Today I will show you how to do Windows log analysis. The log analysis series will cover the following content; stay tuned.

0x01 Windows Event Logs: Overview

Windows system logs record information about hardware, software, and system problems and track events that occur on the system. Users can use them to find out why errors occur, or to look for the traces an attacker left behind after a compromise.

Windows event logs fall into three main categories: the system log, the application log, and the security log.

The system log

Records events generated by operating system components, including failures of drivers, system components, and application software, and data loss errors. The event types recorded in the system log are predefined by the Windows NT/2000 operating system. Default location: %SystemRoot%\System32\Winevt\Logs\System.evtx

Application logging

Contains events logged by applications or system programs, mainly recording how those programs ran. For example, a database program can log file errors in the application log, and the program's developer decides which events to record. If an application crashes, the application log may hold a record that helps you resolve the problem. Default location: %SystemRoot%\System32\Winevt\Logs\Application.evtx

The security log

Records the system's security audit events, including the various kinds of logon events, object access, process tracking, privilege use, account management, policy changes, and system events. The security log is also the log most often used in investigation and evidence collection. Security auditing is turned off by default; administrators can enable it through Group Policy, or set an audit policy in the registry that makes the system halt when the security log is full. Default location: %SystemRoot%\System32\Winevt\Logs\Security.evtx

The system and application logs hold troubleshooting information and are most useful to system administrators. The security log is more helpful to investigators: it records audit information, including user authentication (local logon, remote access, and so on) and what a given user did on the system after authenticating.

0x02 Audit Policy and Event Viewer

Auditing is not enabled by default on Windows Server 2008 R2, so you are advised to enable the audit policy. If a fault or security incident occurs later, you can then use the log files to troubleshoot the fault and trace the intruder.

PS: Some basic events are recorded even by default. The default log size is 20 MB.

Setting 1: Start → Administrative Tools → Local Security Policy → Local Policies → Audit Policy

Setting 2: Set reasonable log attributes, such as the maximum log size and event coverage threshold.

Method for viewing system logs:

  1. On the Start menu, point to All Programs, then Administrative Tools, and then click Event Viewer
  2. Press Win+R, type eventvwr.msc, and press Enter to open Event Viewer directly

0x03 Analyzing Event Logs

In Windows event log analysis, each event ID has a specific meaning. Some common security events are summarized:

Each successful logon event is marked with a logon type, and different logon types correspond to different ways of logging on:

For more information about EVENT ids, please refer to “Notes on Security Events in Windows Vista and Windows Server 2008” on Microsoft’s official website.

Original link: support.microsoft.com/zh-cn/help/…

Example 1: Use the event log to review account logons on the system:

  1. On the Start menu, point to All Programs, then Administrative Tools, and then click Event Viewer.
  2. In Event Viewer, click **Security** to view the security log.
  3. In the Actions pane on the right of the security log, click **Filter Current Log** and enter the event ID to filter on:
     - 4624: Logon succeeded
     - 4625: Logon failed
     - 4634: Logoff succeeded
     - 4647: User initiated logoff
     - 4672: Logon with special privileges (for example, an administrator)

Filtering on event ID 4625, we find 175904 events with that ID, meaning that user logon failed 175904 times; the server's administrator account has probably been subjected to brute-force password guessing.

Example 2: Use the event log to view the records of a computer starting up or shutting down:

  1. On the Start menu, point to All Programs, then Administrative Tools, and then click Event Viewer.
  2. In Event Viewer, click **System** to view the system log.
  3. In the Actions pane on the right of the system log, click **Filter Current Log** and enter the event ID to filter on.

Event IDs 6005, 6006, and 6009 indicate different machine states (startup or shutdown):

  - 6005 Information EventLog: The Event Log service was started (startup).
  - 6006 Information EventLog: The Event Log service was stopped (shutdown).
  - 6009 Information EventLog: Ctrl, Alt, or Delete was pressed to shut down the machine.

Filtering on event IDs 6005 and 6006, we find two records at about 17:53:51 on 2018/7/6, which is when I restarted the system just now.
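The two filters above (failed logons by event ID 4625 in Example 1, and startup/shutdown by 6005/6006 in Example 2) can also be run offline against events exported from Event Viewer with "Save As... XML". The following script is an added example, not part of the original post; it uses only the Python standard library, and the sample events (account names, IP addresses, timestamps) are constructed for the demonstration.

```python
# Parse Windows events exported as XML (Event Viewer "Save As... XML" or
# Log Parser -o:XML) for the page's two questions: failed logons (4625) and
# boot/shutdown times (6005/6006). Stdlib only; sample events are constructed.
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive"}

def event_xml(event_id, time, **data):
    """Build one <Event> in the Event Viewer export schema (constructed sample)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')

def parse_events(xml_text):
    """Yield (event_id, time, {DataName: value}); the export has no root, so wrap it."""
    for ev in ET.fromstring(f"<Events>{xml_text}</Events>").findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        time = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, time, data

def failed_logons(events, threshold=5):
    """Count 4625 per (account, source IP); pairs at/above threshold are the
    brute-force indicator the text spots as a huge 4625 count."""
    counts = Counter((d["TargetUserName"], d["IpAddress"])
                     for eid, _, d in events if eid == 4625)
    return {k: n for k, n in counts.items() if n >= threshold}

def successful_logons(events):
    """Decode the 4624 logon type so RDP (10) and network (3) logons stand out."""
    return [(t, d["TargetUserName"], d["IpAddress"],
             LOGON_TYPES.get(int(d["LogonType"]), "Unknown"))
            for eid, t, d in events if eid == 4624]

def power_timeline(events):
    """Map 6005/6006 (Event Log service started/stopped) to start/stop marks."""
    return [("start" if eid == 6005 else "stop", t)
            for eid, t, _ in events if eid in (6005, 6006)]

# Constructed sample; Security and System events are mixed into one export here.
SAMPLE = "".join(
    [event_xml(4625, f"2018-07-06T09:{i:02d}:00Z", TargetUserName="administrator",
               IpAddress="203.0.113.7", LogonType=3) for i in range(6)]
    + [event_xml(4624, "2018-07-06T09:10:00Z", TargetUserName="alice",
                 IpAddress="198.51.100.4", LogonType=10),
       event_xml(6006, "2018-07-06T09:50:00Z"), event_xml(6005, "2018-07-06T09:53:51Z")])
EVENTS = list(parse_events(SAMPLE))
```

On a real host, 4624/4625 come from Security.evtx and 6005/6006 from System.evtx; export each log separately and pass its text to parse_events.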

0x04 Log Analysis Tool

Log Parser

Log Parser is a log analysis tool from Microsoft. It is powerful and simple to use. It can analyze text-based log files, XML files, CSV (comma-separated) files, operating system event logs, the registry, the file system, and Active Directory. Data is queried with SQL-like statements, and results can even be rendered as charts.

Log Parser 2.2 Download address: www.microsoft.com/en-us/downl…

The Log Parser using the sample: mlichtenberg.wordpress.com/2011/02/03/…

Basic query structure

```
LogParser.exe -i:EVT -o:DATAGRID "SELECT * FROM C:\xx.evtx"
```

Use Log Parser to analyze logs

1. Query successful logon events

```
LogParser.exe -i:EVT -o:DATAGRID "SELECT * FROM C:\Security.evtx where EventID=4624"
```

Logon events within a specified time range:

```
LogParser.exe -i:EVT -o:DATAGRID "SELECT * FROM C:\Security.evtx where TimeGenerated>'2018-06-19 23:32:11' and TimeGenerated<'2018-06-20 23:34:00' and EventID=4624"
```

Extract the logon type, time, user name, and source IP from each 4624 event:

```
LogParser.exe -i:EVT -o:DATAGRID "SELECT EXTRACT_TOKEN(Message,13,' ') as EventType,TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,'|') as Username,EXTRACT_TOKEN(Message,38,' ') as Loginip FROM c:\Security.evtx where EventID=4624"
```

2. Query failed logon events

```
LogParser.exe -i:EVT -o:DATAGRID "SELECT * FROM C:\Security.evtx where EventID=4625"
```

Group failed logons by user and source IP, with a count per group:

```
LogParser.exe -i:EVT "SELECT EXTRACT_TOKEN(Message,13,' ') as EventType,EXTRACT_TOKEN(Message,19,' ') as user,count(EXTRACT_TOKEN(Message,19,' ')) as Times,EXTRACT_TOKEN(Message,39,' ') as Loginip FROM c:\Security.evtx where EventID=4625 GROUP BY Message"
```

3. System startup and shutdown records:

```
LogParser.exe -i:EVT -o:DATAGRID "SELECT TimeGenerated,EventID,Message FROM c:\System.evtx where EventID=6005 or EventID=6006"
```

Log Parser Lizard

Log Parser Lizard wraps Log Parser in a GUI and is easy to use: there is no need to memorize complicated commands. You only need to set it up and write basic SQL statements to get results in an intuitive form.

Download: www.lizard-labs.com/log\_parser…

It requires the Microsoft .NET Framework 4.5, download: www.microsoft.com/en-us/downl…

Query a user's recent logon activity:

Event Log Explorer

Event Log Explorer is a very useful log analysis tool for Windows. It can view, monitor, and analyze event records, including the security, system, application, and other Microsoft Windows event logs. Its powerful filtering lets you quickly pick out valuable information.

Download address: event-log-explorer.en.softonic.com/