windos 2012 r2 security event log custom insert

1k views Asked by At

Im trying to write logs in windows server 2012 r2 i can write Application log like this,

Write-EventLog -LogName Application -Source "mysource" other parameters goes here 

its working rightly and write this log in windowslog/application

after that im trying like this for secuirty log

Write-EventLog -LogName Security -Source "Microsoft-Windows-Security-Auditing" other parameters goes here 

return me this error

Write-EventLog : The registry key for the log "Security" for source "Microsoft-Windows-Security-Auditing" could not be
opened.
At line:1 char:1
+ Write-EventLog -LogName Security -Source "Microsoft-Windows-Security-Auditing" - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (:) [Write-EventLog], Exception
    + FullyQualifiedErrorId : AccessDenied,Microsoft.PowerShell.Commands.WriteEventLogCommand

after that im search and find a function for write security logs AuthzReportSecurityEvent ı guess ı can write my logs using this function, if ı can do that ı have another question how can i use this function in powershell or python ? I guess can i use this function via pywin32 module ? or can i call directly in powershell script ? can you share me any example how can ı call this function and write log in security log using this function.

I can write log in security when I follow the suggestions of @Strive Sun.

1

There are 1 answers

8
Strive Sun On BEST ANSWER

ı guess ı can write my logs using this function, if ı can do that ı have another question how can i use this function in powershell or python ?

The Security log write access limitation was relaxed somewhat in Windows Server 2003 without changing the fundamental design by the introduction of a special set of APIs (see Figure 2). These APIs use Local Procedure Calls (LPCs) internally to interact with LSA, instructing it to generate audit logs on the application's behalf. The mechanism is elegant and simple.

First, the application registers a security event source handle with LSA by calling AuthzRegisterSecurityEventSource. The only parameter that is of interest for this API is the name of the event source, which can be almost anything, subject to a few restrictions. For instance, it cannot be named "Security" because that name is reserved for system use. The security event source handle returned by this call is used in the following steps.

Next, events are generated by calling one of two closely relat-ed APIs: AuthzReportSecurityEvent or AuthzReportSecurityEventFromParams. Finally, when the application shuts down, it unregisters the security event source handle by calling AuthzUnregisterSecurityEventSource.

Refer: The Security log

can you share me any example how can ı call this function and write log in security log using this function.

Code Sample: (C++)

#include <stdio.h>
#include <iostream>
#include <string>
#include <strsafe.h>
#include <windows.h>
#include <Authz.h>
#include <Ntsecapi.h>


#pragma comment(lib,"Authz.lib")
#pragma comment(lib,"Advapi32.lib")

BOOL SetPrivilege(
    HANDLE hToken,          // access token handle
    LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
    BOOL bEnablePrivilege   // to enable or disable privilege
)
{
    TOKEN_PRIVILEGES tp;
    LUID luid;

    if (!LookupPrivilegeValue(
        NULL,            // lookup privilege on local system
        lpszPrivilege,   // privilege to lookup
        &luid))        // receives LUID of privilege
    {
        printf("LookupPrivilegeValue error: %u\n", GetLastError());
        return FALSE;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    if (bEnablePrivilege)
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    else
        tp.Privileges[0].Attributes = 0;

    // Enable the privilege or disable all privileges.

    if (!AdjustTokenPrivileges(
        hToken,
        FALSE,
        &tp,
        sizeof(TOKEN_PRIVILEGES),
        (PTOKEN_PRIVILEGES)NULL,
        (PDWORD)NULL))
    {
        printf("AdjustTokenPrivileges error: %u\n", GetLastError());
        return FALSE;
    }

    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)

    {
        printf("The token does not have the specified privilege. \n");
        return FALSE;
    }

    printf("Get the specified privilege! \n");

    return TRUE;
}




int main(int argc, const char* argv[])
{
    // Declare and initialize variables.

    BOOL bResult = TRUE;
    DWORD event_id = 4624;
    AUTHZ_SECURITY_EVENT_PROVIDER_HANDLE hEventProvider = NULL;
    PAUDIT_PARAMS p;
    std::string Source_Name = "Test security audit";
    std::wstring ws;
    std::string pbuf = "What is your purpose ?";
    std::wstring ws_buf;
    int return_code = 0;
    int i = 0;
    // Register the audit provider.
    HANDLE token;
    HANDLE hevent_source;
    ws.assign(Source_Name.begin(), Source_Name.end());
    ws_buf.assign(pbuf.begin(), pbuf.end());

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
        return FALSE;

    SetPrivilege(token, L"SeAuditPrivilege", true);

    AUTHZ_SOURCE_SCHEMA_REGISTRATION ar;
    memset(&ar, 0, sizeof(ar));
    ar.dwFlags = AUTHZ_ALLOW_MULTIPLE_SOURCE_INSTANCES;
    ar.szEventSourceName = &ws[0];
    ar.szEventMessageFile = &ws_buf[0];
    ar.szEventSourceXmlSchemaFile = NULL;
    ar.szEventAccessStringsFile = &ws_buf[0];
    ar.szExecutableImagePath = NULL;

    AuthzInstallSecurityEventSource(0, &ar);

    bResult = AuthzRegisterSecurityEventSource(0, ws.c_str(), &hEventProvider);
    int err = GetLastError();
    if (!bResult)
    {
        printf("AuthzRegisterSecurityEventSource failed, error is %d\n", err);
        return_code = -1;
    }

    SID id;
    if (hEventProvider)
    {
        // Generate the audit.
        while (i < 10) {
            bResult = AuthzReportSecurityEvent(
                APF_AuditSuccess,
                hEventProvider,
                event_id,
                NULL,
                3,
                APT_String, L"Jay Hamlin",
                APT_String, L"March 21, 1960",
                APT_Ulong, 45);
            int err1 = GetLastError();
            if (!bResult)
            {
                printf("AuthzReportSecurityEvent failed, error is %d\n", err1);
                return_code = -2;
                break;
            }

            i++;
        }

        AuthzUnregisterSecurityEventSource(0, &hEventProvider);
        AuthzUninstallSecurityEventSource(0, &ws[0]);
    }
    std::cout << "Exit  : " << return_code << std::endl;
    getchar();
}

Note: A few things you have to do in the Local Security Policy before running the code sample. Steps can refer: https://stackoverflow.com/a/18242724/11128312

After assigning permissions to the current user, please restart the computer to make it effective.

Updated:

Please go to local policies->Audit Policy. Enable "Audit Object Access" for success and failure.

enter image description here

Then you rebuild and debug again, you will find Security logs appear in Event Viewer.

enter image description here