File system auditing was enabled for a work requirement. Because the Windows Event Viewer is inconvenient for filtering and reviewing the resulting events, PowerShell is used to filter them instead.

Existing problems

Main goals
Filter by event ID (4660, object deleted):

PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4660]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated              Id LevelDisplayName Message
-----------              -- ---------------- -------
5/22/2018 10:01:37 AM  4660 Information      An object was deleted....
5/22/2018 9:03:11 AM   4660 Information      An object was deleted....
Filter by a field in EventData (AccessMask 0x10000 = DELETE):

PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated              Id LevelDisplayName Message
-----------              -- ---------------- -------
5/22/2018 10:01:37 AM  4663 Information      An attempt was made to access an object....
5/22/2018 9:03:11 AM   4663 Information      An attempt was made to access an object....
Combine several conditions with "and" (AccessMask and the account that performed the access):

PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']] and *[EventData[Data[@Name='SubjectUserName']='lxy']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated              Id LevelDisplayName Message
-----------              -- ---------------- -------
5/22/2018 9:03:11 AM   4663 Information      An attempt was made to access an object....
The same query with the values held in variables (double quotes expand them inside the XPath string):

PS C:\Windows\system32> $AccessMask='0x10000'
PS C:\Windows\system32> $UserName='lxy'
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='$AccessMask']] and *[EventData[Data[@Name='SubjectUserName']='$UserName']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated              Id LevelDisplayName Message
-----------              -- ---------------- -------
5/22/2018 9:03:11 AM   4663 Information      An attempt was made to access an object....
Querying a saved .evtx file instead of the live log (the Data name must match exactly; a stray space such as ' AccessMask' matches nothing):

PS C:\Users\F2844290> Get-WinEvent -Path 'C:\Users\F2844290\Desktop\SaveSec.evtx' -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"
Events from the last 10 minutes (timediff() is measured in milliseconds, 600000 ms = 10 minutes):

PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[TimeCreated[timediff(@SystemTime) < 600000]]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated              Id LevelDisplayName Message
-----------              -- ---------------- -------
5/22/2018 4:11:30 PM   4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM   4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM   4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM   4663 Information      An attempt was made to access an object....
If any of the XPath syntax is unclear, refer to the XML tab of the "Filter Current Log" dialog in Event Viewer, which shows the equivalent query for whatever filter you build there.
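The individual queries above can be combined into one function that builds the XPath from parameters and projects the EventData fields (the same Data names used in the filters) into objects, so the object name and access mask are visible instead of the truncated Message column. This is an added example, not code from the original post; the function name, parameter names and the log file path are assumptions.

```powershell
# Added example: build a Get-WinEvent XPath filter from parameters and expose the
# 4663 EventData fields as object properties. Function and parameter names are hypothetical.
function Get-FileAuditEvent {
    [CmdletBinding()]
    param(
        [int]    $EventId     = 4663,
        [string] $AccessMask  = '0x10000',   # DELETE (see the access mask table below)
        [string] $UserName,                  # SubjectUserName; omitted = any account
        [int]    $LastMinutes = 0,           # 0 = no time restriction
        [string] $Path,                      # saved .evtx file; omitted = live log
        [string] $LogName     = 'Security'
    )

    # One predicate per criterion, joined with "and", the same shape as the manual queries
    $clauses = @("*[System[EventID=$EventId]]")
    if ($AccessMask) { $clauses += "*[EventData[Data[@Name='AccessMask']='$AccessMask']]" }
    if ($UserName)   { $clauses += "*[EventData[Data[@Name='SubjectUserName']='$UserName']]" }
    if ($LastMinutes -gt 0) {
        $ms = $LastMinutes * 60 * 1000       # timediff() compares in milliseconds
        $clauses += "*[System[TimeCreated[timediff(@SystemTime) <= $ms]]]"
    }
    $xpath = $clauses -join ' and '

    # Get-WinEvent reports "no events found" as an error; treat that as an empty result
    $events = if ($Path) { Get-WinEvent -Path $Path -FilterXPath $xpath -ErrorAction SilentlyContinue }
              else       { Get-WinEvent -LogName $LogName -FilterXPath $xpath -ErrorAction SilentlyContinue }

    foreach ($e in $events) {
        # Read every <Data Name="..."> element of the record into a name -> value table
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.GetElementsByTagName('Data')) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ObjectName  = $data['ObjectName']
            AccessMask  = $data['AccessMask']
            ProcessName = $data['ProcessName']
        }
    }
}

# Usage: DELETE accesses by account lxy in the last 10 minutes, from the live Security log
Get-FileAuditEvent -UserName 'lxy' -LastMinutes 10 | Format-Table -AutoSize
```

Because the Data names are the same ones Event Viewer shows in the record's XML view, any other field (for example HandleId or ProcessId) can be added to the output object in the same way.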
Housekeeping for archived Security logs: remove archives older than 60 days and record each deletion in a text file. Filtering belongs in Where-Object and the side effects in ForEach-Object; the property access inside the string must be wrapped in $(...), otherwise "$_.Name" expands only $_ and appends ".Name" literally.

# Remove archived Security logs older than 60 days and log what was removed
Get-ChildItem E:\FileLog\Archive-Security-* |
    Where-Object { ((Get-Date) - $_.CreationTime).TotalDays -gt 60 } |
    ForEach-Object {
        Remove-Item $_.FullName -Force
        "$(Get-Date -UFormat '%Y/%m/%d')`t$($_.Name)" >> D:\RoMove-Archive-Logs.txt
    }
The full 4663 record matched above, as displayed by Event Viewer. The Data names in the XML are the ones referenced by the XPath filters:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/22/2018 9:03:11 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      IDX-ST-05
Description:
An attempt was made to access an object.

Subject:
	Security ID:		IDX-ST-05\lxy
	Account Name:		lxy
	Account Domain:		IDX-ST-05
	Logon ID:		0x2ed3b8

Object:
	Object Server:		Security
	Object Type:		File
	Object Name:		C:\Data\net.txt
	Handle ID:		0x444

Process Information:
	Process ID:		0x4
	Process Name:		

Access Request Information:
	Accesses:		DELETE
	Access Mask:		0x10000

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4663</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-05-22T01:03:11.876720000Z" />
    <EventRecordID>1514</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="72" />
    <Channel>Security</Channel>
    <Computer>IDX-ST-05</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1815651738-4066643265-3072818021-1004</Data>
    <Data Name="SubjectUserName">lxy</Data>
    <Data Name="SubjectDomainName">IDX-ST-05</Data>
    <Data Name="SubjectLogonId">0x2ed3b8</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Data\net.txt</Data>
    <Data Name="HandleId">0x444</Data>
    <Data Name="AccessList">%%1537 </Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="ProcessId">0x4</Data>
    <Data Name="ProcessName"> </Data>
  </EventData>
</Event>
Common file operations and the Accesses / AccessMask values they produce in 4663 events (note that rename and delete are indistinguishable by mask, and copy looks like a read):

Operation                 Accesses                       AccessMask
---------                 --------                       ----------
File Read                 ReadData (or ListDirectory)    0x1
File Write                WriteData (or AddFile)         0x2
File Delete               DELETE                         0x10000
File Rename               DELETE                         0x10000
File Copy                 ReadData (or ListDirectory)    0x1
File Permissions Change   WRITE_DAC                      0x40000
File Ownership Change     WRITE_OWNER                    0x80000