Using the Windows Security Log Analysis Tool LogParser
Introduction to LogParser
First, let's look at the LogParser architecture diagram. Becoming familiar with it is of great benefit in understanding and using LogParser.
In short, our input sources (logs in many formats) are processed by SQL statements (run by a SQL engine) and written out in the format we want.
1. Input source
This shows the basic processing logic. First, each input source has a fixed format, such as EVT (Event Log) or REG (Registry), and for each input source the set of fields it provides is fixed. You can list them with LogParser -h -i:EVT (here we use EVT as an example):
Some optional parameters are also listed; they control the query at run time. What we need to focus on, however, are the fields contained in a given log type, since these are what the SQL queries match against:
For the detailed meaning of each field, refer to the reference section of LogParser's built-in documentation. Here we take EVT (Event Log) as an example:
2. Output source
The output can take many formats: text (CSV, etc.), a database table, or a chart. Custom output files can also be produced from a template (TPL) to suit your own needs.
Basic query structure
After learning about the input and output sources, let's look at a basic query structure.
LogParser.exe -i:EVT -o:DATAGRID "SELECT * FROM E:\logparser\xx.evtx"
This is a basic query. The input format is EVT (Event Log), the output format is DATAGRID (a grid), and the SQL statement selects all fields of E:\logparser\xx.evtx, which are displayed as a grid:
By now it should be clear that for Windows security log analysis we only need to retrieve the key fields used for judgment or comparison, and with them we can extract the information we want from the huge Windows security log.
Windows Security Log Analysis
For Windows security log analysis, we take out the values we care about according to our own analysis needs, and then run statistics, matching, and comparison on them to obtain information efficiently. Here we use the Event ID of Windows security log entries to quickly retrieve the information we care about. Different Event IDs have different meanings, which can easily be looked up online; the ones we commonly use are listed here.
With this, we can analyze Windows logs. For example, when analyzing domain controller logs, we want to find logons where the account name was correct but the password was wrong, and for each we need the source IP address, time, and user name. We can write the following (and of course we can also combine it with statistical functions, grouping, and so on):
LogParser.exe -i:EVT "SELECT TimeGenerated, EXTRACT_TOKEN(Strings, 0, '|') AS UserName, EXTRACT_TOKEN(Strings, 2, '|') AS Service_Name, EXTRACT_TOKEN(Strings, 5, '|') AS Client_IP FROM 'E:\logparser\xx.evtx' WHERE EventID = 675"
The query result is as follows:
To collect statistics on a specific IP address, we can write the following (output defaults to NAT):
LogParser.exe -i:EVT "SELECT TimeGenerated, EXTRACT_TOKEN(Strings, 0, '|') AS UserName, EXTRACT_TOKEN(Strings, 2, '|') AS Service_Name, EXTRACT_TOKEN(Strings, 5, '|') AS Client_IP FROM 'E:\logparser\xx.evtx' WHERE EventID = 675 AND EXTRACT_TOKEN(Strings, 5, '|') = 'x.x.x.x'"
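Building on the per-IP filter above, here is an added example (not from the original post) that turns the same EventID 675 query into a per-hour statistic: failures grouped by client address and account, keeping only the pairs that reach a threshold passed in as a parameter. The file name preauth_stats.sql and the parameter name min are assumed; the token positions are the ones the post uses for EventID 675.

```sql
-- Added example, not part of the original post.
-- Save as E:\logparser\preauth_stats.sql (assumed name) and run with:
--   LogParser.exe -i:EVT -o:DATAGRID file:E:\logparser\preauth_stats.sql?min=10
-- Counts Kerberos pre-authentication failures (EventID 675) per hour, per
-- client address and account, and keeps only the noisy pairs. Token positions
-- (0 = user name, 5 = client address) are the 675 layout used on this page;
-- other event IDs lay out the Strings field differently, so check the event's
-- own insertion strings before reusing the indexes.
SELECT
    QUANTIZE(TimeGenerated, 3600)   AS Hour,
    EXTRACT_TOKEN(Strings, 5, '|')  AS Client_IP,
    EXTRACT_TOKEN(Strings, 0, '|')  AS UserName,
    COUNT(*)                        AS Failures,
    MIN(TimeGenerated)              AS FirstSeen,
    MAX(TimeGenerated)              AS LastSeen
FROM 'E:\logparser\xx.evtx'
WHERE EventID = 675
GROUP BY Hour, Client_IP, UserName
HAVING COUNT(*) >= %min%
ORDER BY Failures DESC
```

A single address with many failures against one account points at password guessing; a single address spread across many accounts in the same hour is the pattern to look at for password spraying, which the same grouping makes visible when you sort by Client_IP.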
Or save the query as a SQL file:
SELECT TimeGenerated, EXTRACT_TOKEN(Strings, 0, '|') AS UserName, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 13, '|') AS SourceIP, EXTRACT_TOKEN(Strings, 14, '|') AS SourcePort FROM 'E:\logparser\xx.evtx' WHERE EXTRACT_TOKEN(Strings, 13, '|') = '%ip%'
Then call it with:
LogParser.exe file:E:\logparser\ipCheck.sql?ip=x.x.x.x -i:EVT -o:NAT
The query result is:
Isn't that clear? Locate the abnormal IP address from specific logon events, together with its connection activity during the abnormal period.
We can also choose other output formats for log analysis and statistics. All of the above is done from the command line; for friends who prefer a graphical interface, there is a choice too! Here we can use Log Parser Lizard. In the GUI environment Log Parser Lizard is easy to use and you don't even need to remember complicated commands: set up the query and write the basic SQL statement, and you get the results directly. Here we first show how to select the query type.
Here we select Windows Event Log and enter the query statement:
For example:
SELECT TimeGenerated, EXTRACT_TOKEN(Strings, 0, '|') AS UserName, EXTRACT_TOKEN(Strings, 2, '|') AS Service_Name, EXTRACT_TOKEN(Strings, 5, '|') AS Client_IP FROM 'E:\logparser\xx.evtx' WHERE EventID = 675 AND EXTRACT_TOKEN(Strings, 5, '|') = 'x.x.x.x'
The query result is as follows (several output formats are available):
You can try other functions ~
Summary
This has been a brief introduction, with some examples, to using LogParser for Windows security log analysis. LogParser is powerful and can analyze many types of logs, and combined with the commercial version of Log Parser Lizard you can build attractive custom reports, graphical statistics, and more. The other functions are left for you to explore ~