# Logging
* [Windows Logging CheatSheet](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/580595db9f745688bc7477f6/1476761074992/Windows+Logging+Cheat+Sheet_ver_Oct_2016.pdf)
* [NSA -- Spotting Adversary with Windows Event Monitoring](https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm)
* [Events to Monitor](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor)
* [Windows 10 Monitoring Reference](https://www.microsoft.com/en-us/download/confirmation.aspx?id=52630)
## Loglevel
|ID|Event Type|Description|
|--|----------|-----------|
|0|Error|An event that indicates a significant problem.|
|1|Warning|An event that is not necessarily significant.|
|2|Information|An event describing the successful operation of an application.|
|3|Success Audit|An event that records an audited security access attempt that succeeded.|
|4|Failure Audit|An event that records an audited security access attempt that failed.|
## Logrotation
```sh
C:\Windows\System32\winevt\Logs
```
* As an example, the on-disk path of a specific log can be found in Event Viewer under `Microsoft > Windows > PowerShell > Operational` by right-clicking it and choosing `Properties`. Logs can also be cleared from the same properties dialog.
## Tools
* Event Viewer (GUI-based application)
* Wevtutil.exe (command-line tool)
* Get-WinEvent (PowerShell cmdlet)
### wevtutil.exe
```sh
wevtutil.exe /?
```
* Count logs
```sh
wevtutil.exe le | measure
```
* Read three most recent Application logs
```sh
wevtutil qe Application /c:3 /rd:true /f:text
```
### Get-WinEvent
* [Online help](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/Get-WinEvent?view=powershell-7.1)
* List all the logs
```sh
Get-WinEvent -ListLog *
```
* Find a string in a saved `.evtx` file
```sh
Get-WinEvent -Path .\merged.evtx | Where-Object { $_.Message -like '*log clear*' }
```
* Further filtering
```sh
Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' }
```

```sh
Get-WinEvent -ListProvider *Policy*
```

```sh
(Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Format-Table Id, Description
```
* Filter by hashtable values
```sh
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MsiInstaller' }
```

```sh
# -ExpandProperty passes the bare message text to Select-String instead of a wrapped object
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -ExpandProperty Message | Select-String -Pattern 'SecureString'
```
* Including __XPATH__
```sh
Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=101 and */System/Provider[@Name="WLMS"]'
```

```sh
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="System"'
```

```sh
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]' -MaxEvents 1
```
* Find login by username
```sh
# Event ID 4720 in the Security log is "A user account was created"; TargetUserName is the new account
Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4720 and */EventData/Data[@Name="TargetUserName"]="sam"'
```
### Command Line Logging
* Enable PS Logging
```sh
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
```
* CLI Process Auditing -- ID 4688
```
Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation
```
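Once process-creation auditing is on, the hashtable filtering shown above can be turned into a reusable query. The following is an added example, not part of the original notes: it pulls ID 4688 events from the Security log (or a saved `.evtx`), parses the named `EventData` fields out of each event's XML, and exposes the command line. The function name and parameters are my own; it assumes an elevated session and that the "Include command line in process creation events" setting is enabled, otherwise `CommandLine` is empty.

```powershell
# Added example (not from the original notes). Query 4688 process-creation events
# and extract named EventData fields. Assumes an elevated PowerShell session.
function Get-ProcessCreationEvent {
    param(
        [string]$LogName = 'Security',
        [string]$Path,                  # optional: read a saved .evtx instead of the live log
        [int]$MaxEvents = 50,
        [string]$ImagePattern = '.*'    # regex matched against NewProcessName
    )

    # Same -FilterHashtable style as above; Path and LogName are mutually exclusive keys
    $filter = @{ ID = 4688 }
    if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = $LogName }

    # SilentlyContinue: Get-WinEvent raises an error, not an empty result, when nothing matches
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each event stores its fields as <Data Name="..."> elements; index them by name
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                SubjectUser   = $data['SubjectUserName']
                NewProcess    = $data['NewProcessName']
                ParentProcess = $data['ParentProcessName']
                CommandLine   = $data['CommandLine']   # empty unless command-line auditing is enabled
            }
        } |
        Where-Object { $_.NewProcess -match $ImagePattern }
}

# Usage: show the 20 most recent powershell.exe launches with their full command lines
Get-ProcessCreationEvent -MaxEvents 200 -ImagePattern 'powershell\.exe$' |
    Select-Object -First 20 |
    Format-Table TimeCreated, SubjectUser, ParentProcess, CommandLine -AutoSize
```

The same field-extraction loop works for any event ID; only the `ID` in the hashtable and the field names you pick out need to change.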