Logparser日志分析
<h4>Logparser</h4>
<p><em>基本查询结构
Logparser.exe –i:EVT –o:DATAGRID "SELECT </em> FROM c:\xx.evtx"
使用Log Parser分析日志</p>
<h4>1、查询登录成功的事件</h4>
<p>登录成功的所有事件
LogParser.exe -i:EVT –o:DATAGRID "SELECT <em> FROM c:\Security.evtx where EventID=4624" </em></p>
<p>指定登录时间范围的事件:
LogParser.exe -i:EVT –o:DATAGRID "SELECT * FROM c:\Security.evtx where TimeGenerated>'201806-19 23:32:11' and TimeGenerated<'2018-06-20 23:34:00' and EventID=4624" </p>
<p>提取登录成功的用户名和IP:
LogParser.exe -i:EVT –o:DATAGRID "SELECT EXTRACT_TOKEN(Message,13,' ') as EventType,TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,'|') as Username,EXTRACT_TOKEN(Message,38,' ') as Loginip FROM c:\Security.evtx where EventID=4624" </p>
<p>2、查询登录失败的事件
登录失败的所有事件:
LogParser.exe -i:EVT –o:DATAGRID "SELECT * FROM c:\Security.evtx where EventID=4625" </p>
<p>提取登录失败用户名进行聚合统计:
LogParser.exe -i:EVT "SELECT EXTRACT_TOKEN(Message,13,' ') as EventType,EXTRACT_TOKEN(Message,19,' ') as user,count(EXTRACT_TOKEN(Message,19,' ')) as Times,EXTRACT_TOKEN(Message,39,' ') as Loginip FROM c:\Security.evtx where EventID=4625 GROUP BY Message" </p>
<p>3、系统历史开关机记录:
LogParser.exe -i:EVT –o:DATAGRID "SELECT TimeGenerated,EventID,Message FROM c:\System.evtx where EventID=6005 or EventID=6006" 欢迎使用ShowDoc!</p>