Windows Security Log Analysis-logparser


0x01 Preface

At work, and especially during incident response, security events involving the compromise of a Windows domain controller usually require analysis of the Windows security log, which is often very large. Analyzing the Windows security log efficiently and extracting the information we actually need therefore becomes especially important. Here we recommend a commonly used Windows log analysis tool, Log Parser; the current version is 2.2.

0x02 Introduction to Log Parser

First, let's look at the Log Parser architecture diagram. Becoming familiar with this diagram helps a great deal in understanding and using Log Parser.

In short, our input sources (logs in many formats) are processed by SQL statements (through the SQL engine) and written out in whatever output format we want.

1. Input source

This shows the basic processing logic: each input source has a fixed format, such as EVT (event log) or Registry (the Windows registry), and each input source exposes a fixed set of fields. You can list them with logparser -h -i:EVT (here we use EVT as the example):

This also lists the optional parameters that control the query and its results; however, what we need to focus on is the set of fields contained in a given log type's structure (these are the fields we match on in SQL queries):

The detailed meaning of each field can be found in the Reference section of Log Parser's built-in documentation. Here we again take EVT (event log) as the example:

2. Output source

The output can take many formats: text (CSV, etc.), a database table, or a chart. Custom output files can also be produced from a template (TPL) to suit your own needs.

0x03 Basic query structure

After learning about the input and output sources, let's look at a basic query structure.

LogParser.exe -i:EVT -o:DATAGRID "SELECT * FROM E:\logparser\xx.evtx"

This is a basic query: the input format is EVT (event log), the output format is DATAGRID (a grid), and the SQL statement selects all fields from E:\logparser\xx.evtx and displays them as a grid:

By now you will have understood that, for Windows security log analysis, we only need to retrieve the key fields used for judgment or comparison in order to extract the information we want from a huge Windows security log.

0x04 Windows security log analysis

For Windows security log analysis, we take out the values we care about according to our own analysis needs, then perform statistics, matching, and comparison to obtain information efficiently. Here we use the event ID of Windows security log entries to quickly retrieve the information we care about. Different event IDs have different meanings, which are easy to look up online; the following are the ones we usually use.

With this we can analyze Windows logs. For example, when analyzing domain controller logs we may want to query logon attempts where the account name was correct but the password was wrong, and we need the source IP address, the time, and the user name. We can write it like this (statistical functions, grouping, and so on can of course also be combined):

LogParser.exe -i:EVT "SELECT TimeGenerated, EXTRACT_TOKEN(Strings, 0, '|') AS UserName, EXTRACT_TOKEN(Strings, 2, '|') AS Service_Name, EXTRACT_TOKEN(Strings, 5, '|') AS Client_IP FROM 'E:\logparser\xx.evtx' WHERE EventID = 675"

The query result is as follows:

To collect statistics on a specific IP address, we can write the statement like this (the output format defaults to NAT):

LogParser.exe -i:EVT "SELECT TimeGenerated, EXTRACT_TOKEN(Strings, 0, '|') AS UserName, EXTRACT_TOKEN(Strings, 2, '|') AS Service_Name, EXTRACT_TOKEN(Strings, 5, '|') AS Client_IP FROM 'E:\logparser\xx.evtx' WHERE EventID = 675 AND EXTRACT_TOKEN(Strings, 5, '|') = 'x.x.x.x'"

Or save the query as a SQL file:

SELECT TimeGenerated, EXTRACT_TOKEN(Strings, 0, '|') AS UserName, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 13, '|') AS SourceIP, EXTRACT_TOKEN(Strings, 14, '|') AS SourcePort FROM 'E:\logparser\xx.evtx' WHERE EXTRACT_TOKEN(Strings, 13, '|') = '%ip%'

Then call it with:

LogParser.exe file:E:\logparser\ipCheck.sql?ip=x.x.x.x -i:EVT -o:NAT

The query result is:

Is that clear? In this way we can locate an abnormal IP address from specific logon events and from the connection activity during the period of the anomaly.
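The article mentions combining statistical functions and grouping with these queries and shows the parameterized .sql file pattern above; the following added example (not from the original article) puts the two together. It uses the same Strings token positions the article uses for event 675 (0 = user name, 5 = client IP); the file name, the parameter names %evtx% and %minCount%, and the threshold are assumptions.

```sql
-- failedPreauthByIP.sql (added example, not from the original article)
-- Counts event 675 records per client IP and user name, keeps only the
-- noisy pairs, and shows when each one started and stopped.
-- Parameters (assumed names): %evtx% = path to the exported log,
--                             %minCount% = minimum failures to report.
-- Invocation (hypothetical paths; Log Parser separates parameters with +):
--   LogParser.exe file:E:\logparser\failedPreauthByIP.sql?evtx=E:\logparser\xx.evtx+minCount=10 -i:EVT -o:DATAGRID
SELECT
    EXTRACT_TOKEN(Strings, 5, '|') AS Client_IP,
    EXTRACT_TOKEN(Strings, 0, '|') AS UserName,
    COUNT(*)                       AS Failures,
    MIN(TimeGenerated)             AS FirstSeen,
    MAX(TimeGenerated)             AS LastSeen
FROM '%evtx%'
WHERE EventID = 675
GROUP BY Client_IP, UserName
HAVING COUNT(*) >= %minCount%
ORDER BY Failures DESC
```

A single source IP with many distinct user names, or one user name with a burst of failures inside a short FirstSeen/LastSeen window, is the pattern worth following up in the full event list.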

We can also choose other output formats for log analysis and statistics. All the operations above are done on the command line; for those who prefer a graphical interface there is also a choice: Log Parser Lizard. In the GUI environment, Log Parser Lizard is easy to use and does not even require remembering complicated commands; you only need to set up and write basic SQL statements to get results intuitively. Here we first show how to select the query type.

Here we select Windows event log and enter the query statement, for example:

SELECT TimeGenerated, EXTRACT_TOKEN(Strings, 0, '|') AS UserName, EXTRACT_TOKEN(Strings, 2, '|') AS Service_Name, EXTRACT_TOKEN(Strings, 5, '|') AS Client_IP FROM 'E:\logparser\xx.evtx' WHERE EventID = 675 AND EXTRACT_TOKEN(Strings, 5, '|') = 'x.x.x.x'

The query result is shown below (several output formats are available):

You can try the other functions as well.

0x05 Summary

This has briefly introduced some examples of using Log Parser for Windows security log analysis. Log Parser is powerful and can analyze many types of logs; combined with the commercial version of Log Parser Lizard, you can build many attractive report presentations, graphical statistics, and other features. The remaining functions are left for you to explore.
