Microsoft's Log Parser is a powerful command-line utility that can streamline this process, providing efficient querying capabilities to extract specific information from logs.
Getting Started with Log Parser for Windows Security Event Logs:
In a typical scenario, suppose we have logs from a single system placed in one directory.
To run Log Parser for a specific log file, say 'Security.evtx' with EventID '5038', the command appears as follows:
C:\Users\User\Desktop\Tools\Logs> "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5038'"
Breaking down the example above:
C:\Users\User\Desktop\Tools\Logs> is the directory where the logs are placed.
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" is where Log Parser is installed.
-stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5038'" is the Log Parser query (this is basically a SQL query).
Complexities in Parsing Multiple Logs:
However, complexities arise when dealing with multiple directories (for example, logs collected from 300 systems), each containing a 'Security.evtx' log. Manually changing directories and running the same query for each system becomes arduous and time-consuming.
A PowerShell Solution:
To streamline this process and efficiently parse logs across multiple directories, PowerShell comes to the rescue. By combining PowerShell's directory traversal capability with Log Parser's querying prowess, we can create a script that navigates through directories and executes Log Parser queries.
For example:
Get-ChildItem -recurse | where {$_.name -eq "Security.evtx"} | foreach { cd $_.DirectoryName; pwd; & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT -q:ON "SELECT * FROM 'Security.evtx' WHERE EventID = '5038'" }
Breaking Down the Script
Get-ChildItem -Recurse: Recursively searches through all directories.
Where-Object {$_.name -eq "Security.evtx"}: Filters files to find 'Security.evtx'.
ForEach: Executes the commands for each located file.
cd $_.DirectoryName: Changes the directory to the log file's location.
pwd: Prints the current path.
& 'LogParser.exe' -i:EVT -q:ON "SELECT * FROM 'Security.evtx' WHERE EventID = '5038'": Executes Log Parser query.
Keep in mind that, as written, this query parses only the Security.evtx files from all 300 systems.
This makes parsing logs a little more difficult, and it is not as simple as Hayabusa, but it helps you learn how to create a script or SQL query.
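A variant of the traversal above that never changes directory, checks Log Parser's exit code, and records which system each hit came from. This is an added example, not the author's script; it assumes one subfolder per system under the logs directory, and the output file name is hypothetical.

```powershell
# Added example, not the post's script. Assumptions: each system's logs sit in
# their own subfolder of $Root; $OutCsv is a hypothetical name kept outside $Root.
$LogParser = 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'
$Root      = 'C:\Users\User\Desktop\Tools\Logs'
$OutCsv    = 'C:\Users\User\Desktop\Tools\EventID_5038_all_systems.csv'
$EventId   = 5038   # EventID is an integer field in the EVT input format, so it is not quoted

# Write the header once; data rows from every system are appended below it.
Set-Content -Path $OutCsv -Value 'SourceFolder,TimeGenerated,EventID,ComputerName,Message'

$summary = foreach ($log in Get-ChildItem -Path $Root -Recurse -File -Filter 'Security.evtx') {
    $system = Split-Path -Path $log.DirectoryName -Leaf

    # Full path in FROM, so the working directory never changes (no cd needed).
    $query = "SELECT TimeGenerated, EventID, ComputerName, Message " +
             "FROM '$($log.FullName)' WHERE EventID = $EventId"

    # -headers:OFF keeps Log Parser from repeating the CSV header for every file.
    $rows = @(& $LogParser -stats:OFF -q:ON -i:EVT -o:CSV -headers:OFF $query)

    if ($LASTEXITCODE -ne 0) {
        # Unreadable log: report it instead of silently skipping the system.
        Write-Warning "Log Parser failed on $($log.FullName) (exit code $LASTEXITCODE)"
        [pscustomobject]@{ System = $system; Hits = $null; Status = 'parse error' }
        continue
    }

    # Prefix each row with the folder name so every hit stays tied to its system.
    $hits = @($rows | Where-Object { $_ })
    $hits | ForEach-Object { "$system,$_" } | Add-Content -Path $OutCsv
    [pscustomobject]@{ System = $system; Hits = $hits.Count; Status = 'ok' }
}

# Per-system overview: which systems logged the event and which logs failed to parse.
$summary | Sort-Object Hits -Descending | Format-Table -AutoSize
```

Systems listed with a 'parse error' status need a second look, since a log that cannot be read is not the same as a log with zero hits.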
BONUS:-
To streamline Log Parser operations and simplify the process of querying Windows Security Event logs, I have compiled a set of Log Parser commands for your convenience. These commands can be edited and customized to suit your specific log analysis requirements.
Commands file attached:- Click me
Akash Patel