Windows日志筛选

发布时间:2020-07-30 12:38:25 作者:ikulin
来源:网络 阅读:2180

Windows日志筛选

因工作需求开启文件系统审核,因Windows日志管理器并不方便筛选查阅,所以使用powershell方法进行筛选。

一、需求分析

二、文件审核设置

2.1 开启文件系统审核功能

  1. secpol.msc
  2. Advanced Audit Policy Configuration
  3. Object Access
  4. Audit File System
    • [x] Configure the following audit events:
    • [x] Success
    • [x] Failure

2.2 建立共享文件夹

  1. Folder Properties
  2. Sharing
  3. Choose people to share with
  4. Everyone

2.3 设置文件夹审核的用户组

  1. Folder Properties
  2. Security
  3. Advanced
  4. Auditing
  5. Add user

2.4 设置日志路径及大小

  1. Event Viewer
  2. Windows Logs
  3. Security
  4. Log Properties
  5. Log Path: E:\FileLog\Security.evtx
  6. Maximum log size(KB): 512000
    • [x] Archive the log when full,do not overwrite events

三、方法

PS C:\Windows\system32>  Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4660]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 10:01:37 AM         4660 Information      An object was deleted....
5/22/2018 9:03:11 AM          4660 Information      An object was deleted....
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 10:01:37 AM         4663 Information      An attempt was made to access an object....
5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']] and *[EventData[Data[@Name='SubjectUserName']='lxy']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
PS C:\Windows\system32> $AccessMask='0x10000'
PS C:\Windows\system32> $UserName='lxy'
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='$AccessMask']] and *[EventData[Data[@Name='SubjectUserName']='$UserName']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
PS C:\Users\F2844290> Get-WinEvent -Path 'C:\Users\F2844290\Desktop\SaveSec.evtx' -FilterXPath "*[EventData[Data[@Name='
AccessMask']='0x10000']]"PS C:\Windows\system32> $AccessMask='0x10000'
PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[TimeCreated[timediff(@SystemTime) < 600000]]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....

若有语法不明之处,可参考日志管理器中筛选当前日志的XML方法。

Get-ChildItem E:\FileLog\Archive-Security-* | Where-Object  {

if(( (get-date) -  $_.CreationTime).TotalDays -gt 60 ){

Remove-Item $_.FullName -Force
Write-Output "$(Get-Date -UFormat "%Y/%m%d")`t$_.Name" >>D:\RoMove-Archive-Logs.txt

} 
}

四、其它文件

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/22/2018 9:03:11 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      IDX-ST-05
Description:
An attempt was made to access an object.

Subject:
    Security ID:        IDX-ST-05\lxy
    Account Name:       lxy
    Account Domain:     IDX-ST-05
    Logon ID:       0x2ed3b8

Object:
    Object Server:  Security
    Object Type:    File
    Object Name:    C:\Data\net.txt
    Handle ID:  0x444

Process Information:
    Process ID: 0x4
    Process Name:   

Access Request Information:
    Accesses:   DELETE

    Access Mask:    0x10000
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4663</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-05-22T01:03:11.876720000Z" />
    <EventRecordID>1514</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="72" />
    <Channel>Security</Channel>
    <Computer>IDX-ST-05</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1815651738-4066643265-3072818021-1004</Data>
    <Data Name="SubjectUserName">lxy</Data>
    <Data Name="SubjectDomainName">IDX-ST-05</Data>
    <Data Name="SubjectLogonId">0x2ed3b8</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Data\net.txt</Data>
    <Data Name="HandleId">0x444</Data>
    <Data Name="AccessList">%%1537
                </Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="ProcessId">0x4</Data>
    <Data Name="ProcessName">
    </Data>
  </EventData>
</Event>
File Read
Accesses: ReadData (or ListDirectory)
AccessMask: 0x1

File Write
Accesses: WriteData (or AddFile)
AccessMask: 0x2

File Delete
Accesses: DELETE
AccessMask: 0x10000

File Rename
Accesses: DELETE
AccessMask: 0x10000

File Copy
Accesses: ReadData (or ListDirectory)
AccessMask: 0x1

File Permissions Change
Accesses: WRITE_DAC
AccessMask: 0x40000

File Ownership Change
Accesses: WRITE_OWNER
AccessMask: 0x80000
推荐阅读:
  1. Windows 系统日志ID分析
  2. 使用rsync备份Windows事件日志

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

get-winevent dow %d

上一篇:内建函数的使用

下一篇:CentOS7上快速搭建FTP服务器,基于本地用户访问

相关阅读

您好,登录后才能下订单哦!

密码登录
登录注册
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》