常见事件ID
4778,4779 远程桌面 重连或者断开 有远程登录的 ip和 客户端名
4624 登录成功 有远程登录的 ip和 客户端名
4625 登录失败 服务器是否在受到暴力破解
4634 – 注销成功
4647 – 用户启动的注销
4672 – 使用超级用户(如管理员)进行登录
4720 - 创建账户
4726 - 删除用户账号
4728 - 在组中添加成员 伴随4720 产生
4729 - 从组中删除成员
4624的 登录类型
| 登录类型 | 描述 | 说明 |
| :------- | ------------------------------- | ------------------------------------------------ |
| 2 | 交互式登录(Interactive) | 用户在本地进行登录。 |
| 3 | 网络(Network) | 最常见的情况就是连接到共享文件夹或共享打印机时。 |
| 4 | 批处理(Batch) | 通常表明某计划任务启动。 |
| 5 | 服务(Service) | 每种服务都被配置在某个特定的用户账号下运行。 |
| 7 | 解锁(Unlock) | 屏保解锁。 |
| 8 | 网络明文(NetworkCleartext) | 登录的密码在网络上是通过明文传输的,如FTP。 |
| 9 | 新凭证(NewCredentials) | 使用带/Netonly参数的RUNAS命令运行一个程序。 |
| 10 | 远程交互,(RemoteInteractive) | 通过终端服务、远程桌面或远程协助访问计算机。 |
| 11 | 缓存交互(CachedInteractive) | 以一个域用户登录而又没有域控制器可用 |
参考
https://mlichtenberg.wordpress.com/2011/02/03/log-parser-rocks-more-than-50-examples/
安装
下载地址
https://www.microsoft.com/en-us/download/details.aspx?id=24659
双击安装包
中间选择 custom setup
默认位置 安装好
导入环境变量
C:\Program Files (x86)\Log Parser 2.2
使用
cmd
查看使用方法
logparses
使用方法
1、导出为execl能打开的格式
logparser -i:evt -o:csv "select * from c:\sec.evt" > d:sec.csv
logparser -i:evt -o:csv "select * from security" > d:sec.csv
logparser -i:evt -o:nat "select * into a.txt from security"
logparser -i:evt -o:csv "select TimeGenerated,EventID,Message from c:\sec.evt" > d:sec.csv
logparser -i:evt -o:TPL -tpl:EventLogs.tpl "select * into b.html from d:\sec.evt"
使用条件语句:
SELECT TimeGenerated, EventTypeName, SourceName FROM System
WHERE ( SourceName = 'Service Control Manager' AND EventID >= 7024) OR
( SourceName = 'W32Time')
SELECT * FROM Security
WHERE Message LIKE '%logon%'
A、在iis日志中搜索特殊链接
LogParser -o:csv "SELECT * into a.csv FROM iis.log where EXTRACT_EXTENSION(cs-uri-stem) LIKE 'asp'"
B、最经典的例子,对日志中的url进行归并统计
LogParser -o:csv "SELECT cs-uri-stem, COUNT(*) into a.csv FROM iis.log GROUP BY cs-uri-stem"
c、统计所有日志
LogParser -o:csv "SELECT cs-uri-stem, COUNT(*)into a.csv FROM ex*.log GROUP BY cs-uri-stem"
LogParser -i:iisw3c -o:csv "SELECT cs-uri-stem, COUNT(*)into a.csv FROM *.log GROUP BY cs-uri-stem"
d、对文件后缀进行排名
LogParser -i:iisw3c -o:csv "SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, COUNT(*) into a.cssv FROM *.log GROUP BY PageType"
e、得到所有的不重复的链接
LogParser -i:iisw3c -o:csv "SELECT distinct cs-uri-stem into a.csv FROM *.log"
2、生成百分比饼图
LogParser "SELECT EventID, COUNT(*) AS Times INTO Chart.gif FROM d:\tmp\sec.evt GROUP BY EventID ORDER BY Times DESC" -chartType:PieExploded3D -chartTitle:"Status Codes"
3、http日志
LogParser file:querytop.sql -o:chart -chartType:Bar3d -chartTitle:"TOP 10 URL"
querytop.sql:
SELECT TOP 10 cs-uri-stem AS Url,
COUNT(*) AS Hits
INTO Urls.gif
FROM <1>
GROUP BY Url
ORDER BY Hits DESC
4、在html页面里找关键字
Return the lines in an HTML document that contain links to other pages:
LogParser "SELECT Text FROM http://www.microsoft.adatum.com WHERE Text LIKE '%href%'" -i:TEXTLINE
5、MD5 Hashes of System Files
LogParser "SELECT Path, HASHMD5_FILE(Path) into a.txt FROM C:\Windows\System32\*.exe" -i:FS -recurse:0
6、Print the 10 largest files on the C: drive:
LogParser "SELECT TOP 10 Path, Name, Size FROM C:\*.* ORDER BY Size DESC" -i:FS
7、获得本机登陆帐户的查看
LogParser.exe -o:nat "SELECT RESOLVE_SID(Sid) AS Account FROM Security WHERE EventID IN (540; 528)"
8、获得系统日志的分类详细信息
LogParser "SELECT DISTINCT SourceName, EventID,SourceName,message INTO Event_*.csv FROM security" -i:EVT -o:CSV
LogParser "SELECT DISTINCT SourceName, EventID,SourceName,message INTO Event_*.csv FROM System" -i:EVT -o:CSV
根据id分类
LogParser "SELECT DISTINCT eventid, EventID,SourceName,message INTO Event_*.csv FROM System" -i:EVT -o:CSV
LogParser "SELECT DISTINCT eventid, EventID,SourceName,message INTO Event_*.csv FROM security" -i:EVT -o:CSV
9、生成图形界面日志
LogParser "SELECT 'Event ID:', EventID, SYSTEM_TIMESTAMP(),message FROM security" -i:EVT -o:datagrid
10、生成一个Web页面
LogParser file:d:\EventLogs.sql?EventLog=security -o:TPL -tpl:d:\EventLogs.tpl
LogParser file:d:\EventLogs.sql?EventLog=system -o:TPL -tpl:d:\EventLogs.tpl
11、在iis日志里查看返回代码分布饼图
LogParser "SELECT sc-status, COUNT(*) AS Times INTO Chart.gif FROM iis.log GROUP BY sc-status ORDER BY Times DESC" -chartType:PieExploded3D -chartTitle:"Status Codes"
12、在所有日志中手机前10位的排名
LogParser file:querytop.sql -o:chart -chartType:Bar3d -chartTitle:"TOP 10 URL"
querytop.sql:
SELECT TOP 10 cs-uri-stem AS Url,
COUNT(*) AS Hits
INTO Urls.gif
FROM ex*.log
GROUP BY Url
ORDER BY Hits DESC
13、检索目录下所有文件的所有的信息
logparser "select * into a.csv from c:\x-scan\*.*" -i:fs -o:csv
查看每个源IP发了多少个包
LogParser "SELECT srcip ,count(*) into a.csv FROM a.cap group by srcip" -fmode:tcpip -o:csv
查看每个源端口的包的个数
LogParser "SELECT srcport ,count(*) into a.csv FROM a.cap group by srcport" -fmode:tcpip -o:csv
归并所有srcip,dstip,srcport一样的包,得到个数
LogParser "SELECT srcip,dstip,srcport ,count(*) into a.csv FROM a.cap group by srcip,dstip,srcport" -fmode:tcpip -o:csv
归并所有tcpflags的包
LogParser "SELECT srcip,srcport,dstip,dstport,tcpflags,count(*) into a.csv FROM a.cap where tcpflags='AF' group by srcip,srcport,dstip,dstport,tcpflags" -fmode:tcpip -o:csv
tcpflags的分布饼图
LogParser "SELECT tcpflags,count(*) into a.gif FROM a.cap group by tcpflags " -fmode:tcpip -chartType:PieExploded3D -chartTitle:"Status Codes"
LogParser "SELECT tcpflags,count(*) into a.csv FROM a.cap group by tcpflags " -fmode:tcpip -o:csv
使用示例
将安全日志导出 为 D:\Security.evtx文件
转换为.csv格式
logparser -i:evt -o:csv "select * from D:\Security.evtx" > d:sec.csv
LogParser.exe -i:EVT -o:DATAGRID "SELECT TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,'|') as username,EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName,EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM D:\Security.evtx where EventID=4625"
看到次数
还有问题
LogParser.exe -i:EVT "SELECT EXTRACT_TOKEN(Message,13,' ') as EventType,EXTRACT_TOKEN(Message,19,' ') as user,count(EXTRACT_TOKEN(Message,19,' ')) AS Times,EXTRACT_TOKEN(Message,38,' ') as Loginip FROM D:\Security.evtx where EventID=4625 GROUP BY Message"
没有达到下边这个效果
实际应用
1、查询登录成功的事件
登录成功的所有事件
LogParser.exe -i:EVT -o:DATAGRID "SELECT * FROM D:\Security.evtx where EventID=4624"
指定登录时间范围的事件:
LogParser.exe -i:EVT -o:DATAGRID "SELECT * FROM D:\Security.evtx where TimeGenerated>'2021-10-19 23:32:11' and TimeGenerated<'2021-11-19 23:34:00' and EventID=4624"
提取登录成功的用户名和IP:
LogParser.exe -i:EVT –o:DATAGRID "SELECT EXTRACT_TOKEN(Message,13,' ') as EventType,TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,'|') as Username,EXTRACT_TOKEN(Message,38,' ') as Loginip FROM D:\Security.evtx where EventID=4624"
2、查询登录失败的事件
登录失败的所有事件:
LogParser.exe -i:EVT –o:DATAGRID "SELECT * FROM D:\Security.evtx where EventID=4625"
提取登录失败用户名进行聚合统计:
LogParser.exe -i:EVT "SELECT EXTRACT_TOKEN(Message,13,' ') as EventType,EXTRACT_TOKEN(Message,19,' ') as user,count(EXTRACT_TOKEN(Message,19,' ')) as Times,EXTRACT_TOKEN(Message,39,' ') as Loginip FROM D:\Security.evtx where EventID=4625 GROUP BY Message"
测试有问题
3、系统历史开关机记录:
LogParser.exe -i:EVT –o:DATAGRID "SELECT TimeGenerated,EventID,Message FROM D:\System.evtx where EventID=6005 or EventID=6006"
