Compilation Of Active Directory Logs Using Rust.

Reading Time: 4 minutes

Active Directory:

Active Directory (AD) is a Microsoft product consisting of several services that run on Windows Server to manage permissions and access to networked resources. It stores data as objects; an object is a single element such as a user, group, application or device (for example, a printer).

In this blog we discuss the Active Directory service provided by Windows Server and its workflow, and then compile the Active Directory logs using the Rust programming language.

Fig. 1: Active Directory workflow.

Active Directory is a primary feature of Windows Server. Windows Server is an operating system that runs both local and Internet-based servers.

Active Directory also helps organisations control and manage the activity running on their networks.

These are some of the essential services Active Directory provides:

  • Active Directory provides information about the user objects, computers and services in the network.
  • It provides the tools to manage the user information stored in its database.
  • It lets administrators manage user accounts and resources and apply policies consistently, as the organisation requires.

Active Directory Web Services (ADWS):

Active Directory Web Services (ADWS) is a feature of Windows Server, introduced in Windows Server 2008 R2. It enables remote management of any local directory service instance through web services.

Fig. 2: Active Directory Web Services workflow.

We can stop or start Active Directory Web Services (ADWS) just like any other Windows service. However, the Active Directory module for Windows PowerShell and the Active Directory Administrative Center require ADWS for client connectivity.

ADWS supports Windows Integrated authentication and simple authentication, and it requires a server authentication certificate issued by a trusted certification authority.

Active Directory Domain Services (ADDS):

Active Directory Domain Services (ADDS) is the Active Directory service that authenticates the users and computers connected to Active Directory. A server running ADDS is called a domain controller.

It assigns and enforces security policies for all computers and handles installing or updating software.

Fig. 3: Active Directory Domain Services.

Key benefits provided by ADDS:

  • You can customise how your data is organised to meet your company's needs.
  • ADDS can be managed from any computer on the network.
  • ADDS provides built-in replication and redundancy: if one domain controller (DC) fails, another DC picks up the load.
  • All access to network resources goes through ADDS, which keeps management of network access rights centralised.

Logs of Active Directory:

Active Directory stores the activity logs of the server, and of related services such as ADDS and ADWS, in the Security event log file.

The path of the Security log file is:

C:\Windows\System32\winevt\Logs\Security.evtx

The Active Directory log is viewed in Event Viewer rather than as plain text, because the Security log is stored in the binary EVTX format.

Compile Active Directory logs:

To fetch the records from the Security log file we use the evtx crate's parser, which can return each record as a JSON document.

Cargo.toml:

[dependencies]
evtx = "0.4.1"

main.rs:

use evtx::EvtxParser;

fn main() {
    // Path of the Security log from the section above (reading it needs administrative rights).
    let log_path = r"C:\Windows\System32\winevt\Logs\Security.evtx";
    // from_path opens the file and validates the EVTX header before any record is read.
    let _parser = EvtxParser::from_path(log_path).expect("failed to open Security.evtx");
}

To extract values from the parsed records we then need a JSON parser that can read the fields of every record in the file.

serde_json is the strongly typed JSON library for Rust and parses the data record by record, so we use it here.

Cargo.toml:

[dependencies]
evtx = "0.4.1"
serde_json = "1.0.40"

main.rs:

use evtx::EvtxParser;
use serde_json::Value;

fn main() {
    let log_path = r"C:\Windows\System32\winevt\Logs\Security.evtx";
    // records_json() takes &mut self, so the parser must be mutable.
    let mut parser = EvtxParser::from_path(log_path).expect("failed to open Security.evtx");
    for record in parser.records_json() {
        // Each item is a Result; report records the parser could not decode and carry on.
        let record = match record { Ok(r) => r, Err(e) => { eprintln!("bad record: {}", e); continue; } };
        let data: Value = serde_json::from_str(&record.data).expect("record is not valid JSON");
        // Indexing a key that is absent from a record yields Value::Null, printed as "null".
        print!("{}  ", data["Event"]["System"]["EventID"].to_string());
        print!("{}  ", data["Event"]["EventData"]["IpAddress"].to_string());
        println!("{}", data["Event"]["EventData"]["ServiceName"].to_string());
    }
}

This prints the Event ID, IP address and service name of each record on its own line.

Output:

“4628” “192.168.1.1” “John”
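As an added example (not code from the post), the same record handling written in Python with the standard library's json module instead of the post's Rust and serde_json stack, so it runs without any crates. The sample records are constructed in the JSON layout the evtx crate produces; the helpers tolerate a missing field (which the Rust code above prints as null) and the object form of EventID, and then count failed logons (event 4625) per source address.

```python
import json
from collections import Counter

# Constructed sample records in the JSON shape the evtx crate's records_json()
# returns: one document per record with Event.System and Event.EventData. The
# second one uses the {"#attributes": ..., "#text": ...} form the crate emits
# for an element with XML attributes, such as <EventID Qualifiers="0">.
SAMPLE_RECORDS = [
    '{"Event":{"System":{"EventID":4624,"Computer":"DC01"},'
    '"EventData":{"TargetUserName":"john","IpAddress":"192.168.1.1","LogonType":3}}}',
    '{"Event":{"System":{"EventID":{"#attributes":{"Qualifiers":0},"#text":4625}},'
    '"EventData":{"TargetUserName":"admin","IpAddress":"10.0.0.7","LogonType":3}}}',
    '{"Event":{"System":{"EventID":4625},'
    '"EventData":{"TargetUserName":"svc_backup","IpAddress":"10.0.0.7","LogonType":3}}}',
    '{"Event":{"System":{"EventID":4769},"EventData":{"TargetUserName":"john@CORP.LOCAL",'
    '"ServiceName":"DC01$","IpAddress":"::ffff:192.168.1.1"}}}',
]

def lookup(event, *path):
    """Walk nested keys; return None when one is missing (serde_json's index yields Null)."""
    node = event
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def event_id(event):
    """Return EventID as an int whether it is a bare number, a numeric string
    or the {"#attributes": ..., "#text": ...} object form."""
    raw = lookup(event, "Event", "System", "EventID")
    if isinstance(raw, dict):
        raw = raw.get("#text")
    return int(raw) if raw is not None else None

def parse_records(records):
    """Parse each JSON record and pull out the fields the blog post prints."""
    rows = []
    for raw in records:
        event = json.loads(raw)
        rows.append({"event_id": event_id(event),
                     "ip": lookup(event, "Event", "EventData", "IpAddress"),
                     "service": lookup(event, "Event", "EventData", "ServiceName"),
                     "user": lookup(event, "Event", "EventData", "TargetUserName")})
    return rows

def failed_logons_by_source(rows):
    """Count 4625 (logon failure) records per source address: a first step
    towards noticing a host that keeps failing to authenticate."""
    return Counter(r["ip"] for r in rows if r["event_id"] == 4625 and r["ip"])
```

On a real export, feed the strings returned by the Rust loop's record.data (or by any EVTX-to-JSON tool) into parse_records instead of SAMPLE_RECORDS.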

Note: I hope our blogs help you to enhance your learning. I'll post more blogs on Rust. Stay tuned.

If you want to read more content like this, subscribe to the Rust Times Newsletter and receive insights and the latest updates bi-weekly, straight into your inbox. Subscribe to the Rust Times Newsletter: https://bit.ly/2Vdlld7

Happy learning!!!


Written by 

Pankaj Chaudhary is a Software Consultant at Knoldus LLP. He has 1.5+ years of experience and good knowledge of Rust, Python, Java and C. He now works as a Rust developer and also works on machine learning and data analysis, because he loves to play with data and extract useful information from it. His hobbies are bike riding and exploring new places.