Windows日志筛选
Windows日志筛选
因工作需求开启文件系统审核,因Windows日志管理器并不方便筛选查阅,所以使用powershell方法进行筛选。
创新互联公司是一家以网络技术公司,为中小企业提供网站维护、网站设计制作、成都网站设计、网站备案、服务器租用、空间域名、软件开发、微信小程序等企业互联网相关业务,是一家有着丰富的互联网运营推广经验的科技公司,有着多年的网站建站经验,致力于帮助中小企业在互联网让打出自已的品牌和口碑,让企业在互联网上打开一个面向全国乃至全球的业务窗口:建站服务电话:13518219792
一、需求分析
存在问题
- 日志量巨大(每天约1G)
- 日志管理器查询日志不便
主要目标
- 启用文件系统审核
- 快捷查询用户的删除操作
- 解决方案
- 采用轮替方式归档日志(500MB)
- 日志存放60天(可用脚本删除超过期限日志档案)
- 使用Get-WinEvent中的FilterXPath过日志进行筛选,格式打印
- 删除操作码为0x10000,可对其进行筛选
二、文件审核设置
2.1 开启文件系统审核功能
- secpol.msc
- Advanced Audit Policy Configuration
- Object Access
- Audit File System
- [x] Configure the following audit events:
- [x] Success
- [x] Failure
2.2 建立共享文件夹
- Folder Properties
- Sharing
- Choose people to share with
- Everyone
2.3 设置文件夹审核的用户组
- Folder Properties
- Security
- Advanced
- Auditing
- Add user
2.4 设置日志路径及大小
- Event Viewer
- Windows Logs
- Security
- Log Properties
- Log Path: E:\FileLog\Security.evtx
- Maximum log size(KB): 512000
-
- [x] Archive the log when full,do not overwrite events
三、方法
- 筛选事件ID为4460日志
PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4660]]"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/22/2018 10:01:37 AM 4660 Information An object was deleted....
5/22/2018 9:03:11 AM 4660 Information An object was deleted....
- 筛选文件删除日志
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/22/2018 10:01:37 AM 4663 Information An attempt was made to access an object....
5/22/2018 9:03:11 AM 4663 Information An attempt was made to access an object....
- 筛选指定用户文件删除日志
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']] and *[EventData[Data[@Name='SubjectUserName']='lxy']]"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/22/2018 9:03:11 AM 4663 Information An attempt was made to access an object....
- 以变量方式筛选指定用户文件删除日志
PS C:\Windows\system32> $AccessMask='0x10000'
PS C:\Windows\system32> $UserName='lxy'
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='$AccessMask']] and *[EventData[Data[@Name='SubjectUserName']='$UserName']]"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/22/2018 9:03:11 AM 4663 Information An attempt was made to access an object....
- 从保存的文件筛选文件删除日志
PS C:\Users\F2844290> Get-WinEvent -Path 'C:\Users\F2844290\Desktop\SaveSec.evtx' -FilterXPath "*[EventData[Data[@Name='
AccessMask']='0x10000']]"PS C:\Windows\system32> $AccessMask='0x10000'
- 筛选10分钟内发生的安全性日志
XML中时间计算单位为ms,10minute=60 10 1000=600000
PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[TimeCreated[timediff(@SystemTime) < 600000]]]"
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/22/2018 4:11:30 PM 4663 Information An attempt was made to access an object....
5/22/2018 4:11:30 PM 4663 Information An attempt was made to access an object....
5/22/2018 4:11:30 PM 4663 Information An attempt was made to access an object....
5/22/2018 4:11:30 PM 4663 Information An attempt was made to access an object....
- 其它筛选方法
若有语法不明之处,可参考日志管理器中筛选当前日志的XML方法。
- 删除超过60天的存档日志并记录
Get-ChildItem E:\FileLog\Archive-Security-* | Where-Object {
if(( (get-date) - $_.CreationTime).TotalDays -gt 60 ){
Remove-Item $_.FullName -Force
Write-Output "$(Get-Date -UFormat "%Y/%m%d")`t$_.Name" >>D:\RoMove-Archive-Logs.txt
}
}
四、其它文件
- 文件删除日志结构
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/22/2018 9:03:11 AM
Event ID: 4663
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: IDX-ST-05
Description:
An attempt was made to access an object.
Subject:
Security ID: IDX-ST-05\lxy
Account Name: lxy
Account Domain: IDX-ST-05
Logon ID: 0x2ed3b8
Object:
Object Server: Security
Object Type: File
Object Name: C:\Data\net.txt
Handle ID: 0x444
Process Information:
Process ID: 0x4
Process Name:
Access Request Information:
Accesses: DELETE
Access Mask: 0x10000
Event Xml:
4663
0
0
12800
0
0x8020000000000000
1514
Security
IDX-ST-05
S-1-5-21-1815651738-4066643265-3072818021-1004
lxy
IDX-ST-05
0x2ed3b8
Security
File
C:\Data\net.txt
0x444
%%1537
0x10000
0x4
- 文件操作码表
File Read
Accesses: ReadData (or ListDirectory)
AccessMask: 0x1
File Write
Accesses: WriteData (or AddFile)
AccessMask: 0x2
File Delete
Accesses: DELETE
AccessMask: 0x10000
File Rename
Accesses: DELETE
AccessMask: 0x10000
File Copy
Accesses: ReadData (or ListDirectory)
AccessMask: 0x1
File Permissions Change
Accesses: WRITE_DAC
AccessMask: 0x40000
File Ownership Change
Accesses: WRITE_OWNER
AccessMask: 0x80000
名称栏目:Windows日志筛选
链接分享:http://ybzwz.com/article/isjdjh.html