亚洲激情专区-91九色丨porny丨老师-久久久久久久女国产乱让韩-国产精品午夜小视频观看

溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務條款》

Windows日志篩選

發布時間:2020-07-30 12:38:25 來源:網絡 閱讀:2180 作者:ikulin 欄目:系統運維

Windows日志篩選

因工作需求開啟文件系統審核,因Windows日志管理器并不方便篩選查閱,所以使用powershell方法進行篩選。

一、需求分析

  • 存在問題

    1. 日志量巨大(每天約1G)
    2. 日志管理器查詢日志不便

  • 主要目標

    1. 啟用文件系統審核
    2. 快捷查詢用戶的刪除操作
  • 解決方案
    1. 采用輪替方式歸檔日志(500MB)
    2. 日志存放60天(可用腳本刪除超過期限日志檔案)
    3. 使用Get-WinEvent中的FilterXPath過日志進行篩選,格式打印
    4. 刪除操作碼為0x10000,可對其進行篩選

二、文件審核設置

2.1 開啟文件系統審核功能

  1. secpol.msc
  2. Advanced Audit Policy Configuration
  3. Object Access
  4. Audit File System
    • [x] Configure the following audit events:
    • [x] Success
    • [x] Failure

2.2 建立共享文件夾

  1. Folder Properties
  2. Sharing
  3. Choose people to share with
  4. Everyone

2.3 設置文件夾審核的用戶組

  1. Folder Properties
  2. Security
  3. Advanced
  4. Auditing
  5. Add user

2.4 設置日志路徑及大小

  1. Event Viewer
  2. Windows Logs
  3. Security
  4. Log Properties
  5. Log Path: E:\FileLog\Security.evtx
  6. Maximum log size(KB): 512000
    • [x] Archive the log when full,do not overwrite events

三、方法

  • 篩選事件ID為4460日志
PS C:\Windows\system32>  Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4660]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 10:01:37 AM         4660 Information      An object was deleted....
5/22/2018 9:03:11 AM          4660 Information      An object was deleted....
  • 篩選文件刪除日志
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 10:01:37 AM         4663 Information      An attempt was made to access an object....
5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
  • 篩選指定用戶文件刪除日志
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='0x10000']] and *[EventData[Data[@Name='SubjectUserName']='lxy']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
  • 以變量方式篩選指定用戶文件刪除日志
PS C:\Windows\system32> $AccessMask='0x10000'
PS C:\Windows\system32> $UserName='lxy'
PS C:\Windows\system32> Get-WinEvent -LogName "Security" -FilterXPath "*[EventData[Data[@Name='AccessMask']='$AccessMask']] and *[EventData[Data[@Name='SubjectUserName']='$UserName']]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 9:03:11 AM          4663 Information      An attempt was made to access an object....
  • 從保存的文件篩選文件刪除日志
PS C:\Users\F2844290> Get-WinEvent -Path 'C:\Users\F2844290\Desktop\SaveSec.evtx' -FilterXPath "*[EventData[Data[@Name='
AccessMask']='0x10000']]"PS C:\Windows\system32> $AccessMask='0x10000'
  • 篩選10分鐘內發生的安全性日志
    XML中時間計算單位為ms,10minute=60 10 1000=600000
PS C:\Windows\system32> Get-WinEvent -LogName Security -FilterXPath "*[System[TimeCreated[timediff(@SystemTime) < 600000]]]"

   ProviderName: Microsoft-Windows-Security-Auditing

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
5/22/2018 4:11:30 PM          4663 Information      An attempt was made to access an object....
  • 其它篩選方法

若有語法不明之處,可參考日志管理器中篩選當前日志的XML方法。

  • 刪除超過60天的存檔日志并記錄
Get-ChildItem E:\FileLog\Archive-Security-* | Where-Object  {

if(( (get-date) -  $_.CreationTime).TotalDays -gt 60 ){

Remove-Item $_.FullName -Force
Write-Output "$(Get-Date -UFormat "%Y/%m%d")`t$_.Name" >>D:\RoMove-Archive-Logs.txt

} 
}

四、其它文件

  • 文件刪除日志結構
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/22/2018 9:03:11 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      IDX-ST-05
Description:
An attempt was made to access an object.

Subject:
    Security ID:        IDX-ST-05\lxy
    Account Name:       lxy
    Account Domain:     IDX-ST-05
    Logon ID:       0x2ed3b8

Object:
    Object Server:  Security
    Object Type:    File
    Object Name:    C:\Data\net.txt
    Handle ID:  0x444

Process Information:
    Process ID: 0x4
    Process Name:   

Access Request Information:
    Accesses:   DELETE

    Access Mask:    0x10000
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4663</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12800</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-05-22T01:03:11.876720000Z" />
    <EventRecordID>1514</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="72" />
    <Channel>Security</Channel>
    <Computer>IDX-ST-05</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1815651738-4066643265-3072818021-1004</Data>
    <Data Name="SubjectUserName">lxy</Data>
    <Data Name="SubjectDomainName">IDX-ST-05</Data>
    <Data Name="SubjectLogonId">0x2ed3b8</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Data\net.txt</Data>
    <Data Name="HandleId">0x444</Data>
    <Data Name="AccessList">%%1537
                </Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="ProcessId">0x4</Data>
    <Data Name="ProcessName">
    </Data>
  </EventData>
</Event>
  • 文件操作碼表
File Read
Accesses: ReadData (or ListDirectory)
AccessMask: 0x1

File Write
Accesses: WriteData (or AddFile)
AccessMask: 0x2

File Delete
Accesses: DELETE
AccessMask: 0x10000

File Rename
Accesses: DELETE
AccessMask: 0x10000

File Copy
Accesses: ReadData (or ListDirectory)
AccessMask: 0x1

File Permissions Change
Accesses: WRITE_DAC
AccessMask: 0x40000

File Ownership Change
Accesses: WRITE_OWNER
AccessMask: 0x80000
向AI問一下細節

免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。

AI

邢台市| 河间市| 隆子县| 福安市| 定兴县| 崇礼县| 南通市| 保定市| 焉耆| 锡林浩特市| 宾川县| 黄大仙区| 太仆寺旗| 凤台县| 绍兴县| 象山县| 图片| 大渡口区| 安图县| 桃园市| 武夷山市| 昌都县| 安新县| 巴青县| 海林市| 连平县| 大余县| 贵港市| 商丘市| 陕西省| 山丹县| 安乡县| 临澧县| 东明县| 信宜市| 新乡市| 诏安县| 二手房| 安图县| 上高县| 汉沽区|