slapdash:windows_logging

Differences

This shows you the differences between two versions of the page.

slapdash:windows_logging [2017/04/18 21:39] mgupton | slapdash:windows_logging [2023/03/21 16:41] (current) mgupton
Line 1: Line 1:
-======Windows Logging====== +======Windows Logging (Slapdash)====== 
-======wevtutil====== +<WRAP round info> 
-  * //wevtutil// is a bulit-in Windows command that can query the Windows event log. +This is a slapdash, slipshod, scattershot, quick-n-dirty, ephemeral article
-  * [[http://technet.microsoft.com/en-us/library/cc732848(v=ws.10).aspx|wevtutil]] +</WRAP>
-  * [[http://ss64.com/nt/wevtutil.html]]+
  
-====Terminology====+======Terminology====== 
 +  * Windows Event Log
   * channels   * channels
   * publishers   * publishers
Line 11: Line 11:
   * streams   * streams
  
-======Examples======+======wevtutil====== 
 +  * //wevtutil// is a bulit-in Windows command that can query the Windows Event Log. 
 +  * [[http://technet.microsoft.com/en-us/library/cc732848(v=ws.10).aspx|wevtutil]] 
 +  * [[http://ss64.com/nt/wevtutil.html]] 
 + 
 +======Specific Events of Note====== 
 +  * [[Windows Administrator Activity Events]] 
 + 
 +======Listing Log Channels and Publishers====== 
 ====Enumerate a list of all log channels==== ====Enumerate a list of all log channels====
 <code> <code>
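Review bot: the `bulit-in` typo survives the move on the added line `* //wevtutil// is a bulit-in Windows command that can query the Windows Event Log.`; since the line is being rewritten anyway, make it `built-in`. The TechNet link on the following line is the `(v=ws.10)` Server 2008-era reference; pointing at the current Microsoft documentation for wevtutil would make sure the switches used throughout the page (`/q`, `/c`, `/rd`, `/f`, `/r`, `/u`, `/p`) match what readers will find.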
Line 52: Line 61:
 </code> </code>
  
- 
-====Log Message Query==== 
-Query for logs in the //Security// channel from the //Microsoft-Windows-Winlogon// provider. 
- 
-<code> 
-wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" /c:1 /rd:true /f:text 
-Event[0]: 
-  Log Name: System 
-  Source: Microsoft-Windows-Winlogon 
-  Date: 2014-06-18T09:50:45.442 
-  Event ID: 7001 
-  Task: N/A 
-  Level: Information 
-  Opcode: Info 
-  Keyword: N/A 
-  User: S-1-5-18 
-  User Name: NT AUTHORITY\SYSTEM 
-  Computer: E5420_MGupton.alertlogic.net 
-  Description: 
-User Logon Notification for Customer Experience Improvement Program 
- 
-</code> 
  
 =====Execute Against a Remote System===== =====Execute Against a Remote System=====
Line 86: Line 73:
  
 ======Event Queries====== ======Event Queries======
 +  * The following shows how to query Windows Event Log for events.
   * One way to get the XPath queries used by the /q option of //wevtutil// is to use the Windows Event Viewer GUI. By creating a filter and viewing the XML representation of the filter.   * One way to get the XPath queries used by the /q option of //wevtutil// is to use the Windows Event Viewer GUI. By creating a filter and viewing the XML representation of the filter.
  
-Query the last 5 logs from the //Security// log channel.+===Query the last 5 logs from the Security log channel.=== 
 + 
 +  * Using %%/rd:true%% option reads the most recent messages first (descending order).
  
-Using %%/rd:true%% option reads the most recent messages first (descending order). 
 <code> <code>
-wevtutil qe Security /c:5 /rd:true /f:text /r:<remote_computer_name> /u:<user_name> /p:<password>+wevtutil qe Security /c:5 /rd:true /f:text
 </code> </code>
  
 +<code>
 +wevtutil qe Security /c:5 /rd:true /f:text /r:<remote_computer_name> /u:<user_name> /p:<password>
 +</code>
 Example: Example:
  
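Review bot: the added remote example `wevtutil qe Security /c:5 /rd:true /f:text /r:<remote_computer_name> /u:<user_name> /p:<password>` passes the password on the command line, where it is recoverable from the console history and from process-creation auditing (4688 with command-line logging enabled) on the machine running the query, which is a poor place for an administrative credential on a page about collecting the Security log. Suggest omitting `/p` (or using `/p:*`) so that wevtutil prompts for the password, which the wevtutil documentation describes as the behaviour when `/u` is given without a password, or running as an account that already has Event Log Readers rights on the target and dropping `/u` and `/p` altogether. It would also help to add one sentence before the two code blocks saying that the first is the local query and the second is the same query against a remote host, since the heading covers both.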
Line 134: Line 125:
 <code> <code>
 wevtutil qe System /q:"*[System [(EventID=7001)]]" /c:1 /rd:true /format:text wevtutil qe System /q:"*[System [(EventID=7001)]]" /c:1 /rd:true /format:text
 +</code>
 +
 +====Log Message Query====
 +Query for logs in the //Security// channel from the //Microsoft-Windows-Winlogon// provider.
 +
 +<code>
 +wevtutil qe System /q:"*[System[Provider[@Name='Microsoft-Windows-Winlogon']]]" /c:1 /rd:true /f:text
 +Event[0]:
 +  Log Name: System
 +  Source: Microsoft-Windows-Winlogon
 +  Date: 2014-06-18T09:50:45.442
 +  Event ID: 7001
 +  Task: N/A
 +  Level: Information
 +  Opcode: Info
 +  Keyword: N/A
 +  User: S-1-5-18
 +  User Name: NT AUTHORITY\SYSTEM
 +  Computer: E5420_MGupton.alertlogic.net
 +  Description:
 +User Logon Notification for Customer Experience Improvement Program
 +
 </code> </code>
  
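Review bot: the lead sentence of the re-added Log Message Query section, `Query for logs in the //Security// channel from the //Microsoft-Windows-Winlogon// provider.`, disagrees with the command and the captured output, which both use the System log (`wevtutil qe System /q:...` and `Log Name: System`); Winlogon's 7001/7002 logon and logoff notifications are written to System, so change the prose to System. Two smaller points: the captured output carries a real-looking host name (`Computer: E5420_MGupton.alertlogic.net`) that should be replaced with a placeholder before publishing, and since this block now sits directly under the `(EventID=7001)` example it is worth saying that the two filters are complementary, one selecting by event ID and the other by provider, and that both conditions can be combined in a single XPath predicate.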
Line 398: Line 411:
 reg query hklm\system\currentcontrolset\services\eventlog reg query hklm\system\currentcontrolset\services\eventlog
 </code> </code>
-======Resources====== +
-  * [[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx]]+
  
 ======To Explore====== ======To Explore======
Line 568: Line 580:
 logman query providers logman query providers
 </code> </code>
 +
 +======Resources======
 +  * [[https://www.ultimatewindowssecurity.com/|Ultimate Windows Security]]. Randy Franklin Smith's site. Good info for security related logging.
 +      * webinars
 +      * forum
 +  * [[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx]]
 +
 +====== Windows Object Auditing ======
 +  * #FIM
 +  * [[https://github.com/OTRF/Set-AuditRule/blob/master/Set-AuditRule.ps1]]
 +
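Review bot: the new Windows Object Auditing section is a bare tag and a link (`* #FIM` and the Set-AuditRule.ps1 URL) with nothing explaining what the script is for; one sentence stating that Set-AuditRule adds an audit rule (a SACL entry) to a file, directory or registry key so that access attempts are recorded in the Security log would make it usable, together with the caveat that a SACL produces no events unless the matching advanced audit policy subcategory (Object Access: Audit File System or Audit Registry) is enabled on the host. In the Resources list the encyclopedia URL now appears as a top-level bullet beneath the parent-site entry whose sub-bullets are `webinars` and `forum`; nesting it under that entry keeps the two Ultimate Windows Security links together.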
  • slapdash/windows_logging.1492551571.txt.gz
  • Last modified: 2017/04/18 21:39
  • by mgupton