Logparser日志分析

Logparser

基本查询结构
Logparser.exe –i:EVT –o:DATAGRID “SELECT
FROM c:\xx.evtx”
使用Log Parser分析日志

1、查询登录成功的事件

登录成功的所有事件
LogParser.exe -i:EVT –o:DATAGRID “SELECT FROM c:\Security.evtx where EventID=4624”

指定登录时间范围的事件:
LogParser.exe -i:EVT –o:DATAGRID “SELECT * FROM c:\Security.evtx where TimeGenerated>’201806-19 23:32:11’ and TimeGenerated<’2018-06-20 23:34:00’ and EventID=4624”

提取登录成功的用户名和IP:
LogParser.exe -i:EVT –o:DATAGRID “SELECT EXTRACT_TOKEN(Message,13,’ ‘) as EventType,TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,’|’) as Username,EXTRACT_TOKEN(Message,38,’ ‘) as Loginip FROM c:\Security.evtx where EventID=4624”

2、查询登录失败的事件
登录失败的所有事件:
LogParser.exe -i:EVT –o:DATAGRID “SELECT * FROM c:\Security.evtx where EventID=4625”

提取登录失败用户名进行聚合统计:
LogParser.exe -i:EVT “SELECT EXTRACT_TOKEN(Message,13,’ ‘) as EventType,EXTRACT_TOKEN(Message,19,’ ‘) as user,count(EXTRACT_TOKEN(Message,19,’ ‘)) as Times,EXTRACT_TOKEN(Message,39,’ ‘) as Loginip FROM c:\Security.evtx where EventID=4625 GROUP BY Message”

3、系统历史开关机记录:
LogParser.exe -i:EVT –o:DATAGRID “SELECT TimeGenerated,EventID,Message FROM c:\System.evtx where EventID=6005 or EventID=6006” 欢迎使用ShowDoc!