- Created by Vladimir Stanković on 21 04, 2016
NetVizura is capable of detecting end user activity in the company network. Mapping user's actual username with IP addresses allows to keeping logon events tracks of end users. Logon events could be generated by Domain Controllers or Work Stations relayed via Syslog to NetVizura server. We use Windows Domain Controller in our example.
Example of correct match string
* MSWinEventLog * 4624 Microsoft-Windows-Security-Auditing * Success Audit * Logon Type: 3 * Account Name: <USERNAME> * Account Domain: <DOMAIN> * Source Network Address: <USER-IP> *
Step 1. Select appropriate message (logon event):
Navigate to Netvizura Eventlog module and choose Syslog tab. Identify syslog message with logon information. This log should contain:
IP address of domain controller that exports Syslogs - type IP address into Exporter text box and press Enter
- Windows code 4624 that designates successful logon event - type 4624 into Message filter text box and press Enter
- Select, copy and paste text message in some text editor (Wordpad or similar)
- Create appropriate Match string in text editor
Match String
Steps for creating correct match string :
- Find Account Name within the message and put <USERNAME> instead of real account name (please refer to picture below)
- Find Account Domain within the message and put <DOMAIN> instead of real account domain (please refer to picture below)
- Find Source Network Address within the message and put <USER-IP> instead of real IP address (please refer to picture below). No need for this step in case of Work Station type of rule.
- Find additional information that can help in matching message more precisely like: MSWinEventLog, 4624 Microsoft-Windows-Security-Auditing, Success Audit, Logon Type: 3
- IMPORTANT: Delete any other text and put * as a wildcard instead of deleted text (refer to Example of correct match string)
Step 2. Setup rule:
In upper right corner of Netvizura application navigate to cogwheel > Settings > NetFlow Settings > End Users:
- Click on + Add button
- Enter your own Rule Name and Description
- Set Rule type (in this example set Domain Controller)
- Set Rule status (in this example set Active)
- Enter Source IP (IP address of Domain Controller)
- Copy and paste Match string from text editor into the Match string area
- Click on Verify match button
- Click on Save button to save your rule (if verification is successful)
To check results of your work, navigate to NetFlow > End Users. If the three is empty, refresh your web browser with ctrl+F5.
In order to improve user mapping and system performance, we recommend to set status as inactive for all rules that are not in use.
Specifying too broad subnet in the Source IP field might result in performance penalty. For best results consider changing Source IP to more specific value or concrete IP address.
Use help button: Move your cursor under the question mark on the screen for additional help.
You can easily verify the rule by clicking Verify button. Your rule will be automatically applied to check if any Syslog message received during the last 24 hours matches the rule.
- No labels