Windows Log Filtering

Source: Internet
Uploader: User

Tags: Get-WinEvent


File system auditing was enabled for a work requirement. Because Event Viewer (the Windows log manager) is awkward for filtering and reviewing this log, PowerShell is used to do the filtering instead.

1. Requirements analysis
  • Problems

    1. The log volume is huge (about 1 GB per day)
    2. Searching the log in Event Viewer is inconvenient
  • Main goals

    1. Enable file system auditing
    2. Quickly look up users' delete operations
  • Solution
    1. Archive the log by rotation (500 MB per file)
    2. Keep logs for 60 days (a script can delete archived log files that are past the retention period)
    3. Use the FilterXPath parameter of Get-WinEvent to filter the log and print the result in a readable format
    4. The delete operation's access mask is 0x10000, which can be used as a filter
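Solution items 1 and 2 (rotate the Security log at 500 MB, keep 60 days of archives) can both be done from an elevated PowerShell prompt. The script below is an added example, not code from the original page; the archive folder, the function name and the use of LastWriteTime as the age of an archive are assumptions.

```powershell
# Added example (not from the original page): make the Security log archive itself
# at 500 MB and prune archived copies older than 60 days.
# Run from an elevated prompt. $ArchiveDir and Remove-ExpiredSecurityArchive are assumptions.

$LogName       = 'Security'
$MaxSizeBytes  = 500MB                   # PowerShell expands 500MB to 524288000
$RetentionDays = 60
$ArchiveDir    = Join-Path $env:SystemRoot 'System32\winevt\Logs'

# 1. Rotation: /rt:true keeps events instead of overwriting them and /ab:true archives
#    the log when it is full (Event Viewer's "Archive the log when full, do not
#    overwrite events"). Archives land in $ArchiveDir as Archive-Security-<timestamp>.evtx.
wevtutil set-log $LogName "/ms:$MaxSizeBytes" /rt:true /ab:true

# Read the settings back so the change can be verified.
wevtutil get-log $LogName

# 2. Retention: delete archived Security logs older than $RetentionDays.
function Remove-ExpiredSecurityArchive {
    param(
        [string]$Directory = $ArchiveDir,
        [int]$Days = $RetentionDays,
        [switch]$WhatIf
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Directory -Filter "Archive-$LogName-*.evtx" -File |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            Write-Host ("Removing {0} (last written {1:yyyy-MM-dd})" -f $_.Name, $_.LastWriteTime)
            Remove-Item -LiteralPath $_.FullName -WhatIf:$WhatIf
        }
}

# Dry run first; drop -WhatIf for the real cleanup, e.g. from a daily scheduled task.
Remove-ExpiredSecurityArchive -WhatIf
```

Archiving rather than overwriting is what makes the 60-day retention meaningful: with "overwrite as needed" the 500 MB limit would silently discard events that are less than a day old at the volume the page describes.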
2. File audit configuration
2.1 Enable the file system audit feature
  1. secpol.msc
  2. Advanced Audit Policy Configuration
  3. Object Access
  4. Audit File System
    • [x] Configure the following audit events:
    • [x] Success
    • [x] Failure
2.2 Create a shared folder
  1. Folder Properties
  2. Sharing
  3. Choose people to share with
  4. Everyone
2.3 Configure the user group to audit on the folder
  1. Folder Properties
  2. Security
  3. Advanced
  4. Auditing
  5. Add user
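The three GUI steps in 2.1 to 2.3 can be scripted so the setup is repeatable across servers. The script below is an added example, not code from the original page; the folder C:\Data, the share name Data and the decision to audit only delete rights (instead of everything the GUI "Add user" dialog might select) are assumptions.

```powershell
# Added example (not from the original page): audit policy, share and SACL from PowerShell.
# Run from an elevated prompt. $Path, $ShareName and the audited rights are assumptions.

$Path      = 'C:\Data'
$ShareName = 'Data'

# 2.1 Enable the "File System" subcategory (Advanced Audit Policy Configuration >
#     Object Access > Audit File System) for both Success and Failure.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"     # verify

# 2.2 Create the folder and share it with Everyone (Change, so users can delete files).
if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -ChangeAccess 'Everyone' | Out-Null
}

# 2.3 Add an audit entry (SACL) on the folder. Auditing only Delete and
#     DeleteSubdirectoriesAndFiles keeps the 4663 volume down while still catching
#     deletes and renames (both request DELETE, access mask 0x10000).
$rights = [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -LiteralPath $Path -Audit      # -Audit needs SeSecurityPrivilege (admin)
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Show the resulting SACL.
(Get-Acl -LiteralPath $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
```

Narrowing the SACL to delete rights is a design choice for the "about 1 GB per day" problem in section 1: every audited right that a user exercises produces its own 4663 record, so auditing reads on a busy share is what fills the log fastest.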
3. Method
  • Filter events with Event ID 4660
    PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4660]]"

       ProviderName: Microsoft-Windows-Security-Auditing

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    5/22/2018 10:01:37 AM         4660 Information      An object was deleted....
    5/22/2018 9:03:11 AM          4660 Information      An object was deleted....
  • Filter file deletion events
    PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"

       ProviderName: Microsoft-Windows-Security-Auditing

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    5/22/2018 10:01:37 AM         4663 Information      An attempt was made to access an object....
    5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
  • Filter file deletion events for a specified user
    PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']] and *[EventData[Data[@Name='SubjectUserName']='lxy']]"

       ProviderName: Microsoft-Windows-Security-Auditing

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
  • Filter a specified user's file deletion events using variables
    PS C:\Windows\system32> $AccessMask='0x10000'
    PS C:\Windows\system32> $UserName='lxy'
    PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='$AccessMask']] and *[EventData[Data[@Name='SubjectUserName']='$UserName']]"

       ProviderName: Microsoft-Windows-Security-Auditing

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
  • Filter file deletion events from a saved log file
    PS C:\Users\F2844290> Get-WinEvent -Path 'C:\Users\F2844290\Desktop\SaveSec.evtx' -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"
  • Filter Security events from the last 10 minutes
    timediff() in the XPath is measured in milliseconds: 10 minutes = 60 × 10 × 1000 = 600000
    PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[TimeCreated[timediff(@SystemTime) < 600000]]]"

       ProviderName: Microsoft-Windows-Security-Auditing

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
    5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
    5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
    5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
  • Other

If any of the syntax is unclear, open Filter Current Log in Event Viewer, switch to its XML tab, and use the XPath that Event Viewer generates as a reference.
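The one-liners in section 3 all print the truncated Message column, so the reader still has to open each event to see which file was touched and by whom. The function below is an added example, not code from the original page: it builds the same FilterXPath conditions (AccessMask 0x10000, SubjectUserName, timediff in milliseconds, a saved .evtx as an alternative source), extracts the EventData fields from each record, and can confirm each 4663 DELETE request against the matching 4660 "object was deleted" record. The function name, parameter names and the HandleId + ProcessId join key are assumptions.

```powershell
# Added example (not from the original page). Get-FileDeleteEvent and its parameters are
# assumptions; AccessMask 0x10000, event IDs 4660/4663 and the timediff() unit come from the page.

function Get-FileDeleteEvent {
    [CmdletBinding()]
    param(
        [string]$UserName,                 # e.g. 'lxy'; omit for all users
        [int]$Minutes = 0,                 # 0 = no time limit
        [string]$Path,                     # saved .evtx instead of the live Security log
        [switch]$ConfirmWith4660           # join 4663 to 4660 by HandleId + ProcessId
    )

    # Build the XPath from the conditions the caller asked for.
    $conds = @("*[System[EventID=4663]]",
               "*[EventData[Data[@Name='AccessMask']='0x10000']]")
    if ($UserName) { $conds += "*[EventData[Data[@Name='SubjectUserName']='$UserName']]" }
    $ms = $Minutes * 60 * 1000             # timediff() works in milliseconds
    if ($Minutes -gt 0) { $conds += "*[System[TimeCreated[timediff(@SystemTime) <= $ms]]]" }
    $xpath = $conds -join ' and '
    Write-Verbose "XPath: $xpath"

    $src = if ($Path) { @{ Path = $Path } } else { @{ LogName = 'Security' } }
    # Get-WinEvent raises "No events were found" on an empty result; treat that as empty.
    $events = Get-WinEvent @src -FilterXPath $xpath -ErrorAction SilentlyContinue
    if (-not $events) { Write-Verbose 'no matching events'; return }

    # Read one EventData field out of an event's XML.
    function Get-Field([xml]$x, [string]$name) {
        ($x.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
    }

    # Optional: collect the 4660 records so a DELETE request can be marked as completed.
    # A 4663 with DELETE access is only the request; a rename produces the same record.
    $deleted = @{}
    if ($ConfirmWith4660) {
        $x4660 = "*[System[EventID=4660]]"
        if ($Minutes -gt 0) { $x4660 += " and *[System[TimeCreated[timediff(@SystemTime) <= $ms]]]" }
        Get-WinEvent @src -FilterXPath $x4660 -ErrorAction SilentlyContinue | ForEach-Object {
            $x = [xml]$_.ToXml()
            $deleted[(Get-Field $x 'HandleId') + '|' + (Get-Field $x 'ProcessId')] = $true
        }
    }

    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $key = (Get-Field $x 'HandleId') + '|' + (Get-Field $x 'ProcessId')
        $confirmed = if ($ConfirmWith4660) { $deleted.ContainsKey($key) } else { 'n/a' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = (Get-Field $x 'SubjectDomainName') + '\' + (Get-Field $x 'SubjectUserName')
            Object    = Get-Field $x 'ObjectName'
            Process   = Get-Field $x 'ProcessName'
            HandleId  = Get-Field $x 'HandleId'
            Confirmed = $confirmed
        }
    }
}

# Usage, matching the page's examples (user lxy, last 10 minutes, and a saved log file):
Get-FileDeleteEvent -UserName 'lxy' -Minutes 10 -ConfirmWith4660 | Format-Table -AutoSize
Get-FileDeleteEvent -Path 'C:\Users\F2844290\Desktop\SaveSec.evtx' | Format-Table -AutoSize
```

The -ConfirmWith4660 switch exists because of the page's own table in section 4: File Delete and File Rename both request DELETE (0x10000), so a 4663 alone cannot distinguish them. Only a 4660 with the same HandleId from the same process shows that the object was actually deleted.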

4. Reference material
  • Structure of a file deletion event
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          5/22/2018 9:03:11 AM
    Event ID:      4663
    Task Category: File System
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      IDX-ST-05
    Description:
    An attempt was made to access an object.

    Subject:
        Security ID:        IDX-ST-05\lxy
        Account Name:       lxy
        Account Domain:     IDX-ST-05
        Logon ID:           0x2ed3b8

    Object:
        Object Server:  Security
        Object Type:    File
        Object Name:    C:\Data\net.txt
        Handle ID:      0x444

    Process Information:
        Process ID:     0x4
        Process Name:

    Access Request Information:
        Accesses:       DELETE
        Access Mask:    0x10000

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4663</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12800</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2018-05-22T01:03:11.876720000Z" />
        <EventRecordID>1514</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="72" />
        <Channel>Security</Channel>
        <Computer>IDX-ST-05</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-1815651738-4066643265-3072818021-1004</Data>
        <Data Name="SubjectUserName">lxy</Data>
        <Data Name="SubjectDomainName">IDX-ST-05</Data>
        <Data Name="SubjectLogonId">0x2ed3b8</Data>
        <Data Name="ObjectServer">Security</Data>
        <Data Name="ObjectType">File</Data>
        <Data Name="ObjectName">C:\Data\net.txt</Data>
        <Data Name="HandleId">0x444</Data>
        <Data Name="AccessList">%%1537</Data>
        <Data Name="AccessMask">0x10000</Data>
        <Data Name="ProcessId">0x4</Data>
        <Data Name="ProcessName"></Data>
      </EventData>
    </Event>
  • File operation access mask table
    Operation                Accesses                       AccessMask
    File Read                ReadData (or ListDirectory)    0x1
    File Write               WriteData (or AddFile)         0x2
    File Delete              DELETE                         0x10000
    File Rename              DELETE                         0x10000
    File Copy                ReadData (or ListDirectory)    0x1
    File Permissions Change  WRITE_DAC                      0x40000
    File Ownership Change    WRITE_OWNER                    0x80000
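The record structure and the access mask table above are enough to turn a raw 4663 record into a one-line summary without Event Viewer, which is useful when working through a saved .evtx or an exported XML offline. The script below is an added example, not code from the original page; the sample here-string is a subset of the page's own Event XML re-typed for the example, and the function names are assumptions. It goes slightly beyond the table by decoding a mask that carries several bits at once.

```powershell
# Added example (not from the original page). ConvertFrom-AccessMask and
# ConvertFrom-FileAuditEvent are assumed names; the XML is a subset of the page's record.

$Sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4663</EventID>
    <TimeCreated SystemTime="2018-05-22T01:03:11.876720000Z" />
    <Computer>IDX-ST-05</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">lxy</Data>
    <Data Name="SubjectDomainName">IDX-ST-05</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Data\net.txt</Data>
    <Data Name="HandleId">0x444</Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="ProcessName"></Data>
  </EventData>
</Event>
'@

# Access mask bits from the page's table.
$AccessBits = [ordered]@{
    0x1     = 'ReadData (or ListDirectory)'
    0x2     = 'WriteData (or AddFile)'
    0x10000 = 'DELETE'
    0x40000 = 'WRITE_DAC'
    0x80000 = 'WRITE_OWNER'
}

function ConvertFrom-AccessMask([string]$Mask) {
    # One request can carry several bits, e.g. 0x50000 is DELETE plus WRITE_DAC.
    $value = [Convert]::ToInt64($Mask, 16)
    $known = 0
    foreach ($bit in $AccessBits.Keys) { $known = $known -bor $bit }
    $names = @(foreach ($bit in $AccessBits.Keys) { if ($value -band $bit) { $AccessBits[$bit] } })
    $rest = $value -band -bnot $known
    if ($rest) { $names += ('other bits 0x{0:X}' -f $rest) }   # rights not in the table
    if ($names.Count -eq 0) { 'none' } else { $names -join ', ' }
}

function ConvertFrom-FileAuditEvent([string]$EventXml) {
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # XmlConvert accepts the nine-digit fractional seconds the event log writes.
    $time = [System.Xml.XmlConvert]::ToDateTime($x.Event.System.TimeCreated.SystemTime,
                                                [System.Xml.XmlDateTimeSerializationMode]::Utc)
    [pscustomobject]@{
        TimeUtc  = $time
        EventId  = [int]$x.Event.System.EventID
        User     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Object   = $data['ObjectName']
        HandleId = $data['HandleId']
        Mask     = $data['AccessMask']
        Accesses = ConvertFrom-AccessMask $data['AccessMask']
    }
}

ConvertFrom-FileAuditEvent $Sample | Format-List
ConvertFrom-AccessMask '0x50000'
```

The same two functions work on live events by feeding them `$event.ToXml()` from Get-WinEvent; the only part specific to this offline example is the here-string.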
