Windows Log Filtering

Published: 2020-07-30 12:38:25  Source: network  Views: 2180  Author: ikulin  Category: System Operations


File system auditing was enabled for a work requirement. Because Event Viewer is awkward for filtering and reviewing these logs, PowerShell is used to do the filtering instead.

1. Requirements Analysis

  • Problems

    1. The log volume is huge (about 1 GB per day)
    2. Querying logs in Event Viewer is inconvenient
  • Main goals

    1. Enable file system auditing
    2. Quickly look up a user's delete operations
  • Solution

    1. Archive the log by rotation (500 MB per archive)
    2. Keep logs for 60 days (a script can delete archived logs older than the retention period)
    3. Filter the log with the FilterXPath parameter of Get-WinEvent and print the output in a readable format
    4. A delete operation has access mask 0x10000, which can be used as the filter condition

2. File Audit Settings

2.1 Enable file system auditing

  1. secpol.msc
  2. Advanced Audit Policy Configuration
  3. Object Access
  4. Audit File System
    • [x] Configure the following audit events:
    • [x] Success
    • [x] Failure

2.2 Create a shared folder

  1. Folder Properties
  2. Sharing
  3. Choose people to share with
  4. Everyone

2.3 Set the user group to audit on the folder

  1. Folder Properties
  2. Security
  3. Advanced
  4. Auditing
  5. Add user

2.4 Set the log path and size

  1. Event Viewer
  2. Windows Logs
  3. Security
  4. Log Properties
  5. Log Path: E:\FileLog\Security.evtx
  6. Maximum log size(KB): 512000
    • [x] Archive the log when full, do not overwrite events
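The same configuration as steps 2.1 to 2.4, done from an elevated PowerShell prompt instead of the GUI. This is an added example, not code from the original post; it assumes the audited share is E:\Share (a constructed path) and uses the log path and size given above.

```powershell
# Added example (not from the original post): scripted equivalent of sections 2.1-2.4.
# Assumptions: run elevated; audited folder E:\Share is a constructed example path.
$Folder  = 'E:\Share'
$LogPath = 'E:\FileLog\Security.evtx'

# 2.1 Advanced audit policy: Object Access > Audit File System, Success and Failure
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2.2 Share the folder for Everyone (NTFS permissions still apply on top of the share)
if (-not (Get-SmbShare -Name 'Share' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Share' -Path $Folder -ChangeAccess 'Everyone' | Out-Null
}

# 2.3 SACL entry: audit delete rights for Everyone, inherited by subfolders and files.
#     Auditing only Delete keeps the volume far below auditing FullControl.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Delete, DeleteSubdirectoriesAndFiles',   # FileSystemRights
    'ContainerInherit, ObjectInherit',        # InheritanceFlags
    'None',                                   # PropagationFlags
    'Success, Failure')                       # AuditFlags
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 2.4 Security log: custom path, 512000 KB maximum, archive when full without overwriting
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
wevtutil set-log Security /lfn:$LogPath /ms:524288000 /rt:true /ab:true

# Verify the result
auditpol /get /subcategory:"File System"
wevtutil get-log Security
```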

3. Method

  • Filter events with event ID 4660 (an object was deleted)
PS C:\Windows\system32>  Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4660]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 10:01:37 AM         4660 Information      An object was deleted....
5/22/2018 9:03:11 AM          4660 Information      An object was deleted....
  • Filter file deletion events
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 10:01:37 AM         4663 Information      An attempt was made to access an object....
5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
  • Filter file deletion events for a specific user
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']] and *[EventData[Data[@Name='SubjectUserName']='lxy']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
  • Filter file deletion events for a specific user, with the values in variables
PS C:\Windows\system32> $AccessMask='0x10000'
PS C:\Windows\system32> $UserName='lxy'
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='$AccessMask']] and *[EventData[Data[@Name='SubjectUserName']='$UserName']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
  • Filter file deletion events from a saved log file
PS C:\Users\F2844290> Get-WinEvent -Path 'C:\Users\F2844290\Desktop\SaveSec.evtx' -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"
  • Filter security events from the last 10 minutes
    The time unit in the XML query is milliseconds: 10 minutes = 10 * 60 * 1000 = 600000
PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[TimeCreated[timediff(@SystemTime) < 600000]]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
  • Other filtering methods

If the XPath syntax is unclear, use "Filter Current Log" in Event Viewer and switch to its XML tab to see the equivalent query.
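The queries above return the truncated Message column; the goal stated in section 1 is formatted output. The following script, an added example rather than the author's code, combines the time, AccessMask and user filters from above, expands each event's EventData into the fields an investigator needs, and marks which 4663 DELETE-access events were followed by a 4660 "object deleted" event for the same HandleId, because a rename also shows DELETE/0x10000 (see the operation code table below). The parameter names and the Get-EventData helper are this example's own.

```powershell
# Added example, not from the original post: formatted list of file-deletion audit events.
# Usage: .\Find-FileDeletes.ps1 -Minutes 10 -UserName lxy   (both parameters are this example's own)
param(
    [int]$Minutes = 10,
    [string]$UserName = ''   # e.g. 'lxy'; empty string = all users
)

$ms = $Minutes * 60 * 1000   # timediff() in the XPath query is in milliseconds
$timeClause = "TimeCreated[timediff(@SystemTime) <= $ms]"
$xpDelete = "*[System[EventID=4663 and $timeClause]] and *[EventData[Data[@Name='AccessMask']='0x10000']]"
if ($UserName) { $xpDelete += " and *[EventData[Data[@Name='SubjectUserName']='$UserName']]" }
$xpObjDel = "*[System[EventID=4660 and $timeClause]]"

# Flatten <EventData><Data Name="..."> elements into a hashtable keyed by Name
function Get-EventData($evt) {
    $d = @{}
    foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $d[$n.GetAttribute('Name')] = $n.InnerText.Trim()
    }
    return $d
}

# HandleIds that were actually closed by a delete (4660). Handle values are reused over
# time, so this correlation is only reliable within a short window like the default 10 min.
$deletedHandles = @{}
Get-WinEvent -LogName Security -FilterXPath $xpObjDel -ErrorAction SilentlyContinue |
    ForEach-Object { $deletedHandles[(Get-EventData $_).HandleId] = $true }

Get-WinEvent -LogName Security -FilterXPath $xpDelete -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object   = $d.ObjectName
            Process  = $d.ProcessName
            HandleId = $d.HandleId
            Deleted  = $deletedHandles.ContainsKey($d.HandleId)   # $false usually means a rename
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

To run it against an archived file instead of the live log, replace `-LogName Security` with `-Path <archive.evtx>` in both Get-WinEvent calls and raise -Minutes, since timediff() is measured from the current time.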

  • Delete archived logs older than 60 days and record what was removed

The original used Where-Object for its side effects and expanded `$_.Name` incorrectly inside the string (only `$_` is expanded without `$()`), and the date format was missing a separator; the corrected version below keeps the same behaviour and paths:

Get-ChildItem E:\FileLog\Archive-Security-* | ForEach-Object {
    # Archives are created by the "archive when full" setting; keep 60 days of them
    if (((Get-Date) - $_.CreationTime).TotalDays -gt 60) {
        Remove-Item $_.FullName -Force
        # Append "date<TAB>archive name" to the removal record
        "$(Get-Date -UFormat '%Y/%m/%d')`t$($_.Name)" | Out-File -FilePath D:\RoMove-Archive-Logs.txt -Append
    }
}

4. Reference Material

  • Structure of a file deletion event
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/22/2018 9:03:11 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      IDX-ST-05
Description:
An attempt was made to access an object.

Subject:
    Security ID:        IDX-ST-05\lxy
    Account Name:       lxy
    Account Domain:     IDX-ST-05
    Logon ID:       0x2ed3b8

Object:
    Object Server:  Security
    Object Type:    File
    Object Name:    C:\Data\net.txt
    Handle ID:  0x444

Process Information:
    Process ID: 0x4
    Process Name:   

Access Request Information:
    Accesses:   DELETE

    Access Mask:    0x10000
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4663</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-05-22T01:03:11.876720000Z" />
    <EventRecordID>1514</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="72" />
    <Channel>Security</Channel>
    <Computer>IDX-ST-05</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1815651738-4066643265-3072818021-1004</Data>
    <Data Name="SubjectUserName">lxy</Data>
    <Data Name="SubjectDomainName">IDX-ST-05</Data>
    <Data Name="SubjectLogonId">0x2ed3b8</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Data\net.txt</Data>
    <Data Name="HandleId">0x444</Data>
    <Data Name="AccessList">%%1537
                </Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="ProcessId">0x4</Data>
    <Data Name="ProcessName">
    </Data>
  </EventData>
</Event>
  • File operation access mask table (note that delete and rename both log DELETE / 0x10000)
File Read
Accesses: ReadData (or ListDirectory)
AccessMask: 0x1

File Write
Accesses: WriteData (or AddFile)
AccessMask: 0x2

File Delete
Accesses: DELETE
AccessMask: 0x10000

File Rename
Accesses: DELETE
AccessMask: 0x10000

File Copy
Accesses: ReadData (or ListDirectory)
AccessMask: 0x1

File Permissions Change
Accesses: WRITE_DAC
AccessMask: 0x40000

File Ownership Change
Accesses: WRITE_OWNER
AccessMask: 0x80000