slapdash:windows_logging

slapdash:windows_logging [2017/04/26 12:54] mgupton
slapdash:windows_logging [2023/03/21 16:41] (current) mgupton
Line 1: Line 1:
 ======Windows Logging (Slapdash)====== ======Windows Logging (Slapdash)======
-======wevtutil====== +<WRAP round info> 
-  * //wevtutil// is a bulit-in Windows command that can query the Windows event log. +This is a slapdash, slipshod, scattershot, quick-n-dirty, ephemeral article
-  * [[http://technet.microsoft.com/en-us/library/cc732848(v=ws.10).aspx|wevtutil]] +</WRAP>
-  * [[http://ss64.com/nt/wevtutil.html]]+
  
-====Terminology====+======Terminology====== 
 +  * Windows Event Log
   * channels   * channels
   * publishers   * publishers
   * providers   * providers
   * streams   * streams
 +
 +======wevtutil======
 +  * //wevtutil// is a bulit-in Windows command that can query the Windows Event Log.
 +  * [[http://technet.microsoft.com/en-us/library/cc732848(v=ws.10).aspx|wevtutil]]
 +  * [[http://ss64.com/nt/wevtutil.html]]
 +
 +======Specific Events of Note======
 +  * [[Windows Administrator Activity Events]]
  
 ======Listing Log Channels and Publishers====== ======Listing Log Channels and Publishers======
 +
 ====Enumerate a list of all log channels==== ====Enumerate a list of all log channels====
 <code> <code>
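Review bot: the wevtutil bullet moved below Terminology still carries the typo "bulit-in" (`* //wevtutil// is a bulit-in Windows command that can query the Windows Event Log.`); since the line is being rewritten anyway, change it to "built-in". The new `[[Windows Administrator Activity Events]]` entry under "Specific Events of Note" is a bare internal link; a short phrase saying what that page covers would help a reader decide whether to follow it.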
Line 64: Line 73:
  
 ======Event Queries====== ======Event Queries======
 +  * The following shows how to query Windows Event Log for events.
   * One way to get the XPath queries used by the /q option of //wevtutil// is to use the Windows Event Viewer GUI. By creating a filter and viewing the XML representation of the filter.   * One way to get the XPath queries used by the /q option of //wevtutil// is to use the Windows Event Viewer GUI. By creating a filter and viewing the XML representation of the filter.
  
-===Query the last 5 logs from the //Security// log channel.===+===Query the last 5 logs from the Security log channel.=== 
 + 
 +  * Using %%/rd:true%% option reads the most recent messages first (descending order).
  
-Using %%/rd:true%% option reads the most recent messages first (descending order). 
 <code> <code>
 wevtutil qe Security /c:5 /rd:true /f:text wevtutil qe Security /c:5 /rd:true /f:text
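Review bot: the moved bullet `* Using %%/rd:true%% option reads the most recent messages first (descending order).` is missing an article; it should read "Using the %%/rd:true%% option ...". The heading `===Query the last 5 logs from the Security log channel.===` keeps a trailing period inside the heading markup while the page's other headings have none, and "last 5 events" would be more precise than "logs", since `wevtutil qe Security /c:5` returns five events from the channel.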
Line 401: Line 411:
 reg query hklm\system\currentcontrolset\services\eventlog reg query hklm\system\currentcontrolset\services\eventlog
 </code> </code>
-======Resources====== +
-  * [[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx]]+
  
 ======To Explore====== ======To Explore======
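Review bot: this hunk drops the Resources heading and the ultimatewindowssecurity encyclopedia link from this position; the same link reappears in the Resources section added after the logman block later in the diff, so this is a move rather than a deletion and nothing is lost.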
Line 571: Line 580:
 logman query providers logman query providers
 </code> </code>
 +
 +======Resources======
 +  * [[https://www.ultimatewindowssecurity.com/|Ultimate Windows Security]]. Randy Franklin Smith's site. Good info for security related logging.
 +      * webinars
 +      * forum
 +  * [[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx]]
 +
 +====== Windows Object Auditing ======
 +  * #FIM
 +  * [[https://github.com/OTRF/Set-AuditRule/blob/master/Set-AuditRule.ps1]]
 +
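Review bot: `* #FIM` under Windows Object Auditing is a bare tag with no explanation; spell it out (file integrity monitoring) or drop it. The Set-AuditRule.ps1 link on the next line is also bare; a few words on what the script is used for would help. In the Resources bullet, "security related logging" should be hyphenated as "security-related logging".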
  • slapdash/windows_logging.1493211264.txt.gz
  • Last modified: 2017/04/26 12:54
  • by mgupton