Purpose: Track privileged user activity in Windows logs.
Logic:
If a logon event contains token_elev %1937 or %1938, save the logon_id (hex value) to a dynamic priv_logons list.
For subsequent events, if the logon_id in the event matches one of the entries in priv_logons list, add a 'privileged' tag to the event.
When receiving a logoff event with one of the logon_ids saved in priv_logons list, remove it from the list.
Is this doable in LogStash? If yes, how?
Not with Logstash alone.
Logstash does not maintain internal state or data objects between events; it is simply a parsing engine.
Logstash may help you create this kind of solution by doing the parsing work and then passing clean and sensible data to a program which performs the logic you are looking for.
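As an added example (not part of the original answer), here is the small stateful consumer that would sit behind Logstash and implement the logic from the question: it keeps the priv_logons set across events, tags matching events, and drops sessions on logoff. The event field names (event_id, logon_id, token_elevation_type, tags) and the sample events are assumptions constructed for the demo, not a fixed Logstash output schema.

```python
"""Track privileged logon sessions across parsed Windows security events."""
from typing import Dict, Iterable, List, Set

LOGON_EVENT = 4624              # 4624: an account was successfully logged on
LOGOFF_EVENTS = {4634, 4647}    # 4634: account logged off, 4647: user-initiated logoff
ELEVATED_TOKENS = {"1937", "1938"}  # TokenElevationType values named in the question


def _norm_token(value) -> str:
    """Strip the '%' or '%%' resource prefix Windows puts on token type values."""
    return str(value or "").lstrip("%")


class PrivTracker:
    """Holds the dynamic priv_logons list that a stateless parser cannot keep."""

    def __init__(self) -> None:
        self.priv_logons: Set[str] = set()

    def process(self, event: Dict) -> Dict:
        """Return a copy of the event, tagged 'privileged' if its session is tracked."""
        eid = event.get("event_id")
        logon_id = str(event.get("logon_id", "")).lower()   # hex IDs compare case-insensitively
        tags: List[str] = list(event.get("tags", []))
        # Step 1: a logon with an elevated token starts a tracked session.
        if eid == LOGON_EVENT and _norm_token(event.get("token_elevation_type")) in ELEVATED_TOKENS:
            self.priv_logons.add(logon_id)
        # Step 2: any event carrying a tracked logon_id (including the logoff itself) is tagged.
        if logon_id and logon_id in self.priv_logons and "privileged" not in tags:
            tags.append("privileged")
        # Step 3: a logoff ends the session so later reuse of the ID is not tagged.
        if eid in LOGOFF_EVENTS:
            self.priv_logons.discard(logon_id)
        return {**event, "tags": tags}

    def run(self, events: Iterable[Dict]) -> List[Dict]:
        return [self.process(e) for e in events]


# Constructed sample stream (not real log data): an elevated logon, activity in
# that session, an unelevated logon, the elevated logoff, then a stray event.
SAMPLE_EVENTS = [
    {"event_id": 4624, "logon_id": "0x3E7A1", "token_elevation_type": "%%1937", "user": "admin"},
    {"event_id": 4688, "logon_id": "0x3e7a1", "process": "cmd.exe"},
    {"event_id": 4624, "logon_id": "0x4f002", "token_elevation_type": "%%1936", "user": "bob"},
    {"event_id": 4688, "logon_id": "0x4f002", "process": "notepad.exe"},
    {"event_id": 4634, "logon_id": "0x3e7a1"},
    {"event_id": 4688, "logon_id": "0x3e7a1", "process": "late.exe"},
]


def tag_sample() -> List[Dict]:
    return PrivTracker().run(SAMPLE_EVENTS)
```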
Related
I'm creating an application in which users can create notes that are displayed in a grid. When a note is created, a corresponding text file is also created. When a user opens the application, the application reads the directory of note files, retrieves the content of each note file, and then displays it in the grid.
The idea is to make the grid of notes rearrangeable via drag-and-drop.
I've never done anything like this before, so I'm struggling to devise an efficient way to cache or remember the order in which the user has arranged the notes. I thought of storing the position of each note in the filename itself.
1_note3.txt
2_note7.txt
3_note4.txt
4_note2.txt
5_note6.txt
6_note8.txt
7_note5.txt
8_note1.txt
This doesn't seem like a good approach since, anytime the notes are rearranged, I'll have to rename a bunch of the files. For example, say the user creates a new note — which would be inserted as the first child of the grid for the sake of user experience — all of the filenames would have to be renamed.
1_note9.txt
2_note3.txt
3_note7.txt
4_note4.txt
5_note2.txt
6_note6.txt
7_note8.txt
8_note5.txt
9_note1.txt
Further, say a user now rearranges the notes by moving the first note to the fourth position in the top row. I'd now have to rename that file and all of the following files.
2_note3.txt
3_note7.txt
4_note4.txt
5_note9.txt
6_note2.txt
7_note6.txt
8_note8.txt
9_note5.txt
10_note1.txt
I could also store the order or arrangement in a separate file, and exclusively manipulate the content of this file instead of the actual filenames.
arrangement.txt
note3.txt
note7.txt
note4.txt
...
Although this may be superior to the last approach, it also doesn't seem that great since there is still additional overhead. For instance, when the application is launched, I'll first have to read that file in order to obtain the user arrangement before sorting files accordingly.
Does anybody have any experience implementing something like this? Is there a better way to go about it?
You may like to maintain the state of your note grid in a key-value map data structure. You can cache this map in memory or persist it in a separate file. This key-value map will store note grid data where "Key" will have the position order in the grid and "Value" will have the name of the corresponding text file. In case notes are rearranged you only need to update the values of two keys.
I'm trying to read in and loop through a configuration file which contains different mongoURIs and then trying to monitor their activity using mongo-oplog. I don't really know how to set the listeners (such as for update, insert, and delete) for all of these databases dynamically. Any ideas as to how I can go about doing so?
This is what I ended up doing (in case it helps someone out in the future).
I stored each URI in a list along with another list that contains its details like DB and collection name, and it turns out that you can loop through the list and set up each mongo-oplog one by one.
After you're done doing that the listeners are still active and whatever action you specified will be executed without you having to do anything related to the mongo-oplog again.
I want to add logging capabilities in my Lotus Notes application. Basically I want to be able to log who makes the change, when the change is made, and what field(s) is/are changed in a document. What is the best way to do this? I am also thinking of adding this at the end of each document so the user knows who made the changes.
OpenNTF has several tools for this purpose that you could use, including Open Audit and Audit Manager.
I've done this before using LotusScript. It's a bit of a pain, but the basic idea is to:
Create an array or new document object within the QueryOpen event, and store the values for all the items in the current document.
In your QuerySave event, compare the values of the current document to the in-memory copy you made, and then log any differences.
You can create a field on the form to write these changes to, and just append to it each time.
Watch out for other event handlers that make changes every time the document opens, though. You may need to copy original values in the PostOpen event, for example, if you change some fields in the QueryOpen event each time the doc opens; otherwise you'd get false change logs.
Hope this helps!
A "brute force" approach can also work. Every time a document is saved, create a copy of that version to a (separate) database. This will build an audit trail of the documents. The documents can be compared to extract the changes.
There is quite some overhead in this approach, but in my experience it has been worth it. The implementation is simple and all changes are captured without affecting the actual document. All information that is needed is captured and available for (offline) processing.
I need to trigger an alert if the value of a particular column changes (say marks<8, send mail to manager).
What should I do?
Some kinds of lists (e.g. tasks) allow you to send alerts when someone changes an item that appears in a particular view. Read the article "Use SharePoint Filtered Views to Stop Sending Alerts to Yourself" to get all the details (the appropriate section begins with "Well you need to set up a filtered view").
If your list supports this feature, first create a view that shows only the items that satisfy your marks<8 condition and then configure an alert that uses this view.
You can implement an event handler on the list to do this:
http://www.c-sharpcorner.com/UploadFile/Chandresh.P/EventHandler04292009070324AM/EventHandler.aspx
I'm aware of the event receivers on a list for items added etc. However, I have not found a way to fire code upon the creation of a list.
What I'm trying to do is associate a workflow with a list when the list is created (by the user through the UI).
Anyone any ideas?
Thanks.
There are a couple of routes you can take...
You can write your own list definition where you have defined the workflow association. That way all lists created based on your list definition will contain your workflow by default.
Or... depending on your workflow... write an EventReceiver you attach to all lists of the type you wish to attach your workflow to (can easily be achieved through a feature) and have your event receiver associate the workflow when the first item is added.
Or you can associate the workflow with the content type used in the list (your own content type you attach to your own list definition, or a default SharePoint content type).
I don't know the rest of your solution, so it's difficult for me to suggest the best solution for you.
What I (almost) always do is write my own list definition. That way I can avoid problems like this, now or in the future.
With SharePoint 2010 it is now possible to hook into the list creation event by overriding the ListAdded event in the SPListEventReceiver class.
I usually deploy an extra view page which is set to the default view. When the user creates the list he will be sent to the view page, which contains the setup in code-behind. The view page then calls a method I've created, which changes the default view, removes the setup view and changes any navigation node pointing to the setup view.
There is probably no perfect answer to this question because there is no list added event receiver (if memory serves me correctly).
I don't know if this is the case, but if you really just needed to register an ItemAdded (or updated, deleted, etc.) event to any new list, I believe you can register those events at the site (SPWeb) level and they will fire on any new lists created.