Tags: Get-WinEvent

Windows log filtering

File system auditing had to be enabled for a work requirement. Because Event Viewer is inconvenient for filtering and reviewing the resulting entries, PowerShell is used to do the filtering instead.
1. Requirements analysis

Problems
- Log volume is huge (about 1 GB per day)
- Querying logs in Event Viewer is inconvenient

Main goals
- Enable file system auditing
- Quickly look up a user's delete operations

Solution
- Archive logs by rotation (500 MB per file)
- Keep logs for 60 days (a script can delete log files that are past the retention period)
- Filter the log with the FilterXPath parameter of Get-WinEvent and print the result in a formatted way
- Delete operations carry the access mask 0x10000, which can be filtered on
2. File audit settings

2.1 Enable file system auditing
- secpol.msc
- Advanced Audit Policy Configuration
- Object Access
- Audit File System
- [x] Configure the following audit events:
- [x] Success
- [x] Failure
2.2 Create the shared folder
- Folder Properties
- Sharing
- Choose people to share with
- Everyone

2.3 Set the user group to audit on the folder
- Folder Properties
- Security
- Advanced
- Auditing
- Add user
3. Method
```powershell
PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4660]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated             Id LevelDisplayName Message
-----------             -- ---------------- -------
5/22/2018 10:01:37 AM 4660 Information      An object was deleted....
5/22/2018 9:03:11 AM  4660 Information      An object was deleted....
```

```powershell
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated             Id LevelDisplayName Message
-----------             -- ---------------- -------
5/22/2018 10:01:37 AM 4663 Information      An attempt was made to access an object....
5/22/2018 9:03:11 AM  4663 Information      An attempt was made to access an object....
```

```powershell
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']] and *[EventData[Data[@Name='SubjectUserName']='lxy']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated             Id LevelDisplayName Message
-----------             -- ---------------- -------
5/22/2018 9:03:11 AM  4663 Information      An attempt was made to access an object....
```

```powershell
PS C:\Windows\system32> $AccessMask='0x10000'
PS C:\Windows\system32> $UserName='lxy'
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='$AccessMask']] and *[EventData[Data[@Name='SubjectUserName']='$UserName']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated             Id LevelDisplayName Message
-----------             -- ---------------- -------
5/22/2018 9:03:11 AM  4663 Information      An attempt was made to access an object....
```

```powershell
PS C:\Users\F2844290> Get-WinEvent -Path 'C:\Users\F2844290\Desktop\SaveSec.evtx' -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"
```
- Filter security events that occurred within the last 10 minutes

In the XML the time unit is milliseconds, so 10 minutes = 60 * 10 * 1000 = 600000.

```powershell
PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[TimeCreated[timediff(@SystemTime) < 600000]]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated             Id LevelDisplayName Message
-----------             -- ---------------- -------
5/22/2018 4:11:30 PM  4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM  4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM  4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM  4663 Information      An attempt was made to access an object....
```
If the syntax is unclear, refer to the XML view of the current filter in Event Viewer (Filter Current Log, XML tab).

4. Reference material
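Putting the pieces above together, the following is an added example (not code from the original post): a function that builds the FilterXPath from parameters, queries the live Security log and optionally a folder of rotated .evtx archives, and prints the fields an investigator actually wants by reading them from each event's XML rather than from the Message text. The archive folder path is a placeholder and the function name is my own.

```powershell
# Added example, not from the original post. Lists file-delete audit events
# (Event ID 4663 with AccessMask 0x10000, which the post shows is DELETE for
# both delete and rename) as structured objects instead of raw Message text.
function Get-FileDeleteEvents {
    [CmdletBinding()]
    param(
        [string]$UserName,      # optional SubjectUserName filter
        [int]$Minutes = 10,     # look-back window; 0 disables the time filter (use for old archives)
        [string]$ArchivePath    # optional folder of rotated .evtx files (placeholder path)
    )

    # Build the XPath step by step. timediff() works in milliseconds and is
    # relative to the time of the query, so it only makes sense for recent data.
    $xpath = "*[System[EventID=4663]] and *[EventData[Data[@Name='AccessMask']='0x10000']]"
    if ($Minutes -gt 0) {
        $windowMs = $Minutes * 60 * 1000
        $xpath += " and *[System[TimeCreated[timediff(@SystemTime) < $windowMs]]]"
    }
    if ($UserName) {
        $xpath += " and *[EventData[Data[@Name='SubjectUserName']='$UserName']]"
    }

    # Get-WinEvent raises "No events were found" when nothing matches;
    # SilentlyContinue turns that into an empty result instead of an error.
    $events = @(Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue)
    if ($ArchivePath -and (Test-Path $ArchivePath)) {
        Get-ChildItem -Path $ArchivePath -Filter '*.evtx' | ForEach-Object {
            $events += @(Get-WinEvent -Path $_.FullName -FilterXPath $xpath -ErrorAction SilentlyContinue)
        }
    }

    foreach ($e in $events) {
        # Read the named EventData fields out of the event XML (see the sample record below)
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object     = $data['ObjectName']
            Process    = $data['ProcessName']
            AccessMask = $data['AccessMask']
            Computer   = $e.MachineName
        }
    }
}

# Usage: deletions by user 'lxy' in the last 60 minutes, formatted as a table
Get-FileDeleteEvents -UserName 'lxy' -Minutes 60 | Format-Table -AutoSize
```

Point -ArchivePath at the rotation folder with -Minutes 0 to search the archived files, since timediff() measured from "now" would exclude everything in an old archive.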
Sample event record for a file deletion (from Event Viewer):

```text
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/22/2018 9:03:11 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      IDX-ST-05
Description:
An attempt was made to access an object.

Subject:
    Security ID:    IDX-ST-05\lxy
    Account Name:   lxy
    Account Domain: IDX-ST-05
    Logon ID:       0x2ed3b8

Object:
    Object Server:  Security
    Object Type:    File
    Object Name:    C:\Data\net.txt
    Handle ID:      0x444

Process Information:
    Process ID:     0x4
    Process Name:

Access Request Information:
    Accesses:       DELETE
    Access Mask:    0x10000
```

Event XML:

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4663</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-05-22T01:03:11.876720000Z" />
    <EventRecordID>1514</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="72" />
    <Channel>Security</Channel>
    <Computer>IDX-ST-05</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1815651738-4066643265-3072818021-1004</Data>
    <Data Name="SubjectUserName">lxy</Data>
    <Data Name="SubjectDomainName">IDX-ST-05</Data>
    <Data Name="SubjectLogonId">0x2ed3b8</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Data\net.txt</Data>
    <Data Name="HandleId">0x444</Data>
    <Data Name="AccessList">%%1537 </Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="ProcessId">0x4</Data>
    <Data Name="ProcessName"> </Data>
  </EventData>
</Event>
```
Common file operations and the Accesses / AccessMask values they produce:

| Operation               | Accesses                    | AccessMask |
|-------------------------|-----------------------------|------------|
| File Read               | ReadData (or ListDirectory) | 0x1        |
| File Write              | WriteData (or AddFile)      | 0x2        |
| File Delete             | DELETE                      | 0x10000    |
| File Rename             | DELETE                      | 0x10000    |
| File Copy               | ReadData (or ListDirectory) | 0x1        |
| File Permissions Change | WRITE_DAC                   | 0x40000    |
| File Ownership Change   | WRITE_OWNER                 | 0x80000    |