千家信息网

Windows log filtering

Published: 2025-02-03 (last updated 2025-02-03) Author: 千家信息网 editor

File system auditing was enabled for a work requirement. Because the Windows Event Viewer is not convenient for filtering and browsing the resulting logs, PowerShell is used to filter them instead.

1. Requirements analysis

  • Problems
    1. The log volume is huge (about 1 GB per day)
    2. Querying logs in Event Viewer is inconvenient
  • Main goals
    1. Enable file system auditing
    2. Quickly look up a user's delete operations
  • Solution
    1. Archive the log by rotation (500 MB per file)
    2. Keep logs for 60 days (a script can delete archives older than that)
    3. Filter the log with the FilterXPath parameter of Get-WinEvent and print the result formatted
    4. Delete operations have access mask 0x10000, which can be filtered on

2. File audit settings

2.1 Enable file system auditing

  1. secpol.msc
  2. Advanced Audit Policy Configuration
  3. Object Access
  4. Audit File System
    • [x] Configure the following audit events:
    • [x] Success
    • [x] Failure

2.2 Create the shared folder

  1. Folder Properties
  2. Sharing
  3. Choose people to share with
  4. Everyone

2.3 Set the users and groups to audit on the folder

  1. Folder Properties
  2. Security
  3. Advanced
  4. Auditing
  5. Add user

2.4 Set the log path and size

  1. Event Viewer
  2. Windows Logs
  3. Security
  4. Log Properties
  5. Log Path: E:\FileLog\Security.evtx
  6. Maximum log size(KB): 512000
    • [x] Archive the log when full, do not overwrite events
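The four GUI steps above can also be scripted. The following is an added example, not part of the original page: it uses auditpol.exe, New-SmbShare, Set-Acl and wevtutil.exe to produce the same configuration. The log path and the 512000 KB limit are the page's values; the folder E:\Share and the share name are hypothetical, and the "File System" subcategory name assumes an English-language system (the name is localized).

```powershell
# Added example (not from the original page): scripts the four GUI steps of section 2.
# Assumptions: E:\Share is the folder to audit (hypothetical path); the log location
# E:\FileLog\Security.evtx and the 512000 KB limit come from the page.
# Run from an elevated PowerShell session.

# 2.1 Enable the "File System" subcategory for success and failure events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2.2 Create the folder and share it with Everyone, as in the sharing wizard.
$folder = 'E:\Share'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
New-SmbShare -Name 'Share' -Path $folder -FullAccess 'Everyone'

# 2.3 Add a SACL entry so that delete attempts by any user are audited
#     (success and failure), inherited by files and subfolders.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Delete,DeleteSubdirectoriesAndFiles',
    'ContainerInherit,ObjectInherit',
    'None',
    'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 2.4 Move the Security log to E:\FileLog, cap it at 512000 KB and archive it when
#     full instead of overwriting (wevtutil takes the size in bytes: 512000 * 1024).
New-Item -ItemType Directory -Path 'E:\FileLog' -Force | Out-Null
wevtutil sl Security /lfn:E:\FileLog\Security.evtx /ms:524288000 /rt:true /ab:true

# Verify the result.
auditpol /get /subcategory:"File System"
wevtutil gl Security
```

`/rt:true` together with `/ab:true` is the command-line equivalent of the "Archive the log when full, do not overwrite events" option; `wevtutil gl Security` shows the resulting `retention`, `autoBackup`, `maxSize` and `logFileName` values so the change can be checked without opening Event Viewer.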

3. Method

  • Filter logs with event ID 4660 (An object was deleted)

    PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4660]]"

       ProviderName: Microsoft-Windows-Security-Auditing

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    5/22/2018 10:01:37 AM         4660 Information      An object was deleted....
    5/22/2018 9:03:11 AM          4660 Information      An object was deleted....
  • Filter file deletion logs

    PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"

       ProviderName: Microsoft-Windows-Security-Auditing

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    5/22/2018 10:01:37 AM         4663 Information      An attempt was made to access an object....
    5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
  • Filter file deletion logs for a specific user

    PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']] and *[EventData[Data[@Name='SubjectUserName']='lxy']]"

       ProviderName: Microsoft-Windows-Security-Auditing

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
  • Filter file deletion logs for a specific user, using variables

    PS C:\Windows\system32> $AccessMask='0x10000'
    PS C:\Windows\system32> $UserName='lxy'
    PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='$AccessMask']] and *[EventData[Data[@Name='SubjectUserName']='$UserName']]"

       ProviderName: Microsoft-Windows-Security-Auditing

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
  • Filter file deletion logs from a saved .evtx file

    PS C:\Users\F2844290> Get-WinEvent -Path 'C:\Users\F2844290\Desktop\SaveSec.evtx' -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"
  • Filter security logs from the last 10 minutes
    timediff() in the XPath filter is measured in milliseconds: 10 minutes = 60 * 10 * 1000 = 600000

    PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[TimeCreated[timediff(@SystemTime) < 600000]]]"

       ProviderName: Microsoft-Windows-Security-Auditing

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
    5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
    5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
    5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
  • Other filtering methods

If the XPath syntax is unclear, open Event Viewer's "Filter Current Log" dialog and switch to its XML tab: it shows the XPath query that corresponds to the options selected in the GUI.
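The commands above only print the generic "An attempt was made to access an object" message; the user, file name and process are inside the EventData block of each event. The following is an added example, not part of the original page, that collects those fields into one object per event and decodes the access mask, so that the same query covers the live log, a time window and the archived files created by section 2.4. The function name, its parameters and the E:\Share-style paths are my own; the user name lxy, the archive location E:\FileLog and the 0x10000 mask are the page's values.

```powershell
# Added example (not from the original page): query file-deletion audit events (4663)
# and return one object per event instead of the raw message text.
# Assumptions: user 'lxy', archive path E:\FileLog and mask 0x10000 are from the page;
# the function name and parameters are hypothetical.
function Get-FileDeleteAudit {
    param(
        [string]$User,                                    # SubjectUserName to keep (optional)
        [datetime]$Since = (Get-Date).AddMinutes(-10),    # default: last 10 minutes
        [string[]]$ArchivePath                            # optional saved .evtx files to read
    )

    # FilterHashtable handles the System-level fields (log, ID, time) efficiently;
    # EventData fields such as AccessMask and SubjectUserName are checked after parsing.
    $events = if ($ArchivePath) {
        Get-WinEvent -FilterHashtable @{ Path = $ArchivePath; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue
    } else {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue
    }

    foreach ($e in $events) {
        # Each 4663 event carries its fields as <Data Name="..."> nodes; build a lookup table.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $mask = [int]$d['AccessMask']                          # '0x10000' parses as hex
        if (-not ($mask -band 0x10000)) { continue }          # keep only requests that include DELETE
        if ($User -and $d['SubjectUserName'] -ne $User) { continue }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object     = $d['ObjectName']
            Process    = $d['ProcessName']
            AccessMask = ('0x{0:X}' -f $mask)
            # Decode the mask with the .NET enum for NTFS rights (0x10000 = Delete,
            # 0x40000 = ChangePermissions, 0x80000 = TakeOwnership).
            Rights     = [System.Security.AccessControl.FileSystemRights]$mask
        }
    }
}

# Usage: deletions by lxy in the last 10 minutes from the live Security log ...
Get-FileDeleteAudit -User 'lxy' | Format-Table -AutoSize

# ... and every deletion in the last 7 days from the archives written when the log filled up.
$archives = (Get-ChildItem 'E:\FileLog\Archive-Security-*.evtx').FullName
Get-FileDeleteAudit -Since (Get-Date).AddDays(-7) -ArchivePath $archives | Format-Table -AutoSize
```

Testing the mask with `-band` rather than string equality matters: a handle opened for DELETE together with other rights carries a combined mask (for example 0x10080), which the page's exact-match XPath filter `='0x10000'` would miss. The Rights column makes that visible, since the enum prints every right contained in the mask.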

  • Delete archived logs older than 60 days and record what was deleted

    # Archives produced by "Archive the log when full" are named Archive-Security-*.evtx.
    # Files older than 60 days are removed and each removal is appended to a text log
    # as "date<TAB>file name".
    Get-ChildItem 'E:\FileLog\Archive-Security-*' |
        Where-Object { ((Get-Date) - $_.CreationTime).TotalDays -gt 60 } |
        ForEach-Object {
            Remove-Item -Path $_.FullName -Force
            "$(Get-Date -UFormat '%Y/%m/%d')`t$($_.Name)" | Add-Content -Path 'D:\RoMove-Archive-Logs.txt'
        }

4. Reference material

  • Structure of a file-deletion log entry

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          5/22/2018 9:03:11 AM
    Event ID:      4663
    Task Category: File System
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      IDX-ST-05
    Description:
    An attempt was made to access an object.

    Subject:
        Security ID:        IDX-ST-05\lxy
        Account Name:       lxy
        Account Domain:     IDX-ST-05
        Logon ID:           0x2ed3b8

    Object:
        Object Server:      Security
        Object Type:        File
        Object Name:        C:\Data\net.txt
        Handle ID:          0x444

    Process Information:
        Process ID:         0x4
        Process Name:

    Access Request Information:
        Accesses:           DELETE
        Access Mask:        0x10000

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" />
        <EventID>4663</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12800</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated />
        <EventRecordID>1514</EventRecordID>
        <Correlation />
        <Execution />
        <Channel>Security</Channel>
        <Computer>IDX-ST-05</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-1815651738-4066643265-3072818021-1004</Data>
        <Data Name="SubjectUserName">lxy</Data>
        <Data Name="SubjectDomainName">IDX-ST-05</Data>
        <Data Name="SubjectLogonId">0x2ed3b8</Data>
        <Data Name="ObjectServer">Security</Data>
        <Data Name="ObjectType">File</Data>
        <Data Name="ObjectName">C:\Data\net.txt</Data>
        <Data Name="HandleId">0x444</Data>
        <Data Name="AccessList">%37</Data>
        <Data Name="AccessMask">0x10000</Data>
        <Data Name="ProcessId">0x4</Data>
        <Data Name="ProcessName"></Data>
      </EventData>
    </Event>
  • File operation access-mask table

    Operation                  Accesses                       AccessMask
    File Read                  ReadData (or ListDirectory)    0x1
    File Write                 WriteData (or AddFile)         0x2
    File Delete                DELETE                         0x10000
    File Rename                DELETE                         0x10000
    File Copy                  ReadData (or ListDirectory)    0x1
    File Permissions Change    WRITE_DAC                      0x40000
    File Ownership Change      WRITE_OWNER                    0x80000