? can you share me any example how can ı call this function and write log in security log using this function.
I can write log in security when I follow the suggestions of @Strive Sun.
ı guess ı can write my logs using this function, if ı can do that ı have another question how can i use this function in powershell or python ?
The Security log write access limitation was relaxed somewhat in Windows Server 2003 without changing the fundamental design by the introduction of a special set of APIs (see Figure 2). These APIs use Local Procedure Calls (LPCs) internally to interact with LSA, instructing it to generate audit logs on the application's behalf. The mechanism is elegant and simple.
First, the application registers a security event source handle with LSA by calling AuthzRegisterSecurityEventSource. The only parameter that is of interest for this API is the name of the event source, which can be almost anything, subject to a few restrictions. For instance, it cannot be named "Security" because that name is reserved for system use. The security event source handle returned by this call is used in the following steps.
Next, events are generated by calling one of two closely relat-ed APIs: AuthzReportSecurityEvent or AuthzReportSecurityEventFromParams. Finally, when the application shuts down, it unregisters the security event source handle by calling AuthzUnregisterSecurityEventSource.
Refer: The Security log
can you share me any example how can ı call this function and write log in security log using this function.
Code Sample: (C++)
#include <stdio.h>
#include <iostream>
#include <string>
#include <strsafe.h>
#include <windows.h>
#include <Authz.h>
#include <Ntsecapi.h>
#pragma comment(lib,"Authz.lib")
#pragma comment(lib,"Advapi32.lib")
BOOL SetPrivilege(
HANDLE hToken, // access token handle
LPCTSTR lpszPrivilege, // name of privilege to enable/disable
BOOL bEnablePrivilege // to enable or disable privilege
)
{
TOKEN_PRIVILEGES tp;
LUID luid;
if (!LookupPrivilegeValue(
NULL, // lookup privilege on local system
lpszPrivilege, // privilege to lookup
&luid)) // receives LUID of privilege
{
printf("LookupPrivilegeValue error: %u\n", GetLastError());
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
// Enable the privilege or disable all privileges.
if (!AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL))
{
printf("AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
printf("The token does not have the specified privilege. \n");
return FALSE;
}
printf("Get the specified privilege! \n");
return TRUE;
}
int main(int argc, const char* argv[])
{
// Declare and initialize variables.
BOOL bResult = TRUE;
DWORD event_id = 4624;
AUTHZ_SECURITY_EVENT_PROVIDER_HANDLE hEventProvider = NULL;
PAUDIT_PARAMS p;
std::string Source_Name = "Test security audit";
std::wstring ws;
std::string pbuf = "What is your purpose ?";
std::wstring ws_buf;
int return_code = 0;
int i = 0;
// Register the audit provider.
HANDLE token;
HANDLE hevent_source;
ws.assign(Source_Name.begin(), Source_Name.end());
ws_buf.assign(pbuf.begin(), pbuf.end());
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
return FALSE;
SetPrivilege(token, L"SeAuditPrivilege", true);
AUTHZ_SOURCE_SCHEMA_REGISTRATION ar;
memset(&ar, 0, sizeof(ar));
ar.dwFlags = AUTHZ_ALLOW_MULTIPLE_SOURCE_INSTANCES;
ar.szEventSourceName = &ws[0];
ar.szEventMessageFile = &ws_buf[0];
ar.szEventSourceXmlSchemaFile = NULL;
ar.szEventAccessStringsFile = &ws_buf[0];
ar.szExecutableImagePath = NULL;
AuthzInstallSecurityEventSource(0, &ar);
bResult = AuthzRegisterSecurityEventSource(0, ws.c_str(), &hEventProvider);
int err = GetLastError();
if (!bResult)
{
printf("AuthzRegisterSecurityEventSource failed, error is %d\n", err);
return_code = -1;
}
SID id;
if (hEventProvider)
{
// Generate the audit.
while (i < 10) {
bResult = AuthzReportSecurityEvent(
APF_AuditSuccess,
hEventProvider,
event_id,
NULL,
3,
APT_String, L"Jay Hamlin",
APT_String, L"March 21, 1960",
APT_Ulong, 45);
int err1 = GetLastError();
if (!bResult)
{
printf("AuthzReportSecurityEvent failed, error is %d\n", err1);
return_code = -2;
break;
}
i++;
}
AuthzUnregisterSecurityEventSource(0, &hEventProvider);
AuthzUninstallSecurityEventSource(0, &ws[0]);
}
std::cout << "Exit : " << return_code << std::endl;
getchar();
}
Note: A few things you have to do in the Local Security Policy before running the code sample. Steps can refer: https://stackoverflow.com/a/18242724/11128312
After assigning permissions to the current user, please restart the computer to make it effective.
Updated:
Please go to local policies->Audit Policy. Enable "Audit Object Access" for success and failure.
Then you rebuild and debug again, you will find Security logs appear in Event Viewer.
- Get the errorbars to bins of a dataset by using bootstrapping
- How to tune PID controller on non-linear model (here: diving of a body)
- django import error - No module named core.management
- Changing tense of text from present/future to past tense
- Discord.py modal form command has no response despite no errors in console
- AttributeError: module 'pyperclip' has no attribute 'waitForPaste'
- Array lists of HTML elements in order by website in selenium / beautiful soup
- Recursive types in Python and difficulties inferring the type of `type(x)(...)`
- `AttributeError` constructing `torchvision.io.VideoReader` in Google Colab
- How to use python selenium to click this element with text bb1
- Base 62 conversion
- How do I get the object if it exists, or None if it does not exist in Django?
- Sampling n= 2000 from a Dask Dataframe of len 18000 generates error Cannot take a larger sample than population when 'replace=False'
- Set same scale in legend matplotlib
- Replicate virtualenv without downloading all the packages again on the same machine
- Tkinter entry widget input are written backwards
- Pydantic v2 vs requests POST JSON - 'not serializable' nightmares
- Unexpected generator behaviour when not assigned to a variable
- How to change the cursor in Pygame to a custom image
- Azure functions in Python - "Duplex option is required" error
- model not showing up in django admin
- How can I see the entire HTTP request that's being sent by my Python application?
- Appending to a list by adding to the previous value in Python
- Layer 'conv2d_11' expected 2 variables, but received 0 variables during loading. Expected: ['conv2d_11/kernel:0', 'conv2d_11/bias:0']
- The Python dbus package is not installed
- How to determine pid of process started via os.system
- Can I store a Parquet file with a dictionary column having mixed types in their values?
- I cannot import monsoon after installing Monsoon
- PyCharm: Why "Python Console" is not accessing ~\.aws\credentials file? How to set it within "Python Console"
- Unexpected Behavior of pd.Grouper with datetime Key and freq Argument