slapdash:windows_logging

slapdash:windows_logging [2017/04/18 21:38] – created mguptonslapdash:windows_logging [2023/03/21 16:41] (current) mgupton
Line 1: Line 1:
-======Windows Logging====== +======Windows Logging (Slapdash)====== 
-======wevtutil====== +<WRAP round info> 
-  * //wevtutil// is a bulit-in Windows command that can query the Windows event log. +This is a slapdash, slipshod, scattershot, quick-n-dirty, ephemeral article
-  * [[http://technet.microsoft.com/en-us/library/cc732848(v=ws.10).aspx|wevtutil]] +</WRAP>
-  * [[http://ss64.com/nt/wevtutil.html]]+
  
-====Terminology====+======Terminology====== 
 +  * Windows Event Log
   * channels   * channels
   * publishers   * publishers
Line 11: Line 11:
   * streams   * streams
  
-======Examples======+======wevtutil====== 
 +  * //wevtutil// is a bulit-in Windows command that can query the Windows Event Log. 
 +  * [[http://technet.microsoft.com/en-us/library/cc732848(v=ws.10).aspx|wevtutil]] 
 +  * [[http://ss64.com/nt/wevtutil.html]] 
 + 
 +======Specific Events of Note====== 
 +  * [[Windows Administrator Activity Events]] 
 + 
 +======Listing Log Channels and Publishers====== 
 ====Enumerate a list of all log channels==== ====Enumerate a list of all log channels====
 <code> <code>
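Review bot: the wevtutil bullet re-added here still carries the typo "bulit-in" from the old section; it should read "built-in". Also check that the bare `[[Windows Administrator Activity Events]]` link under "Specific Events of Note" actually resolves; a link without a namespace prefix is resolved relative to the current (slapdash) namespace.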
Line 52: Line 61:
 </code> </code>
  
- 
-====Log Message Query==== 
-Query for logs in the //Security// channel from the //Microsoft-Windows-Winlogon// provider. 
- 
-<code> 
-wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" /c:1 /rd:true /f:text 
-Event[0]: 
-  Log Name: System 
-  Source: Microsoft-Windows-Winlogon 
-  Date: 2014-06-18T09:50:45.442 
-  Event ID: 7001 
-  Task: N/A 
-  Level: Information 
-  Opcode: Info 
-  Keyword: N/A 
-  User: S-1-5-18 
-  User Name: NT AUTHORITY\SYSTEM 
-  Computer: E5420_MGupton.alertlogic.net 
-  Description: 
-User Logon Notification for Customer Experience Improvement Program 
- 
-</code> 
  
 =====Execute Against a Remote System===== =====Execute Against a Remote System=====
Line 86: Line 73:
  
 ======Event Queries====== ======Event Queries======
 +  * The following shows how to query Windows Event Log for events.
   * One way to get the XPath queries used by the /q option of //wevtutil// is to use the Windows Event Viewer GUI. By creating a filter and viewing the XML representation of the filter.   * One way to get the XPath queries used by the /q option of //wevtutil// is to use the Windows Event Viewer GUI. By creating a filter and viewing the XML representation of the filter.
  
-Query the last 5 logs from the //Security// log channel.+===Query the last 5 logs from the Security log channel.=== 
 + 
 +  * Using %%/rd:true%% option reads the most recent messages first (descending order).
  
-Using %%/rd:true%% option reads the most recent messages first (descending order). 
 <code> <code>
-wevtutil qe Security /c:5 /rd:true /f:text /r:<remote_computer_name> /u:<user_name> /p:<password>+wevtutil qe Security /c:5 /rd:true /f:text
 </code> </code>
  
 +<code>
 +wevtutil qe Security /c:5 /rd:true /f:text /r:<remote_computer_name> /u:<user_name> /p:<password>
 +</code>
 Example: Example:
  
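Review bot: the second added command (`wevtutil qe Security /c:5 /rd:true /f:text /r:<remote_computer_name> /u:<user_name> /p:<password>`) puts the password on the command line, where it ends up in shell history and in process-creation audit records on the host; wevtutil prompts for the password when /u is given without /p (or with /p:*), so suggest dropping the /p value from the example. Two smaller points in the same hunk: the new `===Query the last 5 logs from the Security log channel.===` heading has a trailing period inside the heading markers, and the bullet "By creating a filter and viewing the XML representation of the filter." is a sentence fragment that should be joined to the sentence before it.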
Line 134: Line 125:
 <code> <code>
 wevtutil qe System /q:"*[System [(EventID=7001)]]" /c:1 /rd:true /format:text wevtutil qe System /q:"*[System [(EventID=7001)]]" /c:1 /rd:true /format:text
 +</code>
 +
 +====Log Message Query====
 +Query for logs in the //Security// channel from the //Microsoft-Windows-Winlogon// provider.
 +
 +<code>
 +wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" /c:1 /rd:true /f:text
 +Event[0]:
 +  Log Name: System
 +  Source: Microsoft-Windows-Winlogon
 +  Date: 2014-06-18T09:50:45.442
 +  Event ID: 7001
 +  Task: N/A
 +  Level: Information
 +  Opcode: Info
 +  Keyword: N/A
 +  User: S-1-5-18
 +  User Name: NT AUTHORITY\SYSTEM
 +  Computer: E5420_MGupton.alertlogic.net
 +  Description:
 +User Logon Notification for Customer Experience Improvement Program
 +
 </code> </code>
  
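Review bot: the re-added "Log Message Query" text says the query is against the Security channel, but the command is `wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" ...` and the captured output shows `Log Name: System`; change the prose to System (or the command to Security) so the two agree. The sample output also carries a real internal hostname, `Computer: E5420_MGupton.alertlogic.net`; consider replacing it with a placeholder before publishing.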
Line 294: Line 307:
 wevtutil qe System /c:1 /rd:true /f:xml wevtutil qe System /c:1 /rd:true /f:xml
 </code> </code>
 +
 +
 +
 +
 +
 +
 +
 +======Windows Events/Logging======
 +For each event record Windows has a unique record number. The name of this value may vary depending on how the event data is accessed. For example, in the Windows Event Viewer GUI the value is identified as //EventRecordID//.
 +
 +====Terminology====
 +  * channel, stream
 +  * provider, publisher
 +
 +======Tools, Technologies and Solutions======
 +  * [[wevtutil]]
 +  * [[Microsoft Log Parser]]
 +  * [[https://www.logbinder.com/|LOGBinder]], LOGBinder SQL
 +  * [[https://code.google.com/p/eventlog-to-syslog/|eventlog-to-syslog, open source solution]]
 +  * [[http://edoceo.com/creo/winlogd|winlogd, open source Windows eventlog to syslog solution]]
 +
 +====Relevant Registry Keys====
 +<code>
 +HKEY_LOCAL_MACHINE
 +   SYSTEM
 +      CurrentControlSet
 +         Services
 +            Eventlog
 +               Application
 +               Security
 +               System
 +               CustomLog
 +</code>
 +====§§§=====
 +  * [[http://msdn.microsoft.com/en-us/library/windows/desktop/aa363632(v=vs.85).aspx|Windows Event Log API]]
 +
 +======Topics======
 +  * Windows Event Forwarding
 +  * [[http://technet.microsoft.com/en-us/library/dd315586(v=ws.10).aspx|Event Channels]]
 +====Logging Policy====
 +  * [[http://technet.microsoft.com/en-us/library/cc721981.aspx|Set Windows Log Retention Policy]]
 +======Windows Events======
 +====Windows 2003 Server====
 +===Windows 2003 Server====
 +  * Logon/Logoff: Event ID 528
 +====Disabling Logs====
 +==WFP/Windows Firewall Connection Accepted/Reject Messages==
 +<code>
 +auditpol /set /subcategory:”Filtering Platform Connection” /success:disable /failure:disable
 +</code>
 +==Windows Logon Auditing==
 +In the gpedit.msc GUI:
 +<code>
 +Computer Confiuguration\Windows Settings\Security Settings\Audit Policy.
 +</code>
 +<code>
 +auditpol /get /category:"logon/logoff"
 +</code>
 +<code>
 +auditpol /get /subcategory:"logon"
 +</code>
 +<code>
 +auditpol /set /subcategory:”logon” /success:enable /failure:enable
 +</code>
 +
 +====Set Maximum Log File Size====
 +  * [[http://technet.microsoft.com/en-us/library/cc748849.aspx]]
 +
 +====Set Log Retention Policy====
 +  * [[http://technet.microsoft.com/en-us/library/cc721981.aspx]]
 +
 +======Slapdash======
 +===Writing events to the Event Log====
 +  * Powershell cmdlet Write-EventLog
 +    * [[http://technet.microsoft.com/en-us/library/hh849847.aspx]]
 +
 +The following is an example of using the write-eventlog Powershell cmdlet to write an log messages to the Application log stream.
 +
 +Note the //source// must be a registered source.
 +
 +<code>
 + write-eventlog -logname Application -source Winlogon -eventID 3001 -entrytype Information -message "Test log message." -category 1 -rawdata 10,20
 +</code>
 +
 +====Get Events====
 +  * get-eventlog
 +
 +
 +====Use Powershell cmdlet to list Event Log channels====
 +<code>
 +Get-WinEvent -listlog *
 +</code>
 +
 +<code>
 +Get-EventLog -list
 +</code>
 +
 +====Windows Event Log API=====
 +  * [[http://msdn.microsoft.com/en-us/library/windows/desktop/aa385650(v=vs.85).aspx|Querying for Events]]
 +
 +====Log Provider/Channel Registry Values====
 +<code>
 +reg query hklm\system\currentcontrolset\services\eventlog
 +</code>
 +
 +
 +======To Explore======
 +====Understanding How Windows Event Log Works====
 +  *[[http://code.google.com/p/eventlog-to-syslog/]]
 +  * Info on creating and using a event message file by creating a string table in a Windows resource.
 +    * [[http://www.codeproject.com/Articles/4166/Using-MC-exe-message-resources-and-the-NT-event-lo]]
 +    * [[http://msdn.microsoft.com/en-us/library/windows/desktop/aa363669(v=vs.85).aspx]]
 +    * [[http://www.forensicswiki.org/wiki/Windows_Event_Log_(EVT)]]
 +  * [[http://msdn.microsoft.com/en-us/library/windows/desktop/bb427356(v=vs.85).aspx|Querying for Event Information]]
 +  * [[http://www.dfrws.org/2007/proceedings/p92-murphey.pdf|Automated Windows event log forensics]]
 +
 +====Inaccessible Event Log Channels/Providers====
 +  * EvtOpenPublisherMetadata API function
 +    * [[http://msdn.microsoft.com/en-us/library/windows/desktop/dd996925(v=vs.85).aspx|Example of getting log provider metadata]]
 +  * EvtOpenSession API function
 +    * [[http://msdn.microsoft.com/en-us/library/windows/desktop/aa385462(v=vs.85).aspx]]
 +
 +======auditing/auditpol======
 +Get audit policy categories and subcategories.
 +<code>
 +auditpol /list /subcategory:*
 +</code>
 +
 +<code>
 +auditpol /get /subcategory:"Security Group Management"
 +</code>
 +
 +The category //Security Group Management// controls whether user and group creation and modification activities are logged.
 +<code>
 +C:\Users\Administrator>auditpol /get /subcategory:"Security Group Management"
 +System audit policy
 +Category/Subcategory                      Setting
 +Account Management
 +  Security Group Management               Success and Failure
 +</code>
 +
 +<code>
 +C:\Users\Administrator>auditpol /get /category:*
 +System audit policy
 +Category/Subcategory                      Setting
 +System
 +  Security System Extension               No Auditing
 +  System Integrity                        Success and Failure
 +  IPsec Driver                            No Auditing
 +  Other System Events                     Success and Failure
 +  Security State Change                   Success
 +Logon/Logoff
 +  Logon                                   Success and Failure
 +  Logoff                                  Success
 +  Account Lockout                         Success
 +  IPsec Main Mode                         No Auditing
 +  IPsec Quick Mode                        No Auditing
 +  IPsec Extended Mode                     No Auditing
 +  Special Logon                           Success
 +  Other Logon/Logoff Events               No Auditing
 +  Network Policy Server                   Success and Failure
 +Object Access
 +  File System                             Success and Failure
 +  Registry                                Success and Failure
 +  Kernel Object                           Success and Failure
 +  SAM                                     Success and Failure
 +  Certification Services                  Success and Failure
 +  Application Generated                   Success and Failure
 +  Handle Manipulation                     Success and Failure
 +  File Share                              Success and Failure
 +  Filtering Platform Packet Drop          Success and Failure
 +  Filtering Platform Connection           No Auditing
 +  Other Object Access Events              Success and Failure
 +Privilege Use
 +  Sensitive Privilege Use                 No Auditing
 +  Non Sensitive Privilege Use             No Auditing
 +  Other Privilege Use Events              No Auditing
 +Detailed Tracking
 +  Process Termination                     No Auditing
 +  DPAPI Activity                          No Auditing
 +  RPC Events                              No Auditing
 +  Process Creation                        No Auditing
 +Policy Change
 +  Audit Policy Change                     Success
 +  Authentication Policy Change            Success
 +  Authorization Policy Change             No Auditing
 +  MPSSVC Rule-Level Policy Change         No Auditing
 +  Filtering Platform Policy Change        No Auditing
 +  Other Policy Change Events              No Auditing
 +Account Management
 +  User Account Management                 Success and Failure
 +  Computer Account Management             Success and Failure
 +  Security Group Management               Success and Failure
 +  Distribution Group Management           Success and Failure
 +  Application Group Management            Success and Failure
 +  Other Account Management Events         Success and Failure
 +DS Access
 +  Directory Service Changes               No Auditing
 +  Directory Service Replication           No Auditing
 +  Detailed Directory Service Replication  No Auditing
 +  Directory Service Access                Success
 +Account Logon
 +  Kerberos Service Ticket Operations      Success
 +  Other Account Logon Events              No Auditing
 +  Kerberos Authentication Service         Success
 +  Credential Validation                   Success
 +</code>
 +
 +======Powershell======
 +  * get-eventlog
 +  * get-winevent
 +
 +The //Index// value is the uniqure record number for the event.
 +<code>
 +get-eventlog -log Security -newest 2
 +</code>
 +
 +====Slapdash====
 +<code>
 +get-eventlog -log Security -newest 2 | where {$_.eventID -eq 4672} | format-list -property *
 +
 +
 +Get-WinEvent -FilterHashTable @{LogName='Security'; ID=4672;} -MaxEvents 2 | format-list -property *
 +
 +Get-WinEvent -FilterHashTable @{LogName='Security'; ID=4672;} -MaxEvents 2 | format-list -property * | findstr -i recordid
 +</code>
 +
 +<code>
 +powershell -executionpolicy bypass -command "Get-WinEvent -FilterHashTable @{LogName='Security'; ID=4634; StartTime='12/1/14 15:28:35'; EndTime='12/1/14 15:28:35'} -MaxEvents 2 | format-list -property *"
 +</code>
 +======WMI/VB Script scripts for event log access======
 +  * [[http://msdn.microsoft.com/en-us/library/aa394593(v=vs.85).aspx|WMI Tasks: Event Logs]]
 +
 +Get metadata for the specified log channel.
 +<code>
 +strComputer = "."
 +strChannel = "Security"
 +
 +Set objWMIService = GetObject("winmgmts:" _
 +    & "{impersonationLevel=impersonate,(Security)}!\\" & _
 +        strComputer & "\root\cimv2")
 +Set colLogFiles = objWMIService.ExecQuery _
 +    ("Select * from Win32_NTEventLogFile " _
 +        & "Where LogFileName='" & strChannel & "'")
 +        
 +    Wscript.Echo "Metadata for log channel " & strChannel & "."
 +    
 +For Each objLogFile in colLogFiles
 +    Wscript.Echo "Number of records: " & objLogFile.NumberOfRecords
 +    Wscript.Echo "Maximum log file size: " _
 +    &  objLogfile.MaxFileSize
 + Wscript.Echo "Log filename: " & objLogFile.Drive & objLogFile.Path & objLogFile.LogfileName & "." & objLogFile.Extension
 +Next
 +</code>
 +Get the number of records (events) in the specified log channel.
 +<code>
 +strComputer = "."
 +Set objWMIService = GetObject("winmgmts:" _
 +    & "{impersonationLevel=impersonate}!\\" _
 +    & strComputer & "\root\cimv2")
 +Set colLogFiles = objWMIService.ExecQuery _
 +    ("Select * from Win32_NTEventLogFile " _
 +    & "Where LogFileName='System'")
 +For Each objLogFile in colLogFiles
 +    Wscript.Echo objLogFile.NumberOfRecords
 +Next
 +</code>
 +
 +======Logman======
 +List log providers and GUID values.
 +<code>
 +logman query providers
 +</code>
 +
 +======Resources======
 +  * [[https://www.ultimatewindowssecurity.com/|Ultimate Windows Security]]. Randy Franklin Smith's site. Good info for security related logging.
 +      * webinars
 +      * forum
 +  * [[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx]]
 +
 +====== Windows Object Auditing ======
 +  * #FIM
 +  * [[https://github.com/OTRF/Set-AuditRule/blob/master/Set-AuditRule.ps1]]
 +
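Review bot: the two auditpol /set examples use typographic quotes (`auditpol /set /subcategory:”Filtering Platform Connection” /success:disable /failure:disable` and `auditpol /set /subcategory:”logon” /success:enable /failure:enable`), which cmd.exe does not treat as quote characters; they are passed through as part of the subcategory name (and where the name contains a space the argument is split), so the commands fail. Replace them with straight ASCII quotes as used in the auditpol /get examples. Smaller points in the same hunk: the heading markers on `===Windows 2003 Server====`, `===Writing events to the Event Log====` and `====Windows Event Log API=====` are unbalanced and will not render as headings; `====§§§=====` is a placeholder heading; the first bullet under "Understanding How Windows Event Log Works" lacks the space after `*`; and "Confiuguration", "uniqure" and "write an log messages" are typos.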
  • slapdash/windows_logging.1492551489.txt.gz
  • Last modified: 2017/04/18 21:38
  • by mgupton