Log Parser Lizard log analysis


1. Introduction to Log Parser Lizard

Log Parser Lizard is a powerful and easy-to-use log analysis tool. It lets users analyze server logs, website logs and similar data in an intuitive way, and supports text-based log files, XML files, CSV (comma-separated) files, as well as the registry, the file system and other sources.

2. Windows log analysis

  1. Successful logons

List successful logons whose logon type is 3 or 10 (network or RemoteInteractive). Note that the EXTRACT_TOKEN positions used below depend on the language and version of the event message template; verify them against your own logs before relying on the results.

SELECT EXTRACT_TOKEN(Message,13,' ') as EventType,TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,'|') as Username,EXTRACT_TOKEN(Message,38,' ') as Loginip FROM 'C:\Program Files\Log Parser 2.2\Security-01.evtx' where EventID=4624 and (EXTRACT_TOKEN(Message,13,' ') = '3' or EXTRACT_TOKEN(Message,13,' ') = '10')

List successful logons with logon type 3 or 10 between 06-20 and 06-30

SELECT EXTRACT_TOKEN(Message,13,' ') as EventType,TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,'|') as Username,EXTRACT_TOKEN(Message,38,' ') as Loginip FROM 'C:\Program Files\Log Parser 2.2\Security-01.evtx' where TimeGenerated>'2020-06-20 23:32:11' and TimeGenerated<'2020-06-30 23:34:00' and EventID=4624 and (EXTRACT_TOKEN(Message,13,' ') = '3' or EXTRACT_TOKEN(Message,13,' ') = '10')

  2. Failed logons

Count brute-force attempts per username (aggregated)

select EXTRACT_TOKEN(Message,19,' ') as user,count(EXTRACT_TOKEN(Message,19,' ')) AS 總計 FROM 'C:\Program Files\Log Parser 2.2\Security-01.evtx' where EventID=4625 GROUP by EXTRACT_TOKEN(Message,19,' ') ORDER by 總計 desc

Count brute-force attempts per source IP address (aggregated)

select EXTRACT_TOKEN(Message,39,' ') as loginIp,count(EXTRACT_TOKEN(Message,39,' ')) AS 總計 FROM 'C:\Program Files\Log Parser 2.2\Security-01.evtx' where EventID=4625 GROUP by EXTRACT_TOKEN(Message,39,' ') ORDER by 總計 desc

Extract the usernames of failed logons together with the time of each failure

SELECT EXTRACT_TOKEN(Message,13,' ') as EventType,EXTRACT_TOKEN(Message,19,' ') as user,EXTRACT_TOKEN(Message,39,' ') as Loginip,TimeGenerated as LoginTime FROM 'C:\Program Files\Log Parser 2.2\Security-01.evtx' where EventID=4625
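As an added example (not part of the original page), the Python script below reproduces what the 4624 and 4625 queries above do, over constructed sample events, but reads the message by field name instead of by token position, which keeps the logic working when the event template language differs from the one the token offsets were written against. It assumes the English 4624/4625 message layout; the event records and names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample events in the shape Log Parser exposes (EventID, TimeGenerated, Message),
# laid out like the English 4624/4625 templates. Token offsets differ per locale, so the
# parser below reads fields by name instead of by EXTRACT_TOKEN position.
def _msg(logon_type, user, ip):
    return (f"Subject:\n\tAccount Name:\t\t-\nLogon Type:\t\t{logon_type}\nNew Logon:\n"
            f"\tAccount Name:\t\t{user}\nNetwork Information:\n\tSource Network Address:\t{ip}\n")

SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeGenerated": "2020-06-21 08:00:00", "Message": _msg(10, "alice", "10.0.0.5")},
    {"EventID": 4624, "TimeGenerated": "2020-06-19 08:00:00", "Message": _msg(3, "bob", "10.0.0.6")},
    {"EventID": 4624, "TimeGenerated": "2020-06-22 09:00:00", "Message": _msg(2, "carol", "-")},
    {"EventID": 4625, "TimeGenerated": "2020-06-22 10:00:01", "Message": _msg(3, "admin", "203.0.113.9")},
    {"EventID": 4625, "TimeGenerated": "2020-06-22 10:00:02", "Message": _msg(3, "admin", "203.0.113.9")},
    {"EventID": 4625, "TimeGenerated": "2020-06-22 10:00:03", "Message": _msg(3, "root", "203.0.113.9")},
    {"EventID": 4625, "TimeGenerated": "2020-06-22 10:05:00", "Message": _msg(10, "alice", "10.0.0.7")},
]
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\t+(\S.*)$", re.MULTILINE)

def parse_fields(message):
    """'Name:<tabs>value' lines -> dict; last value wins, so the target account
    (listed after the Subject account in 4624/4625) is the one returned."""
    fields = {}
    for name, value in FIELD_RE.findall(message):
        fields[name.strip()] = value.strip()
    return fields

def successful_logons(events, logon_types=("3", "10"), start=None, end=None):
    """Counterpart of the 4624 queries: (time, user, ip) for logon types 3/10 inside an optional
    inclusive window; zero-padded 'yyyy-MM-dd HH:MM:SS' strings compare chronologically."""
    rows = []
    for e in events:
        if e["EventID"] != 4624:
            continue
        t = e["TimeGenerated"]
        if (start and t < start) or (end and t > end):
            continue
        f = parse_fields(e["Message"])
        if f.get("Logon Type") in logon_types:
            rows.append((t, f["Account Name"], f["Source Network Address"]))
    return rows

def failed_logons_by(events, field):
    """Counterpart of the 4625 GROUP BY queries: failures per 'Account Name' or per
    'Source Network Address', most frequent first."""
    counts = Counter(parse_fields(e["Message"]).get(field, "-")
                     for e in events if e["EventID"] == 4625)
    return counts.most_common()
```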

  3. Processes created by [Administrator]

SELECT TimeGenerated as Creationtime,EXTRACT_TOKEN(Strings,5,'|') as Process FROM 'C:\Program Files\Log Parser 2.2\Security-01.evtx' where EventID=4688 and Message LIKE '%Administrator%'

  4. Services installed

SELECT TimeGenerated as Creationtime,Message FROM 'C:\Program Files\Log Parser 2.2\Security-01.evtx' where EventID=7045

  5. Password resets

SELECT TimeGenerated as Creationtime,Message FROM Security.evtx where EventID=4724

  6. Users added to a privileged local group

SELECT TimeGenerated as Creationtime,Message FROM Security.evtx where EventID=4732

  7. Terminal session logs

Terminal session log - RDP disconnect:

SELECT TimeGenerated as LoginTime,Strings FROM Operational.evtx where EventID=24

Terminal session log - RDP reconnect:

SELECT TimeGenerated as LoginTime,Strings FROM Operational.evtx where EventID=25

Terminal session log - RDP logon:

SELECT TimeGenerated as LoginTime,Strings FROM Operational.evtx where EventID=21

