中文字幕av专区_日韩电影在线播放_精品国产精品久久一区免费式_av在线免费观看网站

溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務條款》

Windows日志篩選

發布時間:2020-07-30 12:38:25 來源:網絡 閱讀:2180 作者:ikulin 欄目:系統運維

Windows日志篩選

因工作需求開啟文件系統審核,因Windows日志管理器并不方便篩選查閱,所以使用powershell方法進行篩選。

一、需求分析

  • 存在問題

    1. 日志量巨大(每天約1G)
    2. 日志管理器查詢日志不便

  • 主要目標

    1. 啟用文件系統審核
    2. 快捷查詢用戶的刪除操作
  • 解決方案
    1. 采用輪替方式歸檔日志(500MB)
    2. 日志存放60天(可用腳本刪除超過期限日志檔案)
    3. 使用Get-WinEvent中的FilterXPath過日志進行篩選,格式打印
    4. 刪除操作碼為0x10000,可對其進行篩選

二、文件審核設置

2.1 開啟文件系統審核功能

  1. secpol.msc
  2. Advanced Audit Policy Configuration
  3. Object Access
  4. Audit File System
    • [x] Configure the following audit events:
    • [x] Success
    • [x] Failure

2.2 建立共享文件夾

  1. Folder Properties
  2. Sharing
  3. Choose people to share with
  4. Everyone

2.3 設置文件夾審核的用戶組

  1. Folder Properties
  2. Security
  3. Advanced
  4. Auditing
  5. Add user

2.4 設置日志路徑及大小

  1. Event Viewer
  2. Windows Logs
  3. Security
  4. Log Properties
  5. Log Path: E:\FileLog\Security.evtx
  6. Maximum log size(KB): 512000
    • [x] Archive the log when full,do not overwrite events

三、方法

  • 篩選事件ID為4460日志
PS C:\Windows\system32>  Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4660]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 10:01:37 AM         4660 Information      An object was deleted....
5/22/2018 9:03:11 AM          4660 Information      An object was deleted....
  • 篩選文件刪除日志
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 10:01:37 AM         4663 Information      An attempt was made to access an object....
5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
  • 篩選指定用戶文件刪除日志
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']] and *[EventData[Data[@Name='SubjectUserName']='lxy']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
  • 以變量方式篩選指定用戶文件刪除日志
PS C:\Windows\system32> $AccessMask='0x10000'
PS C:\Windows\system32> $UserName='lxy'
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='$AccessMask']] and *[EventData[Data[@Name='SubjectUserName']='$UserName']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
  • 從保存的文件篩選文件刪除日志
PS C:\Users\F2844290> Get-WinEvent -Path 'C:\Users\F2844290\Desktop\SaveSec.evtx' -FilterXPath "*[EventData[Data[@Name='
AccessMask']='0x10000']]"PS C:\Windows\system32> $AccessMask='0x10000'
  • 篩選10分鐘內發生的安全性日志
    XML中時間計算單位為ms,10minute=60 10 1000=600000
PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[TimeCreated[timediff(@SystemTime) < 600000]]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
  • 其它篩選方法

若有語法不明之處,可參考日志管理器中篩選當前日志的XML方法。

  • 刪除超過60天的存檔日志并記錄
Get-ChildItem E:\FileLog\Archive-Security-* | Where-Object  {

if(( (get-date) -  $_.CreationTime).TotalDays -gt 60 ){

Remove-Item $_.FullName -Force
Write-Output "$(Get-Date -UFormat "%Y/%m%d")`t$_.Name" >>D:\RoMove-Archive-Logs.txt

} 
}

四、其它文件

  • 文件刪除日志結構
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/22/2018 9:03:11 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      IDX-ST-05
Description:
An attempt was made to access an object.

Subject:
    Security ID:        IDX-ST-05\lxy
    Account Name:       lxy
    Account Domain:     IDX-ST-05
    Logon ID:       0x2ed3b8

Object:
    Object Server:  Security
    Object Type:    File
    Object Name:    C:\Data\net.txt
    Handle ID:  0x444

Process Information:
    Process ID: 0x4
    Process Name:   

Access Request Information:
    Accesses:   DELETE

    Access Mask:    0x10000
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4663</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-05-22T01:03:11.876720000Z" />
    <EventRecordID>1514</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="72" />
    <Channel>Security</Channel>
    <Computer>IDX-ST-05</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1815651738-4066643265-3072818021-1004</Data>
    <Data Name="SubjectUserName">lxy</Data>
    <Data Name="SubjectDomainName">IDX-ST-05</Data>
    <Data Name="SubjectLogonId">0x2ed3b8</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Data\net.txt</Data>
    <Data Name="HandleId">0x444</Data>
    <Data Name="AccessList">%%1537
                </Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="ProcessId">0x4</Data>
    <Data Name="ProcessName">
    </Data>
  </EventData>
</Event>
  • 文件操作碼表
File Read
Accesses: ReadData (or ListDirectory)
AccessMask: 0x1

File Write
Accesses: WriteData (or AddFile)
AccessMask: 0x2

File Delete
Accesses: DELETE
AccessMask: 0x10000

File Rename
Accesses: DELETE
AccessMask: 0x10000

File Copy
Accesses: ReadData (or ListDirectory)
AccessMask: 0x1

File Permissions Change
Accesses: WRITE_DAC
AccessMask: 0x40000

File Ownership Change
Accesses: WRITE_OWNER
AccessMask: 0x80000
向AI問一下細節

免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。

AI

沾益县| 高安市| 卓资县| 北海市| 汉源县| 荔浦县| 龙山县| 镇宁| 田东县| 科尔| 招远市| 舟曲县| 射阳县| 都江堰市| 漯河市| 岑巩县| 连山| 永定县| 进贤县| 湖南省| 郧西县| 宣恩县| 湘乡市| 赤水市| 建水县| 江口县| 平乐县| 新昌县| 高雄县| 渭南市| 绥宁县| 沁源县| 金阳县| 缙云县| 临夏县| 诸暨市| 阿合奇县| 怀化市| 龙江县| 佛山市| 大关县|