Saturday, 02 July 2011

Get-Winevent Part III: Querying the Event Log for Logons (Part C)

To list the Opcodes, Event IDs and Event Descriptions for the events of any group of providers (e.g. Securit*), you can use:

$ProviderNames=get-winevent -listprovider microsoft-windows-Securit* | % {$_.Name}
$ProviderNames | % {((get-winevent -listprovider $_).events) | format-table @{Name="Opcode"; Expression = {$_.Opcode.Name}},ID,Description -auto -wrap}


To create a list of EventIDs from the Security Log for which we want more information, we could download "Windows 7 and Windows Server 2008 R2 Security Event Descriptions", or we could select the lines containing "log" from our provider query:

$ProviderNames | % {((get-winevent -listprovider $_).events) | format-table @{Name="Opcode"; Expression = {$_.Opcode.Name}},ID,Description | findstr "win:"} | out-file  SecurityIDs.txt
Select-string "log" -path SecurityIDs.txt | ft -auto Line

           4611 A trusted logon process has been registered with the Local ...
           4624 An account was successfully logged on....
           4625 An account failed to log on....
           4634 An account was logged off....
           4647 User initiated logoff:...
           4648 A logon was attempted using explicit credentials....
           4672 Special privileges assigned to new logon....
           4774 An account was mapped for logon....
           4775 An account could not be mapped for logon....
           4908 Special Groups Logon table modified....
           4964 Special groups have been assigned to a new logon....
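The same provider walk done with PowerShell objects instead of a text file and findstr, as an added example that is not part of the original post: it lists every event from the Microsoft-Windows-Securit* providers whose description mentions a logon or logoff, and keeps the IDs for the later queries. The regex and the variable names are my own choices.

```powershell
# Added example (not from the original post): list logon/logoff related event IDs
# from the Security providers as objects, without Out-File and findstr.
# Assumes Windows PowerShell on a host where the Microsoft-Windows-Securit* providers exist.

$providerNames = Get-WinEvent -ListProvider 'Microsoft-Windows-Securit*' |
    ForEach-Object { $_.Name }

$logonEvents = foreach ($name in $providerNames) {
    (Get-WinEvent -ListProvider $name).Events |
        # \b keeps "logon", "logoff", "logged on/off" and drops words like "dialog"
        Where-Object { $_.Description -match '\blog(on|off|ged)\b' } |
        Select-Object @{Name = 'Provider';    Expression = { $name }},
                      @{Name = 'Opcode';      Expression = { $_.Opcode.Name }},
                      Id,
                      # first line of the description only, like the findstr output above
                      @{Name = 'Description'; Expression = { ($_.Description -split "`r?`n")[0] }}
}

$logonEvents | Format-Table Provider, Opcode, Id, Description -AutoSize

# Sorted, de-duplicated ID list ready for a -FilterHashtable Id value
$logonIds = $logonEvents | ForEach-Object { $_.Id } | Sort-Object -Unique
$logonIds
```

Filtering on Description with a word-boundary regex avoids the round trip through SecurityIDs.txt and the findstr "win:" trick; events that carry no Description simply fail the -match and are dropped. The resulting $logonIds array can be handed straight to a -FilterHashtable query.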

Now we query all of our particular IDs in question using the search list for findstr below:

$LogonIDs="4611","4624","4625","4634","4647","4648","4672","4774","4775","4908","4964"
foreach ($item in $LogonIDs) {(Get-WinEvent -max 100 -FilterHashtable @{Logname='security';Id=$item} | Select TimeCreated,Message | fl * | findstr /G:search.lst) -replace "  "," " | out-file -append "$item.txt" }

where search.lst :

TimeCreated
Security ID:
Account Name:
Account Domain:
Logon ID:
Logon Type:
Logon GUID:
Process Name:

This gives us some hits for the EventID numbers in separate files which contain entries that look like this:

PS C:\ps1> more 4624.txt
TimeCreated : 7/2/2011 7:25:59 PM
                  Security ID:        S-1-5-18
                  Account Name:        RMFVPC$
                  Account Domain:        RMFDEVELOPMENT
                  Logon ID:        0x3e7
              Logon Type:            5
                  Security ID:        S-1-5-18
                  Account Name:        SYSTEM
                  Account Domain:        NT AUTHORITY
                  Logon ID:        0x3e7
                  Logon GUID:        {00000000-0000-0000-0000-000000000000}
                  Process Name:        C:\Windows\System32\services.exe
....
But running one query per ID isn't very fast. Instead we can pass the whole array of event IDs as the Id value of a single '-FilterHashtable' query and then filter the message field with 'findstr':

$LogonIDs="4611","4624","4625","4634","4647","4648","4672","4774","4775","4908","4964"
$MultipleIDLogEntries=Get-WinEvent -max 100 -FilterHashtable @{Logname='security';Id=@($LogonIDs)}
($MultipleIDLogEntries | Select TimeCreated,Message | fl * | findstr /G:search.lst) -replace "  "," " | out-file -append Events_all.txt

This output also contains entries that look like this:

PS C:\ps1> more Events_all.txt
TimeCreated : 7/2/2011 7:25:59 PM
                  Security ID:        S-1-5-18
                  Account Name:        SYSTEM
                  Account Domain:        NT AUTHORITY
                  Logon ID:        0x3e7
TimeCreated : 7/2/2011 7:25:59 PM
                  Security ID:        S-1-5-18
                  Account Name:        RMFVPC$
                  Account Domain:        RMFDEVELOPMENT
                  Logon ID:        0x3e7
              Logon Type:            5
                  Security ID:        S-1-5-18
                  Account Name:        SYSTEM
                  Account Domain:        NT AUTHORITY
                  Logon ID:        0x3e7
                  Logon GUID:        {00000000-0000-0000-0000-000000000000}
                  Process Name:        C:\Windows\System32\services.exe
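The single-query approach again, as an added example that is not part of the original post: one Get-WinEvent call for all of the logon IDs, bounded by a StartTime, with the search.lst fields pulled out of each Message in PowerShell rather than through findstr. The one-day window, the variable names and the use of a regex in place of the search list are my own assumptions; reading the Security log still needs an elevated session.

```powershell
# Added example (not from the original post): query all logon-related IDs at once and
# extract the same fields as search.lst from the Message text. Assumes an elevated
# Windows PowerShell session; the one-day StartTime window is an arbitrary choice.

$LogonIDs = 4611,4624,4625,4634,4647,4648,4672,4774,4775,4908,4964

# Same labels as the post's search.lst, turned into one anchored, escaped pattern
$wantedFields = 'Security ID','Account Name','Account Domain','Logon ID',
                'Logon Type','Logon GUID','Process Name'
$fieldPattern = '^\s*(' + (($wantedFields | ForEach-Object { [regex]::Escape($_) }) -join '|') + '):'

# Id accepts an array, so one query replaces the per-ID foreach loop;
# StartTime keeps the scan to a bounded slice of the log
$events = Get-WinEvent -MaxEvents 100 -FilterHashtable @{
    LogName   = 'Security'
    Id        = $LogonIDs
    StartTime = (Get-Date).AddDays(-1)
}

$lines = foreach ($e in $events) {
    'TimeCreated : {0}  (Id {1})' -f $e.TimeCreated, $e.Id
    # -replace is regex based: "  " only halves each run of blanks, '\s+' collapses it fully
    $e.Message -split "`r?`n" |
        Where-Object { $_ -match $fieldPattern } |
        ForEach-Object { ($_ -replace '\s+', ' ').Trim() }
}

$lines | Out-File Events_all.txt
$lines | Select-Object -First 20
```

Two points worth noting against the findstr version above: the Id key of -FilterHashtable takes the array directly, so there is no need to wrap it in @(), and because -replace works on regular expressions, replacing "  " with " " only turns each pair of blanks into one; the indentation left in the sample output above comes from the remaining blanks and tabs, which '\s+' removes in one pass.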

But what we really need is a way to parse this output into a CSV... so on to Get-Winevent Part III: Querying the Event Log for Logons (Part D)
