======Windows Logging (Slapdash)======
This is a slapdash, slipshod, scattershot, quick-n-dirty, ephemeral article.
======Terminology======
* Windows Event Log
* channels
* publishers
* providers
* streams
======wevtutil======
* //wevtutil// is a built-in Windows command that can query and configure the Windows Event Log.
* [[http://technet.microsoft.com/en-us/library/cc732848(v=ws.10).aspx|wevtutil]]
* [[http://ss64.com/nt/wevtutil.html]]
======Specific Events of Note======
* [[Windows Administrator Activity Events]]
======Listing Log Channels and Publishers======
====Enumerate a list of all log channels====
wevtutil el
wevtutil el | findstr /i
====Get Configuration Info/Metadata for System Log====
wevtutil gl System
==Example Output==
name: System
enabled: true
type: Admin
owningPublisher:
isolation: System
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
logFileName: %SystemRoot%\System32\Winevt\Logs\System.evtx
retention: false
autoBackup: false
maxSize: 20971520
publishing:
fileMax: 1
====Enumerate publishers====
wevtutil ep
wevtutil gp
=====Execute Against a Remote System=====
wevtutil /r: /u: /p:
====Enumerate log channels on a remote host====
wevtutil el /r: /u: /p:
======Event Queries======
* The following shows how to query Windows Event Log for events.
* One way to get the XPath queries used by the /q option of //wevtutil// is the Windows Event Viewer GUI: create a filter on a log and then view the XML representation of that filter.
===Query the last 5 logs from the Security log channel.===
* Using the %%/rd:true%% option reads the most recent events first (reverse direction, i.e. descending order).
wevtutil qe Security /c:5 /rd:true /f:text
wevtutil qe Security /c:5 /rd:true /f:text /r: /u: /p:
Example (the Winlogon provider writes to its own channels, so the channel name, not the provider name, is what gets queried):
wevtutil qe Microsoft-Windows-Winlogon/Operational /c:5 /rd:true /f:text
wevtutil qe System /q:"*[System [(EventID=7001)]]" /c:1 /rd:true /format:text
wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" /c:1 /rd:true /f:text
wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task=12544 and (EventID=4624)] and EventData[Data[@Name='LogonType']='2']]" /e:Events
Query the //Microsoft-Windows-TaskScheduler/Operational// sub-channel.
wevtutil qe Microsoft-Windows-TaskScheduler/Operational /c:5
Query for most recent failed login event //4625//.
C:\Users\Administrator>wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4625)] and EventData[Data[@Name='LogonType']='2']]" /e:Events /rd:true /c:1 /format:text
wevtutil qe Security /q:"*[System [(EventID=4625)]]" /c:1 /rd:true /format:text
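The 4625 query above, read back as XML (%%/f:xml%%) instead of text, can be summarised per account and source address; this is an added example, not code from the original page, and the three events, the function names and the threshold are constructed for it:

```powershell
# Added example, not from the original page: parse wevtutil /f:xml output and
# tally failed logons (4625) per account/source. On a live host the input comes from:
#   wevtutil qe Security /q:"*[System[(EventID=4625)]]" /c:200 /rd:true /f:xml
# The three events below are constructed samples in that layout (one <Event> per line).
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><TimeCreated SystemTime="2015-02-04T07:30:01.000Z"/><EventRecordID>1001</EventRecordID><Channel>Security</Channel><Computer>HOST1</Computer></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.0.5</Data><Data Name="Status">0xc000006d</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><TimeCreated SystemTime="2015-02-04T07:30:02.000Z"/><EventRecordID>1002</EventRecordID><Channel>Security</Channel><Computer>HOST1</Computer></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.0.5</Data><Data Name="Status">0xc000006d</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><TimeCreated SystemTime="2015-02-04T07:31:10.000Z"/><EventRecordID>1003</EventRecordID><Channel>Security</Channel><Computer>HOST1</Computer></System><EventData><Data Name="TargetUserName">bob</Data><Data Name="LogonType">2</Data><Data Name="IpAddress">127.0.0.1</Data><Data Name="Status">0xc000006d</Data></EventData></Event>
'@

function ConvertFrom-WevtutilXml {
    param([Parameter(Mandatory)][string]$Text)
    # wevtutil emits bare <Event> elements with no root; wrap them so [xml] can load the set.
    [xml]$doc = "<Events>$Text</Events>"
    foreach ($ev in $doc.DocumentElement.ChildNodes) {
        $sys  = $ev['System']
        $data = @{}
        # EventData holds <Data Name="...">value</Data> pairs; flatten them into a hashtable.
        foreach ($d in $ev['EventData'].ChildNodes) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            RecordId = [int]$sys['EventRecordID'].InnerText
            EventId  = [int]$sys['EventID'].InnerText
            Time     = $sys['TimeCreated'].GetAttribute('SystemTime')
            Computer = $sys['Computer'].InnerText
            Data     = $data
        }
    }
}

function Get-FailedLogonSummary {
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = 2)
    # Group 4625 events by target account and source address; flag pairs at or above the threshold.
    $Events | Where-Object { $_.EventId -eq 4625 } |
        Group-Object { '{0}|{1}' -f $_.Data['TargetUserName'], $_.Data['IpAddress'] } |
        ForEach-Object {
            $user, $ip = $_.Name -split '\|'
            [pscustomobject]@{
                User       = $user
                Source     = $ip
                Failures   = $_.Count
                LogonTypes = (($_.Group | ForEach-Object { $_.Data['LogonType'] }) | Sort-Object -Unique) -join ','
                Flagged    = $_.Count -ge $Threshold
            }
        }
}

$events = ConvertFrom-WevtutilXml -Text $SampleXml
Get-FailedLogonSummary -Events $events | Format-Table -AutoSize
```

With the sample above, alice from 10.0.0.5 (two failures, LogonType 10) is flagged and bob from 127.0.0.1 is not.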
====Log Message Query====
Query for events in the //System// channel from the //Microsoft-Windows-Winlogon// provider.
wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" /c:1 /rd:true /f:text
Event[0]:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 2014-06-18T09:50:45.442
Event ID: 7001
Task: N/A
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: E5420_MGupton.alertlogic.net
Description:
User Logon Notification for Customer Experience Improvement Program
====Windows Shutdown Event====
c:\temp>wevtutil qe System /q:"*[System [(EventID=1074)]]" /c:1 /rd:true /format:text
Event[0]:
Log Name: System
Source: USER32
Date: 2015-02-04T07:23:47.000
Event ID: 1074
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: S-1-5-21-3226147087-3892606130-1661063148-5381
User Name: ALERTLOGIC\mgupton
Computer: E5420_MGupton.alertlogic.net
Description:
The process C:\Windows\system32\winlogon.exe (E5420_MGUPTON) has initiated the restart of computer E5420_MGUPTON on behalf of user ALERTLOGIC\mgupton for the following reason: No title for this reason could be found
Reason Code: 0x500ff
Shutdown Type: restart
Comment:
====Windows Boot Event====
c:\temp>wevtutil qe Security /q:"*[System [(EventID=4608)]]" /c:1 /rd:true /format:text
Event[0]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2015-02-04T07:25:18.260
Event ID: 4608
Task: Security State Change
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: E5420_MGupton.alertlogic.net
Description:
Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
======Slapdash======
The Microsoft command line tool named wevtutil can also be used to get and set the Windows Event Log retention policy.
Set the log file size limit behaviour to overwrite oldest logs first using the following command.
wevtutil sl /r:false /ab:false
The following is an example of setting the Application log to overwrite the oldest logs first.
/r:false specifies that when the log reaches the maximum size new logs should overwrite the oldest logs.
/ab:false specifies that when the log reaches the maximum size the log should not be automatically backed up.
wevtutil sl Application /r:false /ab:false
Set the maximum log file size for the specified log stream.
wevtutil sl /ms:
The following example sets the maximum log file size for the Application stream to 60 MB.
wevtutil sl Application /ms:62914560
The following command displays the current configuration for the specified log stream.
wevtutil gl
Example for getting the configuration for the System log stream.
wevtutil gl System
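The %%wevtutil gl%% output shown above can be checked mechanically against a size and retention policy; this is an added example, not code from the original page, and the 64 MB minimum, the function names and the sample text (a copy of the System output with channelAccess dropped) are assumptions of the example:

```powershell
# Added example, not from the original page: parse `wevtutil gl <channel>` output and
# check the logging settings against a minimum size and a circular-overwrite policy.
# The sample text below is a constructed copy of the System channel output shown above.
$SampleGl = @'
name: System
enabled: true
type: Admin
owningPublisher: 
isolation: System
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\System.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1
'@

function ConvertFrom-WevtutilGl {
    param([Parameter(Mandatory)][string]$Text)
    # Top-level "key:" lines with no value open a section; indented lines belong to it.
    $cfg = @{}; $section = ''
    foreach ($line in $Text -split "`r?`n") {
        if (-not ($line -match '^(\s*)([^:]+):\s?(.*)$')) { continue }
        $indent, $key, $value = $Matches[1], $Matches[2].Trim(), $Matches[3].Trim()
        if ($indent.Length -eq 0) {
            if ($value -eq '') { $cfg[$key] = ''; $section = $key; continue }
            $section = ''
        }
        $name = if ($section) { "$section.$key" } else { $key }
        $cfg[$name] = $value
    }
    return $cfg
}

function Test-ChannelLogging {
    param([Parameter(Mandatory)][hashtable]$Config, [long]$MinSizeBytes = 64MB)
    # Findings a defender would fix with `wevtutil sl <channel> /ms:<bytes> /r:false`.
    $findings = @()
    if ($Config['enabled'] -ne 'true') { $findings += 'channel is disabled' }
    if ([long]$Config['logging.maxSize'] -lt $MinSizeBytes) {
        $findings += ('maxSize {0} MB is below the {1} MB minimum' -f ([long]$Config['logging.maxSize'] / 1MB), ($MinSizeBytes / 1MB))
    }
    if ($Config['logging.retention'] -eq 'true' -and $Config['logging.autoBackup'] -ne 'true') {
        $findings += 'retention is on without autoBackup: new events are dropped once the log is full'
    }
    [pscustomobject]@{ Channel = $Config['name']; Findings = $findings; Compliant = ($findings.Count -eq 0) }
}
Test-ChannelLogging -Config (ConvertFrom-WevtutilGl -Text $SampleGl) | Format-List
```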
====Providers, Publishers and Channels====
A //Provider// is a source of events. A single provider can have multiple //channels//. A //channel// is a distinct data store for a collection of events.
c:\temp>wevtutil ep|findstr /i winlogon
Microsoft-Windows-Winlogon
c:\temp>wevtutil gp Microsoft-Windows-Winlogon
name: Microsoft-Windows-Winlogon
guid: dbe9b383-7cf3-4331-91cc-a3cb16a3b538
helpLink: http://go.microsoft.com/fwlink/events.asp?CoName=Microsoft%20Corporation&ProdName=Microsoft%c2%ae%20Windows%c2%ae%20Operating%20System&ProdVer=6.1.7601.17514&FileName=winlogon.exe&FileVer=6.1.7601.17514
resourceFileName: C:\Windows\system32\winlogon.exe
messageFileName: C:\Windows\system32\winlogon.exe
message: 2415919105
channels:
channel:
name: Microsoft-Windows-Winlogon/Diagnostic
id: 16
flags: 0
message:
channel:
name: Microsoft-Windows-Winlogon/Operational
id: 17
flags: 0
message:
channel:
name: System
id: 8
flags: 1
message: 2415919106
--- snip ---
c:\temp>wevtutil gl Microsoft-Windows-Winlogon/Operational
name: Microsoft-Windows-Winlogon/Operational
enabled: true
type: Operational
owningPublisher: Microsoft-Windows-Winlogon
isolation: Application
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
logFileName: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx
retention: false
autoBackup: false
maxSize: 1052672
publishing:
fileMax: 1
====Export/Convert .evt to .evtx====
wevtutil epl application.evt application.evtx /lf:true
====Get EventRecordID====
By querying the data as XML the //EventRecordID// is returned. This value represents the unique identifier of the event record. This ordinal value starts at 1 and is incremented by 1 for every new log entry.
wevtutil qe System /c:1 /rd:true /f:xml
======Windows Events/Logging======
For each event record Windows has a unique record number. The name of this value may vary depending on how the event data is accessed. For example, in the Windows Event Viewer GUI the value is identified as //EventRecordID//.
====Terminology====
* channel, stream
* provider, publisher
======Tools, Technologies and Solutions======
* [[wevtutil]]
* [[Microsoft Log Parser]]
* [[https://www.logbinder.com/|LOGBinder]], LOGBinder SQL
* [[https://code.google.com/p/eventlog-to-syslog/|eventlog-to-syslog, open source solution]]
* [[http://edoceo.com/creo/winlogd|winlogd, open source Windows eventlog to syslog solution]]
====Relevant Registry Keys====
HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Services
Eventlog
Application
Security
System
CustomLog
====Windows Event Log API====
* [[http://msdn.microsoft.com/en-us/library/windows/desktop/aa363632(v=vs.85).aspx|Windows Event Log API]]
======Topics======
* Windows Event Forwarding
* [[http://technet.microsoft.com/en-us/library/dd315586(v=ws.10).aspx|Event Channels]]
====Logging Policy====
* [[http://technet.microsoft.com/en-us/library/cc721981.aspx|Set Windows Log Retention Policy]]
======Windows Events======
====Windows 2003 Server====
* Logon/Logoff: Event ID 528
====Disabling Logs====
==WFP/Windows Firewall Connection Accepted/Reject Messages==
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
==Windows Logon Auditing==
In the gpedit.msc GUI:
Computer Configuration\Windows Settings\Security Settings\Audit Policy.
auditpol /get /category:"logon/logoff"
auditpol /get /subcategory:"logon"
auditpol /set /subcategory:"logon" /success:enable /failure:enable
====Set Maximum Log File Size====
* [[http://technet.microsoft.com/en-us/library/cc748849.aspx]]
====Set Log Retention Policy====
* [[http://technet.microsoft.com/en-us/library/cc721981.aspx]]
======Slapdash======
====Writing events to the Event Log====
* Powershell cmdlet Write-EventLog
* [[http://technet.microsoft.com/en-us/library/hh849847.aspx]]
The following is an example of using the write-eventlog Powershell cmdlet to write a log message to the Application log stream.
Note the //source// must be a registered source.
write-eventlog -logname Application -source Winlogon -eventID 3001 -entrytype Information -message "Test log message." -category 1 -rawdata 10,20
====Get Events====
* get-eventlog
====Use Powershell cmdlet to list Event Log channels====
Get-WinEvent -listlog *
Get-EventLog -list
====Windows Event Log API====
* [[http://msdn.microsoft.com/en-us/library/windows/desktop/aa385650(v=vs.85).aspx|Querying for Events]]
====Log Provider/Channel Registry Values====
reg query hklm\system\currentcontrolset\services\eventlog
======To Explore======
====Understanding How Windows Event Log Works====
* [[http://code.google.com/p/eventlog-to-syslog/]]
* Info on creating and using an event message file by creating a string table in a Windows resource.
* [[http://www.codeproject.com/Articles/4166/Using-MC-exe-message-resources-and-the-NT-event-lo]]
* [[http://msdn.microsoft.com/en-us/library/windows/desktop/aa363669(v=vs.85).aspx]]
* [[http://www.forensicswiki.org/wiki/Windows_Event_Log_(EVT)]]
* [[http://msdn.microsoft.com/en-us/library/windows/desktop/bb427356(v=vs.85).aspx|Querying for Event Information]]
* [[http://www.dfrws.org/2007/proceedings/p92-murphey.pdf|Automated Windows event log forensics]]
====Inaccessible Event Log Channels/Providers====
* EvtOpenPublisherMetadata API function
* [[http://msdn.microsoft.com/en-us/library/windows/desktop/dd996925(v=vs.85).aspx|Example of getting log provider metadata]]
* EvtOpenSession API function
* [[http://msdn.microsoft.com/en-us/library/windows/desktop/aa385462(v=vs.85).aspx]]
======auditing/auditpol======
Get audit policy categories and subcategories.
auditpol /list /subcategory:*
auditpol /get /subcategory:"Security Group Management"
The category //Security Group Management// controls whether user and group creation and modification activities are logged.
C:\Users\Administrator>auditpol /get /subcategory:"Security Group Management"
System audit policy
Category/Subcategory Setting
Account Management
Security Group Management Success and Failure
C:\Users\Administrator>auditpol /get /category:*
System audit policy
Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity Success and Failure
IPsec Driver No Auditing
Other System Events Success and Failure
Security State Change Success
Logon/Logoff
Logon Success and Failure
Logoff Success
Account Lockout Success
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon Success
Other Logon/Logoff Events No Auditing
Network Policy Server Success and Failure
Object Access
File System Success and Failure
Registry Success and Failure
Kernel Object Success and Failure
SAM Success and Failure
Certification Services Success and Failure
Application Generated Success and Failure
Handle Manipulation Success and Failure
File Share Success and Failure
Filtering Platform Packet Drop Success and Failure
Filtering Platform Connection No Auditing
Other Object Access Events Success and Failure
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change Success
Authentication Policy Change Success
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management Success and Failure
Computer Account Management Success and Failure
Security Group Management Success and Failure
Distribution Group Management Success and Failure
Application Group Management Success and Failure
Other Account Management Events Success and Failure
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access Success
Account Logon
Kerberos Service Ticket Operations Success
Other Account Logon Events No Auditing
Kerberos Authentication Service Success
Credential Validation Success
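The %%auditpol /get /category:*%% output above can be diffed against a baseline so that gaps (for example //Process Creation// at "No Auditing") are reported together with the %%auditpol /set%% command that closes each one; this is an added example, not code from the original page, and the baseline values, the function names and the sample excerpt are assumptions of the example:

```powershell
# Added example, not from the original page: compare `auditpol /get /category:*` output
# with a baseline and emit the auditpol commands that close the gaps. The sample below is a
# constructed excerpt of the output shown above (real output indents subcategories by two
# spaces and pads the Setting column; its two header lines are omitted here).
$SampleAuditpol = @'
Logon/Logoff
  Logon                                   Success and Failure
Detailed Tracking
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success
Account Management
  Security Group Management               Success and Failure
Account Logon
  Credential Validation                   Success
'@
# Bit flags make "does the current setting cover the requirement" a single -band test.
$SettingBits = @{ 'No Auditing' = 0; 'Success' = 1; 'Failure' = 2; 'Success and Failure' = 3 }
# Assumed baseline for this example (values are SettingBits); adjust to your own policy.
$Baseline = @{ 'Logon' = 3; 'Process Creation' = 1; 'Audit Policy Change' = 3;
               'Security Group Management' = 3; 'Credential Validation' = 3 }

function ConvertFrom-AuditpolText {
    param([Parameter(Mandatory)][string]$Text)
    # Indented lines are subcategories; the non-indented line before them is their category.
    $category = ''
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s+(.+?)\s{2,}(Success and Failure|Success|Failure|No Auditing)\s*$') {
            [pscustomobject]@{ Category = $category; Subcategory = $Matches[1]; Setting = $Matches[2] }
        } elseif ($line -match '^\S') {
            $category = $line.Trim()
        }
    }
}

function Get-AuditPolicyGaps {
    param([Parameter(Mandatory)][object[]]$Policy, [Parameter(Mandatory)][hashtable]$Required)
    foreach ($sub in $Required.Keys) {
        $entry  = $Policy | Where-Object { $_.Subcategory -eq $sub }
        # A subcategory absent from the output is treated as 'No Auditing'.
        $actual = if ($entry) { $SettingBits[$entry.Setting] } else { 0 }
        $need   = $Required[$sub]
        if (($actual -band $need) -eq $need) { continue }
        $fix = 'auditpol /set /subcategory:"{0}"' -f $sub
        if ($need -band 1) { $fix += ' /success:enable' }
        if ($need -band 2) { $fix += ' /failure:enable' }
        [pscustomobject]@{ Subcategory = $sub; Current = $entry.Setting; Fix = $fix }
    }
}
Get-AuditPolicyGaps -Policy (ConvertFrom-AuditpolText -Text $SampleAuditpol) -Required $Baseline | Format-Table -AutoSize
```

With the sample above the report lists Process Creation, Audit Policy Change and Credential Validation, each with the %%auditpol /set%% line that raises it to the baseline.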
======Powershell======
* get-eventlog
* get-winevent
The //Index// value is the unique record number for the event.
get-eventlog -log Security -newest 2
====Slapdash====
get-eventlog -log Security -newest 2 | where {$_.eventID -eq 4672} | format-list -property *
Get-WinEvent -FilterHashTable @{LogName='Security'; ID=4672;} -MaxEvents 2 | format-list -property *
Get-WinEvent -FilterHashTable @{LogName='Security'; ID=4672;} -MaxEvents 2 | format-list -property * | findstr -i recordid
powershell -executionpolicy bypass -command "Get-WinEvent -FilterHashTable @{LogName='Security'; ID=4634; StartTime='12/1/14 15:28:35'; EndTime='12/1/14 15:28:35'} -MaxEvents 2 | format-list -property *"
======WMI/VB Script scripts for event log access======
* [[http://msdn.microsoft.com/en-us/library/aa394593(v=vs.85).aspx|WMI Tasks: Event Logs]]
Get metadata for the specified log channel.
' Connect to WMI on the local machine; the (Security) privilege in the moniker is needed to read the Security log.
strComputer = "."
strChannel = "Security"
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & _
    strComputer & "\root\cimv2")
' Win32_NTEventLogFile describes the classic log files (Application, Security, System, ...).
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile " _
    & "Where LogFileName='" & strChannel & "'")
Wscript.Echo "Metadata for log channel " & strChannel & "."
For Each objLogFile in colLogFiles
    Wscript.Echo "Number of records: " & objLogFile.NumberOfRecords
    Wscript.Echo "Maximum log file size: " _
        & objLogFile.MaxFileSize
    Wscript.Echo "Log filename: " & objLogFile.Drive & objLogFile.Path & objLogFile.LogfileName & "." & objLogFile.Extension
Next
Get the number of records (events) in the specified log channel.
' Same query as above restricted to the System log; only the record count is printed.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile " _
    & "Where LogFileName='System'")
For Each objLogFile in colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
Next
======Logman======
List log providers and GUID values.
logman query providers
======Resources======
* [[https://www.ultimatewindowssecurity.com/|Ultimate Windows Security]]. Randy Franklin Smith's site. Good info for security related logging.
* webinars
* forum
* [[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx]]
====== Windows Object Auditing ======
* #FIM
* [[https://github.com/OTRF/Set-AuditRule/blob/master/Set-AuditRule.ps1]]