
Windows Logging (Slapdash)

This is a slapdash, slipshod, scattershot, quick-n-dirty, ephemeral article.

Terminology

  • Windows Event Log
  • channels
  • publishers
  • providers
  • streams

wevtutil

Specific Events of Note

Listing Log Channels and Publishers

wevtutil el
wevtutil el | findstr /i <string value to match>
wevtutil gl System
Example Output
name: System
enabled: true
type: Admin
owningPublisher: 
isolation: System
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\System.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1
wevtutil ep
wevtutil gp <publisher name>
wevtutil <command> /r:<remote_computer_name> /u:<user_name> /p:<password> 
wevtutil el /r:<remote_computer_name> /u:<user_name> /p:<password> 

Event Queries

  • The following shows how to query the Windows Event Log for events.
  • One way to get the XPath queries used by the /q option of wevtutil is to use the Windows Event Viewer GUI: create a filter, then view the XML representation of that filter.

Query the last 5 logs from the Security log channel.

  • Using /rd:true option reads the most recent messages first (descending order).
wevtutil qe Security /c:5 /rd:true /f:text
wevtutil qe Security /c:5 /rd:true /f:text /r:<remote_computer_name> /u:<user_name> /p:<password>

Example:

wevtutil qe Microsoft-Windows-Winlogon /c:5 /rd:true /f:text
The general form of the /q: XPath filter, followed by concrete examples:
/q:"*[<logname>[(<xmlvalue=value>)]]"
wevtutil qe System /q:"*[System [(EventID=7001)]]" /c:1 /rd:true /format:text
wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" /c:1 /rd:true /f:text
wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and Task=12544 and (EventID=4624)] and EventData[Data[@Name='LogonType']='2']]" /e:Events

Query the Microsoft/Windows/TaskScheduler sub-channel.

wevtutil qe Microsoft-Windows-TaskScheduler/Operational /c:5

Query for most recent failed login event 4625.

C:\Users\Administrator>wevtutil qe Security /q:"*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4625)] and EventData[Data[@Name='LogonType']='2']]" /e:Events /rd:true /c:1 /format:text
wevtutil qe Security /q:"*[System [(EventID=4625)]]" /c:1 /rd:true /format:text
wevtutil qe System /q:"*[System [(EventID=7001)]]" /c:1 /rd:true /format:text
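The XPath filters above can be passed unchanged to PowerShell's Get-WinEvent -FilterXPath. The following is an added example, not code from the original page: it pulls recent failed logons (Security event 4625), flattens the EventData fields that the /f:xml output exposes into objects, and groups them by target account and source address. LogonType 2 in the queries above is an interactive (console) logon; the hour window and event cap are parameters chosen for the example, and an elevated session is assumed because the Security channel is not readable by standard users.

```powershell
# Added example: summarize recent failed logons (Security event 4625) per
# target account and source address. Assumes an elevated Windows PowerShell
# session. The XPath is the same dialect as wevtutil's /q: filter; timediff()
# is the function Event Viewer emits for its "last N hours" filters.
param(
    [int]$Hours = 24,
    [int]$MaxEvents = 500   # like wevtutil /c:, newest first like /rd:true
)

$windowMs = $Hours * 3600 * 1000
$xpath = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4625) and TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

function ConvertTo-FailedLogonRecord {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # ToXml() returns the same document /f:xml prints; EventData/Data elements
    # are keyed by their Name attribute.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        RecordId    = $Event.RecordId          # the EventRecordID of the XML
        TimeCreated = $Event.TimeCreated
        TargetUser  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $data['LogonType']       # 2 = interactive, 3 = network, 10 = remote interactive
        IpAddress   = $data['IpAddress']
        Status      = $data['Status']          # NTSTATUS; 0xC000006D = logon failure
        SubStatus   = $data['SubStatus']
    }
}

$records = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-FailedLogonRecord -Event $_ }

# One source failing against many accounts, or many failures against one
# account, is the shape worth a closer look.
$records |
    Group-Object TargetUser, IpAddress |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'TargetUser';   e = { $_.Group[0].TargetUser } },
        @{ n = 'IpAddress';    e = { $_.Group[0].IpAddress } },
        @{ n = 'LogonTypes';   e = { ($_.Group.LogonType | Sort-Object -Unique) -join ',' } },
        @{ n = 'LastRecordId'; e = { ($_.Group.RecordId | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Save it as a .ps1 and run it elevated; -Hours 1 narrows the window when the Security log is busy. The same ConvertTo-FailedLogonRecord approach works for any event whose EventData fields you want as columns, since only the field names change.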

Query for logs in the System channel from the Microsoft-Windows-Winlogon provider.

wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" /c:1 /rd:true /f:text
Event[0]:
  Log Name: System
  Source: Microsoft-Windows-Winlogon
  Date: 2014-06-18T09:50:45.442
  Event ID: 7001
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: E5420_MGupton.alertlogic.net
  Description:
User Logon Notification for Customer Experience Improvement Program
c:\temp>wevtutil qe System /q:"*[System [(EventID=1074)]]" /c:1 /rd:true /format:text
Event[0]:
  Log Name: System
  Source: USER32
  Date: 2015-02-04T07:23:47.000
  Event ID: 1074
  Task: N/A
  Level: Information
  Opcode: N/A
  Keyword: Classic
  User: S-1-5-21-3226147087-3892606130-1661063148-5381
  User Name: ALERTLOGIC\mgupton
  Computer: E5420_MGupton.alertlogic.net
  Description:
The process C:\Windows\system32\winlogon.exe (E5420_MGUPTON) has initiated the restart of computer E5420_MGUPTON on behalf of user ALERTLOGIC\mgupton for the following reason: No title for this reason could be found
 Reason Code: 0x500ff
 Shutdown Type: restart
 Comment:
c:\temp>wevtutil qe Security /q:"*[System [(EventID=4608)]]" /c:1 /rd:true /format:text
Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2015-02-04T07:25:18.260
  Event ID: 4608
  Task: Security State Change
  Level: Information
  Opcode: Info
  Keyword: Audit Success
  User: N/A
  User Name: N/A
  Computer: E5420_MGupton.alertlogic.net
  Description:
Windows is starting up.

This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.

Slapdash

The Microsoft command line tool named wevtutil can also be used to get and set the Windows Event Log retention policy.

Set the log file size limit behaviour to overwrite oldest logs first using the following command.

wevtutil sl <Log Name> /r:false /ab:false

The following is an example of setting the Application log to overwrite the oldest logs first.

/r:false specifies that when the log reaches the maximum size new logs should overwrite the oldest logs.

/ab:false specifies that when the log reaches the maximum size the log should not be automatically backed up.

wevtutil sl Application /r:false /ab:false

Set the maximum log file size for the specified log stream.

wevtutil sl <Log Name> /ms:<MaxSizeInBytes>

The following example sets the maximum log file size for the Application stream to 60 MB.

wevtutil sl Application /ms:62914560

The following command displays the current configuration for the specified log stream.

wevtutil gl <Log Name>

Example for getting the configuration for the System log stream.

wevtutil gl System

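The same retention settings can be read and changed from PowerShell through the EventLogConfiguration objects that Get-WinEvent -ListLog returns. The following is an added example, not the page's own code: it lists each channel's mode and cap alongside the wevtutil flag each mode corresponds to, flags channels whose cap is below the 60 MB the page sets for Application or that are set to never overwrite, and wraps the change in a function. An elevated Windows PowerShell session is assumed; the channel list and the 60 MB floor are example values.

```powershell
# Added example: review and change channel retention through the
# EventLogConfiguration objects that Get-WinEvent -ListLog returns, as an
# alternative to "wevtutil sl <Log> /ms:<bytes> /r:<bool> /ab:<bool>".
# Assumes an elevated Windows PowerShell session. The 60 MB floor is the size
# the page sets for Application; the channel list is an example.

function Get-ChannelRetention {
    param([string[]]$LogName = @('Application', 'Security', 'System'))
    foreach ($cfg in Get-WinEvent -ListLog $LogName) {
        # LogMode corresponds to the wevtutil flags:
        #   Circular   = /r:false            overwrite oldest first (the page's setting)
        #   AutoBackup = /r:true  /ab:true   archive the file when full, then start a new one
        #   Retain     = /r:true  /ab:false  never overwrite; new events are lost when full
        [pscustomobject]@{
            LogName      = $cfg.LogName
            Enabled      = $cfg.IsEnabled
            LogMode      = $cfg.LogMode
            MaxSizeBytes = $cfg.MaximumSizeInBytes
            FileSizeMB   = [math]::Round($cfg.FileSize / 1MB, 1)
            Records      = $cfg.RecordCount
            LogFilePath  = $cfg.LogFilePath
        }
    }
}

function Set-ChannelRetention {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [long]$MaxSizeBytes,
        [ValidateSet('Circular', 'AutoBackup', 'Retain')][string]$LogMode
    )
    $cfg = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $LogName
    if ($PSBoundParameters.ContainsKey('MaxSizeBytes')) { $cfg.MaximumSizeInBytes = $MaxSizeBytes }
    if ($PSBoundParameters.ContainsKey('LogMode')) {
        $cfg.LogMode = [System.Diagnostics.Eventing.Reader.EventLogMode]$LogMode
    }
    $cfg.SaveChanges()   # persists the change, as wevtutil sl does
}

# Flag channels capped below 60 MB, or set to Retain (logging stops when full).
$minimumBytes = 60MB
Get-ChannelRetention |
    Where-Object { $_.MaxSizeBytes -lt $minimumBytes -or $_.LogMode -eq 'Retain' } |
    Format-Table -AutoSize

# Equivalent of the page's two wevtutil sl commands for Application:
# Set-ChannelRetention -LogName Application -MaxSizeBytes 62914560 -LogMode Circular
```

A small Security channel on a busy host is the usual finding: with Circular mode the oldest events are silently overwritten, so the cap determines how far back an investigation can look.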

A Provider is a source of events. A single provider can have multiple channels. A channel is a distinct data store for a collection of events.

c:\temp>wevtutil ep|findstr /i winlogon
Microsoft-Windows-Winlogon
c:\temp>wevtutil gp Microsoft-Windows-Winlogon
name: Microsoft-Windows-Winlogon
guid: dbe9b383-7cf3-4331-91cc-a3cb16a3b538
helpLink: http://go.microsoft.com/fwlink/events.asp?CoName=Microsoft%20Corporation&ProdName=Microsoft%c2%ae%20Windows%c2%ae%20Operating%20System&ProdVer=6.1.7601.17514&FileName=winlogon.exe&FileVer=6.1.7601.17514
resourceFileName: C:\Windows\system32\winlogon.exe
messageFileName: C:\Windows\system32\winlogon.exe
message: 2415919105
channels:
  channel:
    name: Microsoft-Windows-Winlogon/Diagnostic
    id: 16
    flags: 0
    message: 
  channel:
    name: Microsoft-Windows-Winlogon/Operational
    id: 17
    flags: 0
    message: 
  channel:
    name: System
    id: 8
    flags: 1
    message: 2415919106
    
--- snip ---
c:\temp>wevtutil gl Microsoft-Windows-Winlogon/Operational
name: Microsoft-Windows-Winlogon/Operational
enabled: true
type: Operational
owningPublisher: Microsoft-Windows-Winlogon
isolation: Application
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx
  retention: false
  autoBackup: false
  maxSize: 1052672
publishing:
  fileMax: 1
Export a log file to .evtx format. With /lf:true the first argument is a path to a log file (here a legacy .evt file) rather than a channel name.

wevtutil epl application.evt application.evtx /lf:true

By querying the data as XML the EventRecordID is returned. This value represents the unique identifier of the event record. This ordinal value starts at 1 and is incremented by 1 for every new log entry.

wevtutil qe System /c:1 /rd:true /f:xml

Windows Events/Logging

For each event record Windows has a unique record number. The name of this value may vary depending on how the event data is accessed. For example, in the Windows Event Viewer GUI the value is identified as EventRecordID.
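Because the record number only ever increases, it makes a good checkpoint for incremental collection. The following is an added example, not code from the original page: each run asks the channel only for records newer than the last one seen, using the System/EventRecordID element shown in the XML output, and stores the new high-water mark in a file. The checkpoint file path and the batch size are assumptions for the example; reading the Security channel requires an elevated session.

```powershell
# Added example: use EventRecordID as a checkpoint for incremental collection.
# Each run asks only for records newer than the last one seen, via the
# System/EventRecordID element the XML output exposes. The checkpoint file
# path and batch size are example values; Security access requires admin.

$LogName        = 'Security'
$checkpointFile = Join-Path $env:ProgramData 'evt-checkpoint-Security.txt'

# Last record id shipped on the previous run (0 on first run).
$lastId = 0
if (Test-Path $checkpointFile) { $lastId = [long](Get-Content $checkpointFile -First 1) }

# Oldest-first so the checkpoint advances in order even if the run is cut short.
$xpath = "*[System[EventRecordID > $lastId]]"
$batch = Get-WinEvent -LogName $LogName -FilterXPath $xpath -Oldest -MaxEvents 1000 -ErrorAction SilentlyContinue

foreach ($e in $batch) {
    # Stand-in for the real sink (SIEM forwarder, file, HTTP collector).
    '{0} {1} {2} {3}' -f $e.RecordId, $e.TimeCreated.ToString('o'), $e.Id, $e.ProviderName
    $lastId = $e.RecordId
}

# Persist the new high-water mark only after the batch has been handed off.
Set-Content -Path $checkpointFile -Value $lastId
'Collected {0} record(s); checkpoint now {1}' -f @($batch).Count, $lastId
```

Run it on a schedule; every run picks up exactly where the previous one stopped, and a jump in RecordId between two consecutive records in the output is itself worth noting, since it means records between them were no longer in the channel when the run happened.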

  • channel, stream
  • provider, publisher

Tools, Technologies and Solutions

HKEY_LOCAL_MACHINE
   SYSTEM
      CurrentControlSet
         Services
            Eventlog
               Application
               Security
               System
               CustomLog

Topics

Windows Events

Windows 2003 Server

  • Logon/Logoff: Event ID 528
WFP/Windows Firewall Connection Accepted/Reject Messages
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
Windows Logon Auditing

In the gpedit.msc GUI:

Computer Configuration\Windows Settings\Security Settings\Audit Policy.
auditpol /get /category:"logon/logoff"
auditpol /get /subcategory:"logon"
auditpol /set /subcategory:"logon" /success:enable /failure:enable

Slapdash

Writing events to the Event Log

The following is an example of using the write-eventlog PowerShell cmdlet to write a log message to the Application log stream.

Note the source must be a registered source.

 write-eventlog -logname Application -source Winlogon -eventID 3001 -entrytype Information -message "Test log message." -category 1 -rawdata 10,20
List the available logs (get-eventlog, get-winevent) and the registry key under which each log and its registered sources are defined.
Get-WinEvent -listlog *
Get-EventLog -list
reg query hklm\system\currentcontrolset\services\eventlog
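The example above borrows the existing Winlogon source, so the test message appears under that component's name. For a script of your own the cleaner route is to register a dedicated source once and then write through it. The following is an added example, not the page's own code: it registers the source if it is missing, writes the event, and reads it back by provider name. It assumes Windows PowerShell 5.1 (Write-EventLog and New-EventLog are not in PowerShell 7) and an elevated session for the one-time registration; "MyMonitorScript" is an example source name.

```powershell
# Added example: write to the Application log through a registered source.
# Write-EventLog fails for an unknown source, so the source is registered
# first. Assumes Windows PowerShell 5.1 and an elevated session for the
# one-time New-EventLog call. "MyMonitorScript" is an example source name.

function Write-AppEvent {
    param(
        [string]$Source = 'MyMonitorScript',
        [int]$EventId = 3001,
        [ValidateSet('Information', 'Warning', 'Error')][string]$EntryType = 'Information',
        [Parameter(Mandatory)][string]$Message
    )
    # Sources live under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<Log>,
    # the key the page lists with "reg query". Registering one needs admin
    # rights; SourceExists can throw if the caller cannot read that key.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    Write-EventLog -LogName Application -Source $Source -EventId $EventId `
        -EntryType $EntryType -Message $Message
}

Write-AppEvent -Message 'Test log message.'

# Read it back by provider name (the source) with Get-WinEvent.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MyMonitorScript' } -MaxEvents 1 |
    Format-List TimeCreated, Id, ProviderName, Message
```

A dedicated source also makes the events easy to filter on later, with ProviderName in Get-WinEvent or Provider[@Name='...'] in an XPath query.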

To Explore

auditing/auditpol

Get audit policy categories and subcategories.

auditpol /list /subcategory:*
auditpol /get /subcategory:"Security Group Management"

The Security Group Management subcategory (under the Account Management category) controls whether user and group creation and modification activities are logged.

C:\Users\Administrator>auditpol /get /subcategory:"Security Group Management"
System audit policy
Category/Subcategory                      Setting
Account Management
  Security Group Management               Success and Failure
C:\Users\Administrator>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure
Object Access
  File System                             Success and Failure
  Registry                                Success and Failure
  Kernel Object                           Success and Failure
  SAM                                     Success and Failure
  Certification Services                  Success and Failure
  Application Generated                   Success and Failure
  Handle Manipulation                     Success and Failure
  File Share                              Success and Failure
  Filtering Platform Packet Drop          Success and Failure
  Filtering Platform Connection           No Auditing
  Other Object Access Events              Success and Failure
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success
  Authentication Policy Change            Success
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Success
Account Logon
  Kerberos Service Ticket Operations      Success
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         Success
  Credential Validation                   Success
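The output above is easier to act on as objects than as text. The following is an added example, not code from the original page: it parses the text format that auditpol /get /category:* prints (two-space indent for subcategories, column-aligned settings) and reports every subcategory whose setting differs from a baseline you maintain. The sample text embedded below is a subset of the page's own output so the parser runs without auditpol; the baseline is an example, not a recommendation from the page.

```powershell
# Added example: parse "auditpol /get /category:*" text into objects and flag
# subcategories that differ from a baseline. $sample is a subset of the page's
# output, embedded so the parser runs offline; the baseline is an example.

$sample = @'
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
Detailed Tracking
  Process Termination                     No Auditing
  Process Creation                        No Auditing
Account Management
  Security Group Management               Success and Failure
'@ -split "`r?`n"

function ConvertFrom-AuditPolText {
    param([string[]]$Lines)
    $category = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s{2}(.+?)\s{2,}(.+?)\s*$') {
            # Two-space indent marks a subcategory; name and setting are column-aligned.
            [pscustomobject]@{ Category = $category; Subcategory = $Matches[1]; Setting = $Matches[2] }
        }
        elseif ($line -match '^\S' -and $line -notmatch '^(System audit policy|Category/Subcategory)') {
            # Unindented lines (other than the two header lines) are category names.
            $category = $line.Trim()
        }
    }
}

function Compare-AuditPolicy {
    param([object[]]$Policy, [hashtable]$Baseline)
    foreach ($name in $Baseline.Keys) {
        $actual = ($Policy | Where-Object Subcategory -eq $name).Setting
        if ($actual -ne $Baseline[$name]) {
            [pscustomobject]@{ Subcategory = $name; Expected = $Baseline[$name]; Actual = $actual }
        }
    }
}

# Example baseline: settings a detection team commonly wants on.
$baseline = @{
    'Logon'                     = 'Success and Failure'
    'Process Creation'          = 'Success'
    'Security Group Management' = 'Success and Failure'
    'Account Lockout'           = 'Success and Failure'
}

$policy = ConvertFrom-AuditPolText -Lines $sample
Compare-AuditPolicy -Policy $policy -Baseline $baseline | Format-Table -AutoSize
# With the sample, Process Creation and Account Lockout differ from the baseline.
```

To run it against the live policy, replace $sample with the command output: ConvertFrom-AuditPolText -Lines (auditpol /get /category:*). auditpol also accepts /r to print CSV, which ConvertFrom-Csv can read directly without the regex.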

Powershell

  • get-eventlog
  • get-winevent

The Index value is the unique record number for the event.

get-eventlog -log Security -newest 2
get-eventlog -log Security -newest 2 | where {$_.eventID -eq 4672} | format-list -property *


Get-WinEvent -FilterHashTable @{LogName='Security'; ID=4672;} -MaxEvents 2 | format-list -property *

Get-WinEvent -FilterHashTable @{LogName='Security'; ID=4672;} -MaxEvents 2 | format-list -property * | findstr -i recordid
powershell -executionpolicy bypass -command "Get-WinEvent -FilterHashTable @{LogName='Security'; ID=4634; StartTime='12/1/14 15:28:35'; EndTime='12/1/14 15:28:35'} -MaxEvents 2 | format-list -property *"

WMI/VB Script scripts for event log access

Get metadata for the specified log channel.

strComputer = "."
strChannel = "Security"

' The (Security) privilege is required to read the Security channel.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile " _
    & "Where LogFileName='" & strChannel & "'")

Wscript.Echo "Metadata for log channel " & strChannel & "."

For Each objLogFile in colLogFiles
    Wscript.Echo "Number of records: " & objLogFile.NumberOfRecords
    Wscript.Echo "Maximum log file size: " & objLogFile.MaxFileSize
    Wscript.Echo "Log filename: " & objLogFile.Drive & objLogFile.Path & objLogFile.LogFileName & "." & objLogFile.Extension
Next

Get the number of records (events) in the specified log channel.

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile " _
    & "Where LogFileName='System'")
For Each objLogFile in colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
Next

Logman

List log providers and GUID values.

logman query providers

Resources

Windows Object Auditing

  • slapdash/windows_logging.txt
  • Last modified: 2023/03/21 16:41
  • by mgupton