Last Update 2018.02.07
WHORUEvent – Collect Windows log
When you use WHORUEvent,
you receive an email as soon as a remote desktop connection is made with your account.
If you did not connect to the server yourself, just click the link and the connecting IP is blocked automatically.
Code signed as “Open Source Developer, JuSeong Han”
IF YOU LIKE IT, CLICK THE LIKE BUTTON 🙂
2018.02.07 – Fixed failed event collection, added option string exception handling
2018.01.02 – Network event log collection fix
2017.04.19 – Performance update (multithreading)
2016.12.05 – When an email cannot be sent, raise the syslog level
whoru.ini
[General]
Syslog_IP=172.16.253.20
SMTP_IP=10.0.0.5
File=false
Syslog=true
Email=true
Domain=<Domain>
AdminEmail=<Email>
[Eventlog]
System=true
Application=true
Login=true
NetworkLogon=false
Block=false
Most server security work consists of blocking WMI, PowerShell and other services that can be executed remotely, and of minimizing the network points that can connect to the server.
However, remote desktop has to be left open because it is required to operate the server.
Limiting access to the developers and operations staff who need it improves security, but the PCs of those developers and operators are not safe either. Therefore, monitoring of remote desktop connections made to the server from remote hosts is needed.
I thought the most effective monitoring method would be to let the user decide directly whether the access was legitimate, rather than leaving it unresolved.
The following is the remote login alarm / protection provided by WHORUEvent.
When a remote connection is made, an email telling the account owner that there was a remote connection is sent to the account's address at the configured domain. At the same time, a web server instance that is valid for 30 minutes is created; when the link in the email is clicked, the connecting IP is blocked on the server directly and the security administrators group is notified.
The WHORUEvent process is as follows.
1. Check for a remote connection.
2. When a remote connection is confirmed, generate a random web address that is available for 30 minutes.
3. Inform the email address of the account used remotely of the connection and of the generated web address.
4. If the user who receives this email is not the person who connected, they click the web address included in the mail. If clicking is difficult, forward the mail to inform the administrators group.
5. If the user clicks, the server blocks the IP that connected remotely and informs the administrators group that the user blocked the connection to the server.
6. The web address is randomly generated, only that URL is valid, and it is closed after 30 minutes.
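The process above, as an added Python example that is not WHORUEvent's own code: it filters a constructed logon event, issues a random link that is valid for 30 minutes, and on redemption blocks the source IP once and only once, rejecting unknown, replayed and expired links. The event 4624 / LogonType 10 mapping comes from Windows documentation rather than this page, and block_ip, notify_admins and the event dict are assumed stand-ins for the tool's firewall control, admin mail and log reader.

```python
import secrets
import time
from dataclasses import dataclass

LINK_TTL_SECONDS = 30 * 60  # the page states the link stays valid for 30 minutes


def remote_logon_from_event(event: dict):
    """Return (account, source_ip) for an RDP logon, else None. Security event
    4624 with LogonType 10 (RemoteInteractive) is an RDP logon; the event ID,
    logon type and field names come from Windows docs, not from the page."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 10:
        return None
    return event["TargetUserName"], event["IpAddress"]


@dataclass
class BlockLink:
    account: str
    source_ip: str
    expires_at: float
    used: bool = False


class BlockLinkStore:
    # block_ip / notify_admins are hypothetical callbacks standing in for the
    # tool's firewall control and admin mail; now is injectable for testing.
    def __init__(self, block_ip, notify_admins, now=time.time):
        self._links = {}
        self._block_ip = block_ip
        self._notify_admins = notify_admins
        self._now = now

    def issue(self, account: str, source_ip: str) -> str:
        # 32 CSPRNG bytes: an unguessable path, so only the mailed owner can block
        token = secrets.token_urlsafe(32)
        self._links[token] = BlockLink(account, source_ip, self._now() + LINK_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> str:
        link = self._links.get(token)
        if link is None:
            return "unknown"        # forged, mistyped or never issued
        if link.used:
            return "already-used"   # single use: a replayed click does nothing
        if self._now() > link.expires_at:
            del self._links[token]
            return "expired"        # the 30-minute window has closed
        link.used = True
        self._block_ip(link.source_ip)
        self._notify_admins(f"{link.account} blocked remote source {link.source_ip}")
        return "blocked"
```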
HOW TO USE
Check WHORU.ini (the options are explained below).
Run CMD –> whoruevent -i (use the “-i” option to install the service; the “-u” option uninstalls it).
1. Collect Event log
Collects the Security log and the System / Application event logs.
2. Powerful Operation – Optimize performance
One server can produce over 500 MB of event log in a single day, but WHORU Event still sends every event exactly while using little memory and CPU (below 5%).
3. Defense against hackers – Block connections to the server.
When a connection to the server is made by remote desktop, WHORU EVENT creates a one-time web server and sends a notification email to the account user.
If the account user did not connect to this server, they just click the email link; the source IP is then blocked from connecting as soon as possible.
If you want an email to be sent on remote login, set the user's email properties.
How to Configure
Syslog_IP=x.x.x.x Syslog server IP.
Email_IP=x.x.x.x SMTP server IP.
File=false Record the log to a file.
Syslog=true Send the log to the syslog server.
Email=true Send an email notice on a successful remote desktop login; this email includes the block link URL.
Domain=asecurity.so When sending email, this domain name is combined with the user's email account, so if you want to use the email option we recommend joining the server to Active Directory.
AdminEmail=firstname.lastname@example.org If you want to display an administrator address in the email, write it here.
System=true Monitor the System event log at level Warning or higher.
Application=true Monitor the Application event log at level Warning or higher.
Login=true Monitor logon events.
NetworkLogon=false Monitor network logon events.
Block=false Create the block link and control the server firewall when a remote connection is made to the server.