您好,登录后才能下订单哦!
密码登录
登录注册
点击 登录注册 即表示同意《亿速云用户服务条款》
因工作需求开启文件系统审核,因Windows日志管理器并不方便筛选查阅,所以使用powershell方法进行筛选。
存在问题
主要目标
PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4660]]"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/22/2018 10:01:37 AM 4660 Information An object was deleted....
5/22/2018 9:03:11 AM 4660 Information An object was deleted....PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/22/2018 10:01:37 AM 4663 Information An attempt was made to access an object....
5/22/2018 9:03:11 AM 4663 Information An attempt was made to access an object....PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']] and *[EventData[Data[@Name='SubjectUserName']='lxy']]"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/22/2018 9:03:11 AM 4663 Information An attempt was made to access an object....PS C:\Windows\system32> $AccessMask='0x10000'
PS C:\Windows\system32> $UserName='lxy'
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='$AccessMask']] and *[EventData[Data[@Name='SubjectUserName']='$UserName']]"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/22/2018 9:03:11 AM 4663 Information An attempt was made to access an object....PS C:\Users\F2844290> Get-WinEvent -Path 'C:\Users\F2844290\Desktop\SaveSec.evtx' -FilterXPath "*[EventData[Data[@Name='
AccessMask']='0x10000']]"PS C:\Windows\system32> $AccessMask='0x10000'PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[TimeCreated[timediff(@SystemTime) < 600000]]]"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/22/2018 4:11:30 PM 4663 Information An attempt was made to access an object....
5/22/2018 4:11:30 PM 4663 Information An attempt was made to access an object....
5/22/2018 4:11:30 PM 4663 Information An attempt was made to access an object....
5/22/2018 4:11:30 PM 4663 Information An attempt was made to access an object....若有语法不明之处,可参考日志管理器中筛选当前日志的XML方法。
Get-ChildItem E:\FileLog\Archive-Security-* | Where-Object {
if(( (get-date) - $_.CreationTime).TotalDays -gt 60 ){
Remove-Item $_.FullName -Force
Write-Output "$(Get-Date -UFormat "%Y/%m%d")`t$_.Name" >>D:\RoMove-Archive-Logs.txt
}
}Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/22/2018 9:03:11 AM
Event ID: 4663
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: IDX-ST-05
Description:
An attempt was made to access an object.
Subject:
Security ID: IDX-ST-05\lxy
Account Name: lxy
Account Domain: IDX-ST-05
Logon ID: 0x2ed3b8
Object:
Object Server: Security
Object Type: File
Object Name: C:\Data\net.txt
Handle ID: 0x444
Process Information:
Process ID: 0x4
Process Name:
Access Request Information:
Accesses: DELETE
Access Mask: 0x10000
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2018-05-22T01:03:11.876720000Z" />
<EventRecordID>1514</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="72" />
<Channel>Security</Channel>
<Computer>IDX-ST-05</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-1815651738-4066643265-3072818021-1004</Data>
<Data Name="SubjectUserName">lxy</Data>
<Data Name="SubjectDomainName">IDX-ST-05</Data>
<Data Name="SubjectLogonId">0x2ed3b8</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Data\net.txt</Data>
<Data Name="HandleId">0x444</Data>
<Data Name="AccessList">%%1537
</Data>
<Data Name="AccessMask">0x10000</Data>
<Data Name="ProcessId">0x4</Data>
<Data Name="ProcessName">
</Data>
</EventData>
</Event>File Read
Accesses: ReadData (or ListDirectory)
AccessMask: 0x1
File Write
Accesses: WriteData (or AddFile)
AccessMask: 0x2
File Delete
Accesses: DELETE
AccessMask: 0x10000
File Rename
Accesses: DELETE
AccessMask: 0x10000
File Copy
Accesses: ReadData (or ListDirectory)
AccessMask: 0x1
File Permissions Change
Accesses: WRITE_DAC
AccessMask: 0x40000
File Ownership Change
Accesses: WRITE_OWNER
AccessMask: 0x80000免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。