Windows日志筛选

因工作需求开启文件系统审核，因Windows日志管理器并不方便筛选查阅，所以使用powershell方法进行筛选。

公司主营业务：网站建设、成都网站制作、移动网站开发等业务。帮助企业客户真正实现互联网宣传，提高企业的竞争能力。成都创新互联是一支青春激扬、勤奋敬业、活力青春激扬、勤奋敬业、活力澎湃、和谐高效的团队。公司秉承以“开放、自由、严谨、自律”为核心的企业文化，感谢他们对我们的高要求，感谢他们从不同领域给我们带来的挑战，让我们激情的团队有机会用头脑与智慧不断的给客户带来惊喜。成都创新互联推出江州免费做网站回馈大家。

一、需求分析

• 存在问题

  1. 日志量巨大（每天约1G）
  2. 日志管理器查询日志不便

• 主要目标

  1. 启用文件系统审核
  2. 快捷查询用户的删除操作
• 解决方案
  1. 采用轮替方式归档日志（500MB）
  2. 日志存放60天（可用脚本删除超过期限日志档案）
  3. 使用Get-WinEvent中的FilterXPath过日志进行筛选，格式打印
  4. 删除操作码为0x10000，可对其进行筛选

二、文件审核设置

2.1 开启文件系统审核功能

1. secpol.msc
2. Advanced Audit Policy Configuration
3. Object Access
4. Audit File System
   • [x] Configure the following audit events:
   • [x] Success
   • [x] Failure

2.2 建立共享文件夹

1. Folder Properties
2. Sharing
3. Choose people to share with
4. Everyone

2.3 设置文件夹审核的用户组

1. Folder Properties
2. Security
3. Advanced
4. Auditing
5. Add user

2.4 设置日志路径及大小

1. Event Viewer
2. Windows Logs
3. Security
4. Log Properties
5. Log Path: E:\FileLog\Security.evtx
6. Maximum log size(KB): 512000
7. • [x] Archive the log when full,do not overwrite events

三、方法

• 筛选事件ID为4460日志

PS C:\Windows\system32>  Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4660]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 10:01:37 AM         4660 Information      An object was deleted....
5/22/2018 9:03:11 AM          4660 Information      An object was deleted....

• 筛选文件删除日志

PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 10:01:37 AM         4663 Information      An attempt was made to access an object....
5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....

• 筛选指定用户文件删除日志

PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']] and *[EventData[Data[@Name='SubjectUserName']='lxy']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....

• 以变量方式筛选指定用户文件删除日志

PS C:\Windows\system32> $AccessMask='0x10000'
PS C:\Windows\system32> $UserName='lxy'
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='$AccessMask']] and *[EventData[Data[@Name='SubjectUserName']='$UserName']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....

• 从保存的文件筛选文件删除日志

PS C:\Users\F2844290> Get-WinEvent -Path 'C:\Users\F2844290\Desktop\SaveSec.evtx' -FilterXPath "*[EventData[Data[@Name='
AccessMask']='0x10000']]"PS C:\Windows\system32> $AccessMask='0x10000'

• 筛选10分钟内发生的安全性日志
  XML中时间计算单位为ms，10minute=60 10 1000=600000

PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[TimeCreated[timediff(@SystemTime) < 600000]]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....

• 其它筛选方法

若有语法不明之处，可参考日志管理器中筛选当前日志的XML方法。

• 删除超过60天的存档日志并记录

Get-ChildItem E:\FileLog\Archive-Security-* | Where-Object  {

if(( (get-date) -  $_.CreationTime).TotalDays -gt 60 ){

Remove-Item $_.FullName -Force
Write-Output "$(Get-Date -UFormat "%Y/%m%d")`t$_.Name" >>D:\RoMove-Archive-Logs.txt

} 
}

四、其它文件

• 文件删除日志结构

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/22/2018 9:03:11 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      IDX-ST-05
Description:
An attempt was made to access an object.

Subject:
    Security ID:        IDX-ST-05\lxy
    Account Name:       lxy
    Account Domain:     IDX-ST-05
    Logon ID:       0x2ed3b8

Object:
    Object Server:  Security
    Object Type:    File
    Object Name:    C:\Data\net.txt
    Handle ID:  0x444

Process Information:
    Process ID: 0x4
    Process Name:   

Access Request Information:
    Accesses:   DELETE

    Access Mask:    0x10000
Event Xml:

  
    
    4663
    0
    0
    12800
    0
    0x8020000000000000
    
    1514
    
    
    Security
    IDX-ST-05
    
  
  
    S-1-5-21-1815651738-4066643265-3072818021-1004
    lxy
    IDX-ST-05
    0x2ed3b8
    Security
    File
    C:\Data\net.txt
    0x444
    %%1537
                
    0x10000
    0x4
    
    
  

• 文件操作码表

File Read
Accesses: ReadData (or ListDirectory)
AccessMask: 0x1

File Write
Accesses: WriteData (or AddFile)
AccessMask: 0x2

File Delete
Accesses: DELETE
AccessMask: 0x10000

File Rename
Accesses: DELETE
AccessMask: 0x10000

File Copy
Accesses: ReadData (or ListDirectory)
AccessMask: 0x1

File Permissions Change
Accesses: WRITE_DAC
AccessMask: 0x40000

File Ownership Change
Accesses: WRITE_OWNER
AccessMask: 0x80000

另外有需要云服务器可以了解下创新互联scvps.cn，海内外云服务器15元起步，三天无理由+7*72小时售后在线，公司持有idc许可证，提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案，具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势，专为企业上云打造定制，能够满足用户丰富、多元化的应用场景需求。

当前题目：Windows日志筛选-创新互联
网站URL：http://www.scyingshan.cn/article/diidgi.html