
2025-04-05 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Windows log filtering

File system auditing was enabled because of a work requirement. Event Viewer is not convenient for filtering a log of this size, so PowerShell is used for the filtering instead.

I. Requirements analysis

Problems

Huge log volume (about 1 GB per day); querying the log in Event Viewer is inconvenient.

Main goals

Enable file system auditing.
Quickly query the delete operations of a given user.

Solution

Use rotating archive logs (500 MB each) and keep logs for 60 days (a script is provided to delete expired log files).
Use the FilterXPath parameter of Get-WinEvent to filter and then format the output. A delete operation carries access mask 0x10000, which can be filtered on directly.

II. File audit settings

2.1 Enable the file system audit function

secpol.msc > Advanced Audit Policy Configuration > Object Access > Audit File System
[x] Configure the following audit events: [x] Success [x] Failure

2.2 Create a shared folder

Folder Properties > Sharing > Choose people to share with > Everyone

2.3 Set the audited users on the folder

Folder Properties > Security > Advanced > Auditing > Add user

2.4 Set the log path and size

Event Viewer > Windows Logs > Security > Log Properties
Log Path: e:\FileLog\Security.evtx
Maximum log size (KB): 512000
[x] Archive the log when full, do not overwrite events

III. Methods

Filter by event ID 4660 (an object was deleted)

PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4660]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated              Id LevelDisplayName Message
-----------              -- ---------------- -------
5/22/2018 10:01:37 AM  4660 Information      An object was deleted....
5/22/2018 9:03:11 AM   4660 Information      An object was deleted....

Filter the file deletion log (4663 with access mask 0x10000)

PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated              Id LevelDisplayName Message
-----------              -- ---------------- -------
5/22/2018 10:01:37 AM  4663 Information      An attempt was made to access an object....
5/22/2018 9:03:11 AM   4663 Information      An attempt was made to access an object....

Filter the file deletion log of a specified user

PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']] and *[EventData[Data[@Name='SubjectUserName']='lxy']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated              Id LevelDisplayName Message
-----------              -- ---------------- -------
5/22/2018 9:03:11 AM   4663 Information      An attempt was made to access an object....

The same query with the values held in variables (the XPath string must be double-quoted so that PowerShell expands $AccessMask and $UserName before the string reaches Get-WinEvent)

PS C:\Windows\system32> $AccessMask='0x10000'
PS C:\Windows\system32> $UserName='lxy'
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='$AccessMask']] and *[EventData[Data[@Name='SubjectUserName']='$UserName']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated              Id LevelDisplayName Message
-----------              -- ---------------- -------
5/22/2018 9:03:11 AM   4663 Information      An attempt was made to access an object....

Filter file deletion events from a saved log file (use -Path instead of -LogName)

PS C:\Users\F2844290> Get-WinEvent -Path 'C:\Users\F2844290\Desktop\SaveSec.evtx' -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"

Filter the security events of the last 10 minutes

The unit of the XPath timediff() function is milliseconds: 10 minutes = 10 * 60 * 1000 = 600000. Note that XPath is case-sensitive, so the element names must be written as System and TimeCreated.

PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[TimeCreated[timediff(@SystemTime) < 600000]]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated              Id LevelDisplayName Message
-----------              -- ---------------- -------
5/22/2018 4:11:30 PM   4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM   4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM   4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM   4663 Information      An attempt was made to access an object....

Other filtering methods

If any of the syntax is unclear, build the filter with "Filter Current Log" in Event Viewer and switch to its XML tab: the XPath it shows can be pasted into -FilterXPath.

Delete archived logs older than 60 days and record what was deleted

Get-ChildItem E:\FileLog\Archive-Security-* |
    Where-Object { ((Get-Date) - $_.CreationTime).TotalDays -gt 60 } |
    ForEach-Object {
        Remove-Item $_.FullName -Force
        # append (>>) so earlier deletions are not overwritten on the next run
        Write-Output "$(Get-Date -UFormat "%Y/%m/%d")`t$_.Name" >> D:\RoMove-Archive-Logs.txt
    }

IV. Other

File deletion log structure

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/22/2018 9:03:11 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      IDX-ST-05
Description:
An attempt was made to access an object.

Subject:
    Security ID:    IDX-ST-05\lxy
    Account Name:   Lxy
    Account Domain: IDX-ST-05
    Logon ID:       0x2ed3b8

Object:
    Object Server: Security
    Object Type:   File
    Object Name:   C:\Data\net.txt
    Handle ID:     0x444

Process Information:
    Process ID:   0x4
    Process Name:

Access Request Information:
    Accesses:    DELETE
    Access Mask: 0x10000

Event Xml (the values as displayed on the XML tab; the AccessList string %%1537 is what Event Viewer renders as DELETE):

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4663</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <EventRecordID>1514</EventRecordID>
    <Channel>Security</Channel>
    <Computer>IDX-ST-05</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1815651738-4066643265-3072818021-1004</Data>
    <Data Name="SubjectUserName">lxy</Data>
    <Data Name="SubjectDomainName">IDX-ST-05</Data>
    <Data Name="SubjectLogonId">0x2ed3b8</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Data\net.txt</Data>
    <Data Name="HandleId">0x444</Data>
    <Data Name="AccessList">%%1537</Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="ProcessId">0x4</Data>
    <Data Name="ProcessName"></Data>
  </EventData>
</Event>

File operation code table

Operation                 Accesses                       AccessMask
File read                 ReadData (or ListDirectory)    0x1
File write                WriteData (or AddFile)         0x2
File delete               DELETE                         0x10000
File rename               DELETE                         0x10000
File copy                 ReadData (or ListDirectory)    0x1
File permissions change   WRITE_DAC                      0x40000
File ownership change     WRITE_OWNER                    0x80000

Note from the table that a rename requests the same DELETE access (0x10000) as a delete, so a 4663 filter on the access mask alone returns renames as well; the 4660 "An object was deleted" event is what distinguishes a real deletion.
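The queries in section III combined into one reusable function, as an added example that is not part of the original article. It builds the XPath from parameters (user name, look-back window, optional saved .evtx file), extracts the useful fields from the event XML instead of only printing the message summary, and marks each 4663 DELETE-access event as confirmed when a 4660 event exists for the same handle and logon session, which separates deletions from renames. The function name Get-FileDeleteReport and the nested helper Get-EventField are our own; the user name lxy comes from the article.

```powershell
# Added example (not from the original article). Assumes the Security log is on the
# local machine and the caller has permission to read it.
function Get-FileDeleteReport {
    [CmdletBinding()]
    param(
        [string]$UserName,        # SubjectUserName to filter on; empty = all users
        [int]$Minutes = 60,       # look-back window for timediff(), in minutes
        [string]$Path             # optional saved .evtx file instead of the live log
    )

    # timediff() compares in milliseconds, as the article notes for the 10-minute filter.
    $ms = $Minutes * 60 * 1000

    # Build the XPath from parts so the user predicate is only added when requested.
    $predicates = @(
        "*[System[EventID=4663 and TimeCreated[timediff(@SystemTime) < $ms]]]",
        "*[EventData[Data[@Name='AccessMask']='0x10000']]"
    )
    if ($UserName) {
        $predicates += "*[EventData[Data[@Name='SubjectUserName']='$UserName']]"
    }
    $accessXPath  = $predicates -join ' and '
    $deletedXPath = "*[System[EventID=4660 and TimeCreated[timediff(@SystemTime) < $ms]]]"

    # Live log or saved file, chosen by splatting the right parameter into Get-WinEvent.
    $source = if ($Path) { @{ Path = $Path } } else { @{ LogName = 'Security' } }

    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $access  = Get-WinEvent @source -FilterXPath $accessXPath  -ErrorAction SilentlyContinue
    $deleted = Get-WinEvent @source -FilterXPath $deletedXPath -ErrorAction SilentlyContinue

    # Helper: read every <Data Name="..."> value of an event into a hashtable.
    function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
        $xml = [xml]$Event.ToXml()
        $fields = @{}
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.InnerText }
        return $fields
    }

    # Index the 4660 events by logon id + handle id, the pair shared with the 4663 event.
    $confirmed = @{}
    foreach ($e in $deleted) {
        $f = Get-EventField $e
        $confirmed["$($f.SubjectLogonId)|$($f.HandleId)"] = $e.TimeCreated
    }

    foreach ($e in $access) {
        $f = Get-EventField $e
        $key = "$($f.SubjectLogonId)|$($f.HandleId)"
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
            Object     = $f.ObjectName
            Process    = $f.ProcessName
            AccessMask = $f.AccessMask
            # DELETE access is also requested for renames (see the code table above);
            # a 4660 on the same handle is what marks an actual deletion.
            Confirmed  = $confirmed.ContainsKey($key)
        }
    }
}

# Usage: delete-access events by user lxy in the last 24 hours, confirmed ones flagged.
Get-FileDeleteReport -UserName 'lxy' -Minutes 1440 | Format-Table -AutoSize
```

Rows with Confirmed set to False are candidates for renames or deletes that were denied or aborted; rows with True had a 4660 on the same handle within the window. Pass -Path to run the same report against an archived log such as the SaveSec.evtx file from section III.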
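The four GUI steps of section II written as a script for an elevated PowerShell prompt, as an added example that is not part of the original article, so the same configuration can be reproduced on another server and checked afterwards. The share path E:\Share, the share name Share and the choice to audit only successful delete access are assumptions; the log path and 512000 KB size are the article's values.

```powershell
# Added example (not from the original article). Run as Administrator; the SACL and
# wevtutil steps need SeSecurityPrivilege. Paths and principals are assumptions.

# 2.1 Audit File System subcategory, success and failure (secpol.msc equivalent)
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2.2 Create and share the folder with Everyone
$folder = 'E:\Share'                      # assumed location of the audited folder
New-Item -ItemType Directory -Path $folder -Force | Out-Null
New-SmbShare -Name 'Share' -Path $folder -ChangeAccess 'Everyone' | Out-Null

# 2.3 SACL on the folder: audit successful Delete / DeleteSubdirectoriesAndFiles by
#     Everyone, inherited by files and subfolders. The SACL is what produces 4663/4660;
#     it is independent of the DACL that grants the access.
$acl  = Get-Acl -Path $folder -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 2.4 Security log: path E:\FileLog\Security.evtx, 512000 KB (= 524288000 bytes),
#     "Archive the log when full, do not overwrite events" (/rt:false /ab:true).
New-Item -ItemType Directory -Path 'E:\FileLog' -Force | Out-Null
wevtutil sl Security /lfn:"E:\FileLog\Security.evtx" /ms:524288000 /rt:false /ab:true

# Verify each step
auditpol /get /subcategory:"File System"
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited
wevtutil gl Security
```

Setting the audit rule for Everyone is the broad choice the article's share uses; for a narrower SACL replace 'Everyone' with the specific user or group, which also keeps the daily log volume down.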
