次の方法で共有


LogParser and Powershell- LOGPOWER

I was going through my last post, where I have shared log parser queries to analyze data using log parser tool. Good news is ,if you are familiar with power shell then life becomes even more exciting and easy ,so all the  queries I have shown there you can use them with power shell as below

Pre-requisites following wont make much sense if you haven't gone through my previous post on logparser, so before you proceed any further, I recommend you to read that post first.

You can see I have a function below, where you can pass input file path along with file name, output file  path and file name where you want to store the output or result. You also pass on the event id as parameter here as well as the logon type. Following example is for event id's 4624 and 4625.

You can build your Log_queries as below  and automate this process. Why following example is only for 4624 and 4625, because you will notice the string field values vary for each event id, so the extract token for other event values may give you different values for different positions within the string field of the event. I have even notice variations in 4624 and 4625 positions in the string field.

Again, following is an example to show case that you can change the Log_query variable as per the event id. I have also given function call example below to explain how you can call this function with different values.


function log_power($inFilePath,$outFilePath,$eventid,$logontype)

{

$Log_query= @"

SELECT distinct extract_token(strings, 5, '|') AS account,extract_token(strings, 8, '|') AS logontype,extract_token(strings,18, '|') as source_ip,extract_token(strings, 11, '|') as computer,Timegenerated as Time INTO $outFilePath

FROM $inFilePath where EventId = $eventid and extract_token(strings, 8, '|')= '$logontype'

"@

& C:\Logparser\Logparser.exe $Log_query -i:evt -o:csv

}

log_power -inFilePath 'drive:\pathofLogs\security.evt' -outFilePath 'drive:\pathofLogs\outputfile.csv' -eventid 4624 -logontype 3


so after you make the function call log parser will put the parsed output at the outfile location. If needed I can add Log_query string for other event ids ,if I see that users are not able to use the Log_query variable with strings field effectively.

In my upcoming posts I will also share few Power shell utilities and tools I have created to ease the work a little bit. Meanwhile play with above if you haven't done this before.

Have fun with this new combination.

Reference : I thought of sharing the string positions for 4625 and 4624 below , which will help in building the queries to get the precise information

String position information for 4625 event


String Position What it gives us
3 Account SID
5 Account
10 Logon type e.g. 3 for network logon
11 Security support provider/auth provider e.g . NtLmSsp
12 Auth Method e.g. NTLM
18 Process name
19 Source IP

 

String position information for 4624 event


String Position What it gives us
4 Account SID
5 Account
6 Domain
8 Logon type e.g. 3 for network logon
10 Auth Method
11 computer name
17 Process name
18 Source IP

I will also add String positions for other events either here or in new post.

String Position for event ID 4648 : event that's generated when explicit credentials are used.


String Position What it gives us
2 base account
3 base domain
6 explicit account
7 explicit domain
9 target server
11 Process name