
Windows log collection: querying logs on Windows 10

Date: 2023-05-03 12:55:33  Reads: 181158  Author: 1790

Windows log filtering. File system auditing was enabled for a work requirement. Event Viewer is not convenient for filtering and browsing, so PowerShell is used to filter the logs instead.

1. Requirements analysis

Problems:
- The log volume is huge (about 1 GB per day).
- Querying logs in Event Viewer is inconvenient.

Main goals:

- Enable file system auditing.
- Quickly query user operations such as deletions.

Solution:
- Archive the logs by rotation (500 MB per log, retained for 60 days); expired log files can be deleted by a script.
- The logs can be filtered.

2. File audit settings

2.1 File system audit policy: secpol.msc > Advanced Audit Policy Configuration > Object Access > Audit File System, then tick [x] Configure the following audit events: [x] Success [x] Failure.

2.2 Create the shared folder: folder Properties > Sharing > Choose people to share with > Everyone.

2.3 Users and groups audited on the folder: folder Properties > Security > Advanced (Auditing).

2.4 Log path and size: Event Viewer > Windows Logs > Security > Properties: Log path: ...\FileLog\Security.evtx; Maximum log size (KB): 333330; [x] Do not overwrite events.

3. Method

Query file-deletion events (event ID 4660, "An object was deleted"):

PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4660]]'

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated           Id LevelDisplayName Message
-----------           -- ---------------- -------
5/22/2018 9:03:11 AM 4660 Information      An object was deleted....

Query by access mask (0x10000 = DELETE, event ID 4663):

PS C:\Windows\system32> Get-WinEvent -LogName 'Security' -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated           Id LevelDisplayName Message
-----------           -- ---------------- -------
5/22/2018 9:03:11 AM 4663 Information      An attempt was made to access an object....
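The settings of section 2 are made through the GUI above. As an added example that is not part of the original post, the same configuration applied from an elevated PowerShell prompt; the folder path C:\Data, the share name, the share permission level and the log path E:\FileLog\Security.evtx are assumptions taken from the other examples on this page.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# The paths and the share name below are assumptions based on the examples on this page.
$SharedFolder = 'C:\Data'
$LogFile      = 'E:\FileLog\Security.evtx'

# 2.1 Audit File System subcategory, Success and Failure (the secpol.msc setting above)
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2.2 Share the folder with Everyone (Change access is an assumption; the page states no level)
New-SmbShare -Name 'Data' -Path $SharedFolder -ChangeAccess 'Everyone' | Out-Null

# 2.3 SACL on the folder: audit Delete (and deletion of children) for Everyone, inherited
#     by subfolders and files. Without a SACL entry the policy alone writes no 4663/4660.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)
$acl = Get-Acl -Path $SharedFolder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $SharedFolder -AclObject $acl

# 2.4 Security log: own file location, 500 MB maximum (524288000 bytes), archive when full
#     and do not overwrite. Archiving produces the Archive-Security-*.evtx files that the
#     cleanup script later in this post rotates.
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
wevtutil sl Security "/lfn:$LogFile" /ms:524288000 /rt:true /ab:true

# Verify the result
auditpol /get /subcategory:"File System"
(Get-Acl -Path $SharedFolder -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags
wevtutil gl Security
```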

Query by access mask and user name:

PS C:\Windows\system32> $AccessMask='0x10000'
PS C:\Windows\system32> $UserName='lxy'
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='$AccessMask']] and *[EventData[Data[@Name='SubjectUserName']='$UserName']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated           Id LevelDisplayName Message
-----------           -- ---------------- -------
5/22/2018 9:03:11 AM 4663 Information      An attempt was made to access an object....

Filter file-deletion events from a saved log file:

PS C:\Users\F2844290> Get-WinEvent -Path 'C:\Users\F2844290\Desktop\SaveSec.evtx' -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"

Filter Security events from the last 10 minutes:
In the XML query the time unit is milliseconds, so 10 minutes = 60 * 10 * 1000 = 600000.

PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[TimeCreated[timediff(@SystemTime) < 600000]]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated           Id LevelDisplayName Message
-----------           -- ---------------- -------
5/22/2018 4:11:30 PM 4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM 4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM 4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM 4663 Information      An attempt was made to access an object....

Other filtering methods

If the syntax is unclear, refer to the XML query that Event Viewer generates under Filter Current Log > XML.
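The separate filters above (access mask, user name, time window, live log or saved .evtx) combined into one reusable query, as an added example that is not code from the original post. It returns who requested which object instead of only the message text; the function name and parameters are assumptions.

```powershell
# Added example, not from the original post. Queries 4663 file-access events the way the
# individual Get-WinEvent calls above do, and reads the EventData fields shown in section 4.
function Get-FileDeleteAudit {
    param(
        [string]$UserName,                 # optional SubjectUserName filter, e.g. 'lxy'
        [int]$LastMinutes = 10,            # time window; timediff() works in milliseconds
        [string]$Path,                     # optional saved .evtx; otherwise the live Security log
        [string]$AccessMask = '0x10000'    # DELETE per the operation code table (rename also uses it)
    )
    $ms = $LastMinutes * 60 * 1000
    $conds = @(
        "System[EventID=4663 and TimeCreated[timediff(@SystemTime) < $ms]]",
        "EventData[Data[@Name='AccessMask']='$AccessMask']"
    )
    if ($UserName) { $conds += "EventData[Data[@Name='SubjectUserName']='$UserName']" }
    # Same shape as the Event Viewer XML filter: *[...] and *[...]
    $xpath = ($conds | ForEach-Object { "*[$_]" }) -join ' and '

    # Get-WinEvent reports "no events found" as an error, so suppress it and return nothing
    $events = if ($Path) { Get-WinEvent -Path $Path -FilterXPath $xpath -ErrorAction SilentlyContinue }
              else       { Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue }

    foreach ($e in $events) {
        # Pull the named <Data> fields out of the event XML
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object     = $d.ObjectName
            AccessMask = $d.AccessMask
            ProcessId  = $d.ProcessId    # 0x4 (System) when the access came through the share
        }
    }
}

# Usage: delete requests by user lxy during the last 24 hours, from the live log
Get-FileDeleteAudit -UserName 'lxy' -LastMinutes 1440 | Format-Table -AutoSize
```

A 4663 entry with mask 0x10000 records the DELETE access request; the matching 4660 event ("An object was deleted") confirms that the object was actually removed.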

Delete archived logs older than 60 days and record each deletion:

# Archived Security logs older than 60 days are removed and the file name is appended to a record file
Get-ChildItem E:\FileLog\Archive-Security-* |
    Where-Object { ((Get-Date) - $_.CreationTime).TotalDays -gt 60 } |
    ForEach-Object {
        Remove-Item $_.FullName -Force
        Write-Output "$(Get-Date -UFormat '%Y/%m/%d')`t$($_.Name)" >> D:\RoMove-Archive-Logs.txt
    }

4. Other files

Structure of a file-deletion log entry:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/22/2018 9:03:11 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      IDX-ST-05
Description:
An attempt was made to access an object.

Subject:
    Security ID:    IDX-ST-05\lxy
    Account Name:   lxy
    Account Domain: IDX-ST-05
    Logon ID:       0x2ed3b8

Object:
    Object Server:  Security
    Object Type:    File
    Object Name:    C:\Data\net.txt
    Handle ID:      0x444

Process Information:
    Process ID:     0x4
    Process Name:

Access Request Information:
    Accesses:       DELETE
    Access Mask:    0x10000

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4663</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-05-22T01:03:11.876720000Z" />
    <EventRecordID>1514</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="72" />
    <Channel>Security</Channel>
    <Computer>IDX-ST-05</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1815651738-4066643265-3072818021-1004</Data>
    <Data Name="SubjectUserName">lxy</Data>
    <Data Name="SubjectDomainName">IDX-ST-05</Data>
    <Data Name="SubjectLogonId">0x2ed3b8</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Data\net.txt</Data>
    <Data Name="HandleId">0x444</Data>
    <Data Name="AccessList">%%1537</Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="ProcessId">0x4</Data>
    <Data Name="ProcessName"></Data>
  </EventData>
</Event>

File operation code table:

Operation                Accesses                      AccessMask
File Read                ReadData (or ListDirectory)   0x1
File Write               WriteData (or AddFile)        0x2
File Delete              DELETE                        0x10000
File Rename              DELETE                        0x10000
File Copy                ReadData (or ListDirectory)   0x1
File Permissions Change  WRITE_DAC                     0x40000
File Ownership Change    WRITE_OWNER                   0x80000

Reposted from: https://blog.51cto.com/linxy/2119150
