Hello,
I'm getting the event logs from a vPro processor from a Java application, inside an array of bytes, with this:
EventRecordBytes = WsmanUtils.getBase64Bytes(eventRecords[index].toString());
I can get a lot of data, such as the audit event id, etc., for example:
// combine the AuditAppID and EventID bytes to get auditEventEnum
auditEventEnum = EventRecordBytes[1] * 1000;
auditEventEnum += EventRecordBytes[3];
Do you know an easy way to get the user that tries to perform a KVM session?
Tks
What AMT version are you working with? You should be able to get the user name for any event that is recorded via the audit log:
One of the following structures appears in each audit log record.
HTTPDigestInitiatorType - HTTP Digest user details:
typedef struct _HTTPDigestInitiatorType
{
    uint8 Username_length;
    uint8 Username[];
} HTTPDigestInitiatorType;
Hello Gael.
I'm working with all versions... it's a large machine park. Since 4....
Almost all are 7.
Do you have some code explaining the conversion that I must perform?
Tks in advance
You might want to take a look at the Open Developer's Toolkit. Ylian has added a wsman javascript stack. You can download the source code and see if you can get an idea of how to use it.
Perfect, I'll check it and post here as soon as I find the answer.
Thank you very much
Hi Gael.
What I have from Open Dev Toolkit does not help a lot, because it has not implemented what I want to do, that is, get the username or SID from events; mainly, I want to get the user that performs (or tries to perform) a KVM session.
So far, what I get is:
When we get an event of type KerberosSIDInitiatorType when reading the audit log, we get this event, for example:
ABIACAHYHwAAGAEFAAAAAAAFFQAAANhiakHgFYYr/SiaT1HVkGIADTEwLjUwLjEyNS4xMDAA
Converting to a byte array we get:
[0, 18, 0, 8, 1, -40, 31, 0, 0, 24, 1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, -40, 98, 106, 65, -32, 21, -122, -43, -3, 40, 102, 78, 81, -43, -112, 98, 0, 13, 49, 48, 46, 53, 48, 46, 49, 50, 53, 46, 49, 48, 48, 0]
In the attached image you can see in detail what each piece of information is.
The doubt is how to convert item 4 (InitiatorData), which has the user SID, Domain size and Domain?
The other information can be extracted normally. We are using Java.
For more information:
typedef struct _KerberosSIDInitiatorType
{
    uint32 UserInDomain;
    uint8 Domain_length;
    uint8 Domain[];
} KerberosSIDInitiatorType;
Field descriptions:
UserInDomain - SID number of the user
Domain_length - Length of domain (up to 255)
Domain - Kerberos domain (up to 255 bytes long)
We solved the problem here. Follow the solution; feel free to contact me if you have doubts:
If Initiator Type == 1, then we have the user's AD SID; using this SID we can retrieve all user info from AD.
We are using the Intel® WS-Management Java Client Library here as the base for development.
Take a look at the picture from the post above. We will have to use this information:
typedef struct _KerberosSIDInitiatorType
{
    uint32 UserInDomain;
    uint8 Domain_length;
    uint8 Domain[];
} KerberosSIDInitiatorType;
The SID is the composition of Domain[] + UserInDomain.
In Java, we need some libraries to get the user from AD. You can see part of our code here:
// record offsets: [0..1] AuditAppID, [2..3] EventID, [4] InitType, [5..8] UserInDomain, [9] Domain_length, [10..] Domain[]
byte bytesUser[] = HandleBytesUtil.getDataArrayByEventRecordBytes(5, 4, EventRecordBytes);
int domainLength = EventRecordBytes[9] & 0xFF; // Domain_length is a uint8 (up to 255); mask the sign of the Java byte
byte kerberosDomainBytes[] = HandleBytesUtil.getDataArrayByEventRecordBytes(10, domainLength, EventRecordBytes);
timestampOffset = domainLength + 10; // the 4-byte Timestamp follows Domain[]
usuarioEvent = HandleBytesUtil.getUserKerberos(bytesUser, kerberosDomainBytes);
Here is the class that manipulates SID related data:
import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.Calendar;
import br.com.infoserver.collector.LogCreator;
import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.WinNT;
import com.sun.jna.platform.win32.Advapi32Util.Account;
import com.sun.jna.platform.win32.WinNT.PSID;

public class HandleBytesUtil {
    /**
     * @param idx index of the first byte of the field inside the record
     * @param length number of bytes the field occupies
     * @param eventRecordBytes byte array with the whole audit record
     * @return the bytes that represent the field
     */
    public static byte[] getDataArrayByEventRecordBytes(int idx, int length, byte eventRecordBytes[]) {
        byte byteArray[] = new byte[length];
        for (int i = 0; i < byteArray.length; i++) {
            byteArray[i] = eventRecordBytes[idx++];
        }
        return byteArray;
    }

    /**
     * Combine both arrays of bytes to get the SID of the user
     * @param bytesUser the 4 UserInDomain bytes (the RID, already in SID byte order)
     * @param kerberosDomainBytes the Domain[] bytes (binary domain SID)
     * @return domain\\user
     */
    public static String getUserKerberos(byte[] bytesUser, byte[] kerberosDomainBytes) {
        // append the user bytes to the domain SID bytes to form the full binary SID,
        // then resolve it to an account using com.sun.jna.*
        byte domainUserBytes[] = Arrays.copyOf(kerberosDomainBytes, kerberosDomainBytes.length + bytesUser.length);
        int i = kerberosDomainBytes.length;
        for (byte b : bytesUser) {
            domainUserBytes[i] = b;
            i++;
        }
        try {
            PSID sid = new WinNT.PSID(domainUserBytes);
            Account ac = Advapi32Util.getAccountBySid(sid);
            return ac.fqn;
        } catch (Exception e) {
            LogCreator.doWriteTxt("Erro obtendo SID do usuario"); // "Error getting user SID"
        }
        return "NA";
    }

    /**
     * Convert the timestamp bytes to a Calendar in UTC
     * @param byteArrayTime 4 bytes (32 bits), big-endian seconds since the epoch
     * @return Calendar
     */
    public static Calendar getTimestampToCalendar(byte[] byteArrayTime) {
        // ByteBuffer reads big-endian by default, which is how the audit log stores the timestamp
        ByteBuffer timeBuffer = ByteBuffer.wrap(byteArrayTime);
        // mask so the value is treated as an unsigned 32-bit number
        long timeInUTC = timeBuffer.getInt() & 0xFFFFFFFFL;
        // The audit log returns time in UTC seconds; multiply by 1000 for milliseconds.
        // You may want to convert to local time.
        Calendar calendar = Calendar.getInstance();
        calendar.setTimeInMillis(timeInUTC * 1000);
        return calendar;
    }
}
Hope that this will be useful for someone.
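As an added example that is not part of the thread (it is neither Intel's nor the poster's code), the parser below decodes the base64 record quoted earlier in Python, so the check can run on any host without a Windows JNA lookup. It walks the same offsets the Java snippet indexes into (AuditAppID, EventID, InitType, UserInDomain, Domain_length, Domain[]); the fields after the initiator (Timestamp, MCLocationType, NetAddress_length, NetAddress[], Ex_length) are assumed from the AMT SDK audit-record layout and checked against the sample, and the composed Domain[] + UserInDomain bytes are rendered as an S-1-5-... string instead of being resolved through AD.

```python
import base64
import struct
from datetime import datetime, timezone

# The base64 KVM record quoted in the thread (AuditAppID 18, EventID 8, InitType 1).
SAMPLE_RECORD_B64 = "ABIACAHYHwAAGAEFAAAAAAAFFQAAANhiakHgFYYr/SiaT1HVkGIADTEwLjUwLjEyNS4xMDAA"
KERBEROS_SID_INITIATOR = 1  # InitType value of KerberosSIDInitiatorType

def sid_to_string(sid: bytes) -> str:
    """Binary SID -> S-R-A-S1...: u8 revision, u8 count, 48-bit BE authority, LE u32 sub-authorities."""
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def parse_kerberos_audit_record(record: bytes) -> dict:
    """Walk one audit record with a KerberosSIDInitiatorType initiator. Assumed layout:
    AuditAppID u16, EventID u16, InitType u8, UserInDomain u32, Domain_length u8, Domain[],
    Timestamp u32 (big-endian), MCLocationType u8, NetAddress_length u8, NetAddress[], Ex_length u8."""
    app_id, event_id, init_type = struct.unpack_from(">HHB", record, 0)
    if init_type != KERBEROS_SID_INITIATOR:
        raise ValueError("InitType %d is not a Kerberos SID initiator" % init_type)
    user_in_domain = record[5:9]             # the RID, already in SID byte order
    domain_len = record[9]
    domain_sid = record[10:10 + domain_len]  # binary domain SID, RID slot still empty
    off = 10 + domain_len
    timestamp, loc_type, addr_len = struct.unpack_from(">IBB", record, off)
    off += 6
    net_address = record[off:off + addr_len].decode("ascii")
    off += addr_len
    ext_len = record[off]
    return {
        "audit_app_id": app_id,
        "event_id": event_id,
        "user_sid": sid_to_string(domain_sid + user_in_domain),  # Domain[] + UserInDomain
        "rid": int.from_bytes(user_in_domain, "little"),
        "timestamp": timestamp,
        "time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "net_address": net_address,
        "extended_data": record[off + 1:off + 1 + ext_len],
    }

def parse_record_b64(record_b64: str) -> dict:
    return parse_kerberos_audit_record(base64.b64decode(record_b64))

if __name__ == "__main__":
    for field, value in parse_record_b64(SAMPLE_RECORD_B64).items():
        print("%-14s %s" % (field, value))
```

For the sample this yields the KVM session start (AuditAppID 18, EventID 8) from 10.50.125.100 on 2013-07-04 UTC, attributed to RID 8152 of the domain SID carried in Domain[].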
Thank you so much for providing your solution. This would make a great blog. Would you consider blogging this on IDZ? I could blog it, but I'd rather you got the credit for it.
--Gael
Hello Gael.
I'm writing a post and will send as soon as I finish. :-)
Tks
Wonderful!
Just sent the post. Waiting for it to be published:
http://software.intel.com/en-us/blogs/2013/07/25/get-username-from-amt-audit-logs-using-java
Thanks Juliano! Your blog has been published and will be tweeted via @intelswblog as well as my twitter account.