
Advanced filtering practice of Windows Log

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

Background

I often need to check logs: not only to sort out errors, but sometimes also to have a monitoring system grab specific events so that it reduces my workload, catches anomalies in time, and sends notifications and responses. Quickly and accurately filtering the wanted events out of a large volume of logs, and extracting the information precisely, is therefore a necessary skill. I used to filter events with the built-in Event Viewer's filter and then save the view, or use PowerShell Get-WinEvent, or LogParser, or third-party log viewers such as Event Explorer. But there were always a few major problems:

1. Very few events match out of a large number of logs, yet each query always takes too long to execute.

2. Filtering cannot be done flexibly or precisely enough. Generally you can only make a rough match and then do one more processing step, which usually brings back problem 1.

Try and compare

After some trying and comparing, I find PowerShell's Get-WinEvent the most convenient: since it lives in a scripting language, the results can be post-processed and handled very flexibly. LogParser is fast, but it is not so easy to extract the fields of some events precisely: the data in the EventData section of Windows events is complex and varied, and a handful of fixed fields cannot deal with it flexibly.

In terms of speed, apart from LogParser, XML filtering is the fastest. But XML filtering requires a complex and limited XPath 1.0 subset (with more restrictions in Microsoft's implementation), which is a bit awkward and hard to read; still, the time it saves easily justifies it, especially for repetitive tasks.

A good starting point is the link below.

https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/
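To make the speed and precision points above concrete, here is an added example (not from the original article) that runs the same query three ways and times each: a coarse -FilterHashtable match followed by client-side filtering, a -FilterXPath query that pushes the EventData match into the log service, and the same XPath wrapped in the QueryList XML that Event Viewer custom views use. The user name 'jdoe' and the 4740 event ID are assumed; the script expects to run on a domain controller (or any host with 4740 events in its Security log).

```powershell
# Added example: same lockout query three ways, timed with Measure-Command.
# Assumes the local Security log and a placeholder user name 'jdoe'.
$user     = 'jdoe'
$oneDayMs = 24 * 60 * 60 * 1000   # timediff() in Windows event XPath works in milliseconds

# 1) FilterHashtable: the log service only matches LogName/Id/StartTime;
#    the EventData field has to be checked afterwards, event by event.
#    In 4740 the first positional property is TargetUserName.
$hashtableTime = Measure-Command {
    $byHashtable = Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $user }
}

# 2) FilterXPath: the whole match, EventData included, happens inside the log service.
#    Microsoft's XPath subset has no contains()/starts-with(), so the name must match exactly.
$xpath = "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= $oneDayMs]]" +
         " and EventData[Data[@Name='TargetUserName']='$user']]"
$xpathTime = Measure-Command {
    $byXPath = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
}

# 3) FilterXml: identical query as a QueryList; '<' must be escaped because it sits in XML text.
$queryXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$($xpath.Replace('<', '&lt;'))</Select>
  </Query>
</QueryList>
"@
$xmlTime = Measure-Command {
    $byXml = Get-WinEvent -FilterXml $queryXml -ErrorAction SilentlyContinue
}

# -ErrorAction SilentlyContinue is needed because Get-WinEvent reports "No events were found"
# as an error rather than returning an empty result.
[pscustomobject]@{
    Hashtable = '{0} events in {1:n2}s' -f @($byHashtable).Count, $hashtableTime.TotalSeconds
    XPath     = '{0} events in {1:n2}s' -f @($byXPath).Count,     $xpathTime.TotalSeconds
    Xml       = '{0} events in {1:n2}s' -f @($byXml).Count,       $xmlTime.TotalSeconds
}
```

All three variants should return the same event count; the difference shows up in the timings, and it grows with the size of the Security log, because variant 1 has to pull every 4740 event of the day across the wire before PowerShell can look at TargetUserName.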

Formal practice

One of the more common scenarios: I often need to find out precisely which account was recently locked out, from which computer, and when, and I need to reach the lockout events very quickly. In the past I could do this with Get-WinEvent -FilterHashtable, but it was too slow, even though I only have four domain controllers. I often had to tell users that if they wanted to know which computer they were locked out from, they should wait a while and I would email them the query results. Now that I use XPath filtering, I can basically tell a user this information while he or she is still on the phone.

The following XPath filters the lockout events (event ID 4740) of the most recent day (86400000 ms) from the AD Security log:

*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 86400000]]]

The same filter, narrowed to one user name, inside a PowerShell script:

[CmdletBinding()]
param (
    [Parameter(Mandatory = $false)] [string] $loginname,
    [Parameter(Mandatory = $false)] [switch] $summary,
    [Parameter(Mandatory = $false)] [switch] $show
)
# filter: lockout events (4740) generated in the last day whose TargetUserName equals $loginname
$f2 = "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 86400000]] and EventData[Data[@Name='TargetUserName']='$loginname']]"
Get-WinEvent -LogName Security -FilterXPath $f2 -ErrorAction SilentlyContinue
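The lookup above answers "was this account locked out?"; the "from which computer, and when" part needs the EventData fields of each 4740 event, which Get-WinEvent only exposes by name through the event's XML. The following is an added example, not the article's script: a function named Get-AccountLockout (a name chosen here) that runs the same XPath filter against a list of domain controllers and turns each event into one row with the time, the caller computer and the DC that recorded it. The DC names 'DC01' and 'DC02' and the user 'jdoe' are placeholders; the default list is the local machine so the function also runs stand-alone on a single DC.

```powershell
# Added example: lockout lookup across several domain controllers with EventData extracted by name.
function Get-AccountLockout {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]  [string]   $LoginName,
        [Parameter(Mandatory = $false)] [string[]] $DomainController = @($env:COMPUTERNAME),
        [Parameter(Mandatory = $false)] [int]      $Days = 1
    )

    # The name is interpolated into an XPath string literal, so refuse anything that would break it.
    if ($LoginName -match "'") { throw "LoginName must not contain a single quote." }

    $windowMs = [long]$Days * 86400000   # timediff() compares in milliseconds
    $xpath = "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= $windowMs]]" +
             " and EventData[Data[@Name='TargetUserName']='$LoginName']]"

    foreach ($dc in $DomainController) {
        # The whole match runs inside the remote log service; only matching events cross the wire.
        $events = Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Properties[] is positional; ToXml() gives the EventData <Data Name="..."> elements by name.
            $x    = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time           = $e.TimeCreated
                Account        = $data['TargetUserName']
                CallerComputer = $data['TargetDomainName']   # in 4740 this field holds the caller computer name
                LockedOnDC     = $dc
                RecordId       = $e.RecordId
            }
        }
    }
}

# Usage (placeholder DC names): newest lockout first, one row per DC that recorded it.
Get-AccountLockout -LoginName 'jdoe' -DomainController 'DC01', 'DC02' |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

With the ActiveDirectory module available, the DC list can come from `Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName`. The CallerComputer column is what the user usually needs, since it points at the machine still holding stale credentials; the same row shape also makes a good feed for the monitoring system mentioned in the background section.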
