PowerShell ConvertFrom-String not working - regex

I'm trying to parse the event log with ConvertFrom-String but am unable to get the result. The event and code are below.
$string=@'
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,4768,Microsoft-Windows-Security-Auditing,,Audit Success,PAD.Local,Kerberos Authentication Service,,A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: SQLSVC Supplied Realm Name: PAD User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
'@
$temp=@'
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,{EventID*:4768},Microsoft-Windows-Security-Auditing,,{Type:Audit Success},{ServerName:PAD.Local},Kerberos Authentication Service,,{Ticket:A Kerberos authentication ticket (TGT) was requested.} Account Information: {ACName:Account Name: SQLSVC} Supplied Realm Name: {Domain:PAD} User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
'@
$string |ConvertFrom-String -TemplateContent $temp
Expected output is:
EventID  Type           ServerName  ...etc
4768     Audit Success  PAD.Local

You can give multiple examples in your pattern for a better analysis:
$string=@'
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,4768,Microsoft-Windows-Security-Auditing,,Audit Success,PAD.Local,Kerberos Authentication Service,,A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: SQLSVC Supplied Realm Name: PAD User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
'@
$temp=@'
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,{EventID*:4768},Microsoft-Windows-Security-Auditing,,{Type:Audit Success},{ServerName:PAD.Local},Kerberos Authentication Service,,{Ticket:A Kerberos authentication ticket (TGT) was requested.} Account Information: {ACName:Account Name: SQLSVC} Supplied Realm Name: {Domain:PAD} User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,{EventID*:1},Microsoft-Windows-Security-Auditing,,{Type:Audit Success 2},{ServerName:XXXXX},Kerberos Authentication Service,,{Ticket:A Kerberos authentication ticket (TGT) was requested.} Account Information: {ACName:Account Name: dddddd} Supplied Realm Name: {Domain:XXXXXX} User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
'@
$string |ConvertFrom-String -TemplateContent $temp
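As an added example that is not part of the question or the answer: the same 4768 record parsed with a fixed regex instead of ConvertFrom-String's template inference, which gives the same fields deterministically. The function name, the output property names and the column positions (taken from the sample line) are my own choices.

```powershell
# Added example: deterministic parsing of the 4768 record from the question.
# The sample line is the one posted above, embedded here so the script runs offline.
$sample = @'
%NICWIN-4-Security_4768_Microsoft-Windows-Security-Auditing: Security,rn=54761543 cid=8228 eid=728,Mon Nov 30 15:59:32 2020,4768,Microsoft-Windows-Security-Auditing,,Audit Success,PAD.Local,Kerberos Authentication Service,,A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: SQLSVC Supplied Realm Name: PAD User ID: S-1-5-21-3919716692-2946903121-3479928240-1751 Service Information: Service Name: krbtgt Service ID: S-1-5-21-3919716692-2946903152-3479928250-502 Network Information: Client Address: ::ffff:192.168.1.5 Client Port: 56168 Additional Information: Ticket Options: 0x40810010 Result Code: 0x0 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
'@

function ConvertFrom-Kerberos4768 {
    param([Parameter(Mandatory)][string]$Line)

    # The header is comma-separated: in the sample, field 4 is the EventID,
    # field 7 the audit result and field 8 the computer name. Limiting the split
    # to 11 pieces keeps the free-text message intact, commas included.
    $head = $Line -split ',', 11
    if ($head.Count -lt 11 -or $head[3] -ne '4768') { return $null }

    # The message is "Label: value" text; each value runs until the next label.
    $rx = 'Account Name: (?<Account>.+?) Supplied Realm Name: (?<Realm>.+?) User ID: (?<UserSid>S-[\d-]+).*?Client Address: (?<ClientAddress>\S+) Client Port: (?<ClientPort>\d+).*?Ticket Options: (?<Options>0x[0-9A-Fa-f]+) Result Code: (?<ResultCode>0x[0-9A-Fa-f]+) Ticket Encryption Type: (?<EncType>0x[0-9A-Fa-f]+) Pre-Authentication Type: (?<PreAuth>\d+)'
    $m = [regex]::Match($head[10], $rx)
    if (-not $m.Success) { return $null }

    [pscustomobject]@{
        EventID        = [int]$head[3]
        Type           = $head[6]
        ServerName     = $head[7]
        AccountName    = $m.Groups['Account'].Value
        Domain         = $m.Groups['Realm'].Value
        UserSid        = $m.Groups['UserSid'].Value
        # Strip the IPv4-mapped IPv6 prefix so the address compares cleanly.
        ClientAddress  = $m.Groups['ClientAddress'].Value -replace '^::ffff:', ''
        ClientPort     = [int]$m.Groups['ClientPort'].Value
        TicketOptions  = $m.Groups['Options'].Value
        ResultCode     = $m.Groups['ResultCode'].Value
        EncryptionType = $m.Groups['EncType'].Value
        PreAuthType    = [int]$m.Groups['PreAuth'].Value
        # 0x0 is the only success code; anything else is a failed TGT request worth triaging.
        Success        = ($m.Groups['ResultCode'].Value -eq '0x0')
    }
}

ConvertFrom-Kerberos4768 -Line $sample | Format-List
```

For a whole log, pipe each line through the function (Get-Content .\events.log | ForEach-Object { ConvertFrom-Kerberos4768 $_ }) and filter on Success or ResultCode.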

Related

Cloud API Gateway doesn't allow with CORS

I have a Cloud API Gateway that connects to a Cloud Function.
It worked great with an API key that I generated, but when I restricted the key to enable access for my specific domain only, example.com, I started to get CORS errors on the client (it did work without the domain restriction).
So I enabled CORS in the config file in the Console; the file had no errors, but I still get a CORS error when accessing the API URL from my domain with the key:
https://project-xxxx.uc.gateway.dev/search?key=AIxxxxxxxxx
Config:
swagger: "2.0"
info:
  title: projectapi
  description: "data api"
  version: "1.0.0"
schemes:
  - "https"
host: "project-xxxxxxxx.apigateway.xxxxx-xxxxx.cloud.goog"
x-google-endpoints:
  - name: "project-xxxxxxxx.apigateway.xxxxx-xxxxx.cloud.goog"
    allowCors: True
paths:
  "/search":
    get:
      description: "data"
      operationId: "project"
      x-google-backend:
        address: https://us-central1-projectName.cloudfunctions.net/search
      security:
        - api_key: [key]
      responses:
        200:
          description: "Success."
          schema:
            type: string
        400:
          description: "Invalid"
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"
My Cloud Function does allow CORS, and works great if called directly with the link above (with the key in the address).
Why won't this config allow CORS for the Gateway?
Solved!
You must enable the key not only for your domain name but also for your specific API name from the list: go to APIs & Services => Credentials => API keys => your key => API restrictions => choose your API name from the list!
This allows access to a Function from a specific domain without using a Balancer.

Google API Gateway: Provide API key in header

I'm trying to set up Google API Gateway to use an API key that callers send in the header.
My API config YAML looks like this:
...
securityDefinitions:
  api_key_header:
    type: apiKey
    name: key
    in: header
  api_key_query:
    type: apiKey
    name: key
    in: query
paths:
  /foo-header:
    get:
      summary: Test foo endpoint
      operationId: testGet-header
      x-google-backend:
        address: "<backend address>"
        protocol: h2
        path_translation: APPEND_PATH_TO_ADDRESS
      security:
        - api_key_header: []
      responses:
        204:
          description: A successful response
  /foo-query:
    get:
      summary: Test foo endpoint
      operationId: testGet-header
      x-google-backend:
        address: "<backend address>"
        protocol: h2
        path_translation: APPEND_PATH_TO_ADDRESS
      security:
        - api_key_query: []
      responses:
        204:
          description: A successful response
I expect both calls, /foo-header and /foo-query, to fail with a 401 status if a valid API key is not provided via header or query parameter.
But in fact only /foo-query behaves as expected.
Requests to /foo-header pass to the backend even when the API key is not provided in the request header.
Do I have an issue with the config, or is it Google API Gateway that doesn't work properly when the API key is provided in a request header?
When in is header, the name should be x-api-key.
https://cloud.google.com/endpoints/docs/openapi/openapi-limitations#api_key_definition_limitations
It seems that the Google API Gateway should work fine when the API key is provided in request header since the Google API Gateway documentation states:
A developer generates an API key in a project in the Cloud Console and embeds that key in every call to your API as a query parameter or in a request header.
However, I was able to reproduce the behavior you reported, thus I don't think that there is something wrong in your configuration.
For that I had been following the GCP quickstart for Google API Gateway, modifying it slightly so that my OpenAPI spec would also have 2 paths: one looking for a key in the query parameters, the other in the request header.
paths:
  /foo-header:
    get:
      summary: Test security
      operationId: headerkey
      x-google-backend:
        address: [MY_CLOUD_FUNCTION_1]
      security:
        - api_key_header: []
      responses:
        '200':
          description: A successful response
          schema:
            type: string
  /foo-query:
    get:
      summary: Test security
      operationId: querykey
      x-google-backend:
        address: [MY_CLOUD_FUNCTION_2]
      security:
        - api_key_query: []
      responses:
        '200':
          description: A successful response
          schema:
            type: string
securityDefinitions:
  # This section configures basic authentication with an API key.
  api_key_header:
    type: "apiKey"
    name: "key"
    in: "header"
  api_key_query:
    type: "apiKey"
    name: "key"
    in: "query"
Just like you, I could see the requests to /foo-header pass to the backend even when there was no API key provided.
I would suggest you report this issue on the Public Issue Tracker, so that it would be reviewed by the appropriate GCP engineering team.

Proxying to multiple services using Google ESP

I have been reviewing Google Cloud Extensible Service Proxy, which promises to be a serverless NGINX instance; however, I am unsure how to proxy to multiple services running in App Engine through it, and essentially use it as a gateway. It seems to demand a host in the Swagger JSON configuration and an environment variable that points to the endpoint service name, and I don't see how it could proxy to multiple services given this constraint.
My understanding is that you could host the Endpoints ESP using Cloud Run. This would then give you a single URL from which to access it but would spin up enough instances of the ESP if needed. The Open API specification document you would then register with it would contain paths corresponding to each instance of a service you want to expose. For each path, you would then define an x-google-backend pointing to the service URL that each path would resolve against.
EDIT:
The YAML file will look something like this:
info:
  title: Cloud Endpoints with API Keys
  description: Sample API on Cloud Endpoints with multiple App Engine with IAP backend
  version: 1.0.0
host: <ENDPOINT_URL>
schemes:
  - https
produces:
  - application/json
paths:
  /hello-gae1:
    get:
      summary: Greet a user from App Engine
      operationId: hello_gae
      x-google-backend:
        address: https://<PROJECT_ID>.appspot.com
      parameters:
        - in: query
          name: name
          required: false
          type: string
      responses:
        '200':
          description: A successful response
          schema:
            type: string
  /hello-gae2:
    get:
      summary: Greet a user from App Engine
      operationId: hello_gae
      x-google-backend:
        address: https://<SERVICE-dot-PROJECT_ID>.appspot.com
      parameters:
        - in: query
          name: name
          required: false
          type: string
      responses:
        '200':
          description: A successful response
          schema:
            type: string
  /hello-gae3:
    get:
      summary: Greet a user from App Engine
      operationId: hello_gae
      x-google-backend:
        address: https://<SERVICE-dot-PROJECT_ID>.appspot.com
      parameters:
        - in: query
          name: name
          required: false
          type: string
      responses:
        '200':
          description: A successful response
          schema:
            type: string
securityDefinitions:
  # This section configures basic authentication with an API key.
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"
References:
Getting Started with Endpoints for Cloud Run

How to remove all text except variable substring between two known points?

I've got a huge log file from our VPN appliance and I'd like to cut it down to just the Domain\Username. There is some variation in the text after Domain\Username, but it all begins with the date (varies), time (varies), - Access-DC - (consistent), and a bracketed IP address (brackets remain but the IP varies). The username length also varies. Any help is appreciated.
Yeah, I'm pretty new to RegEx... I'm using Notepad++ to cut it down. I would like the text to appear as Domain\username at the end. I have tried several expressions to trim it down, but was only partially successful, and since the text after Domain\Username varies it left many lines.
Ex. .*(?<=Username:) and (?>,).*
Sample Data:
2017-06-29 07:27:13 - Access-DC - [10.10.25.294] Domain\username(Basic Domain Access)[Basic Employee Access] - Web SSO: Authentication successful. Credential Used: Username: username, Error: (0) Initial, Realm: Domain.COM, Auth Type: (32) Kerberos, Cred Type: (0) System Credential, Target: server.Domain.com, Password: XXXXXX, Has Ticket: 1, Policy Auth: (32) Kerberos, Cred Label: Default, Server Realm: Domain.COM,
2017-06-29 07:27:13 - Access-DC - [10.5.27.236] Domain\username(Basic Domain Access)[Basic Employee Access] - Web SSO: Authentication successful. Credential Used: Username: username, Error: (0) Initial, Realm: Domain.COM, Auth Type: (32) Kerberos, Cred Type: (0) System Credential, Target: server.Domain.com, Password: XXXXXX, Has Ticket: 1, Policy Auth: (32) Kerberos, Cred Label: Default, Server Realm: Domain.COM,
2017-06-29 07:27:13 - Access-DC - [10.5.27.236] Domain\username(Basic Domain Access)[Basic Employee Access] - Web SSO: Authentication successful. Credential Used: Username: username, Error: (0) Initial, Realm: Domain.COM, Auth Type: (32) Kerberos, Cred Type: (0) System Credential, Target: server.Domain.com, Password: XXXXXX, Has Ticket: 1, Policy Auth: (32) Kerberos, Cred Label: Default, Server Realm: Domain.COM,
Desired Output:
Domain\username
Domain\username
Domain\username
Targeting the substring between ] and (, this will get you there:
Pattern: ^[^]]+] ([^(]+).*
Replace With: $1
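The same pattern applied in PowerShell instead of Notepad++, as an added example that is not part of the question or the answer. PowerShell's -replace uses the same $1 group reference, so the pattern carries over unchanged apart from the square brackets being written escaped; the function name and the vpn.log path are my own.

```powershell
# Added example: the answer's pattern run over the question's log lines.
# Written with escaped brackets; equivalent to ^[^]]+] ([^(]+).* from the answer.
$pattern = '^[^\]]+\] ([^(]+).*'

# Sample input: two lines from the question plus one constructed line that
# lacks the bracketed IP address, to show what happens to lines that do not fit.
$sample = @'
2017-06-29 07:27:13 - Access-DC - [10.10.25.294] Domain\username(Basic Domain Access)[Basic Employee Access] - Web SSO: Authentication successful. Credential Used: Username: username, Error: (0) Initial, Realm: Domain.COM, Auth Type: (32) Kerberos, Cred Type: (0) System Credential, Target: server.Domain.com, Password: XXXXXX, Has Ticket: 1, Policy Auth: (32) Kerberos, Cred Label: Default, Server Realm: Domain.COM,
2017-06-29 07:27:13 - Access-DC - [10.5.27.236] Domain\username(Basic Domain Access)[Basic Employee Access] - Web SSO: Authentication successful. Credential Used: Username: username, Error: (0) Initial, Realm: Domain.COM, Auth Type: (32) Kerberos, Cred Type: (0) System Credential, Target: server.Domain.com, Password: XXXXXX, Has Ticket: 1, Policy Auth: (32) Kerberos, Cred Label: Default, Server Realm: Domain.COM,
2017-06-29 07:28:01 - Access-DC - line without the expected bracketed address
'@ -split "`r?`n"

# One-to-one equivalent of the Notepad++ Find/Replace. Note that -replace, like
# Notepad++, passes a non-matching line through untouched, which is exactly why
# the asker was left with extra lines.
$sample -replace $pattern, '$1'

# Stricter variant: emit only the captured Domain\username and report the rest,
# so nothing unexpected ends up in the trimmed output.
function Get-VpnUser {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match $pattern) {
            $Matches[1]
        } else {
            Write-Warning "unparsed line: $Line"
        }
    }
}

$sample | Get-VpnUser
# For the real file: Get-Content .\vpn.log | Get-VpnUser | Sort-Object -Unique
```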

Redmine Email Configuration - An error occurred while sending mail (530 5.7.0 Authentication required)

My configuration.yml looks like this:
default:
  configuration
  email_delivery:
    delivery_method: :smtp
    smtp_settings:
      address: "mail.example.com"
      port: 25
      domain: "example.com"
      authentication: :login
      user_name: "redmine@example.com"
      password: "xxxxxxxx"
I am getting the message "An error occurred while sending mail (530 5.7.0 Authentication required)" while trying to send a test mail.
I have tried different options with STARTTLS, removing/adding quotes. It does not work. The configuration details work fine with Thunderbird. Somehow it does not work here.
Please note my Redmine setup is on AWS and my mail server is on other shared hosting. Does it have anything to do with the security groups?
Please guide me to fix the issue. Thanks in advance.
You need to change default to production or development, and the configuration line is unnecessary, so your config would look like this:
production:
  email_delivery:
    delivery_method: :smtp
    smtp_settings:
      address: "mail.example.com"
      port: 25
      domain: "example.com"
      authentication: :login
      user_name: "redmine@example.com"
      password: "xxxxxxxx"