码迷,mamicode.com
首页 > 其他好文 > 详细

Log Parser Lizard 日志分析

时间:2020-07-05 00:59:57      阅读:77      评论:0      收藏:0      [点我收藏+]

标签:href   inf   csv   message   rac   head   win   mes   特权   

1. Log Parser Lizard 介绍

Log Parser Lizard是一款强大好用的日志分析工具,使用这款软件可以方便用户对服务器日志、网站日志等进行直观用户的分析,支持基于文本的日志文件、XML 文件、CSV(逗号分隔符)文件以及注册表、文件系统等内容。

2. Windows日志分析

1.统计登陆成功的

统计登陆成功状态为(3/10)用户

SELECT EXTRACT_TOKEN(Message,13,‘ ‘) as EventType,TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,‘|‘) as Username,EXTRACT_TOKEN(Message,38,‘ ‘) as Loginip FROM ‘C:\Program Files\Log Parser 2.2\Security-01.evtx‘ where EventID=4624 and (EXTRACT_TOKEN(Message,13,‘ ‘) = ‘3‘ or EXTRACT_TOKEN(Message,13,‘ ‘) = ‘10‘)

技术图片

统计时间在06-20到06-30登陆成功状态为(3/10)用户

SELECT EXTRACT_TOKEN(Message,13,‘ ‘) as EventType,TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,‘|‘) as Username,EXTRACT_TOKEN(Message,38,‘ ‘) as Loginip FROM ‘C:\Program Files\Log Parser 2.2\Security-01.evtx‘ where  TimeGenerated>‘2020-06-20 23:32:11‘ and TimeGenerated<‘2020-06-30 23:34:00‘ and EventID=4624 and (EXTRACT_TOKEN(Message,13,‘ ‘) = ‘3‘ or EXTRACT_TOKEN(Message,13,‘ ‘) = ‘10‘)

技术图片

  1. 统计登陆失败的

按用户名统计爆破次数(聚合)

select EXTRACT_TOKEN(Message,19,‘ ‘) as user,count(EXTRACT_TOKEN(Message,19,‘ ‘)) AS 总计 FROM ‘C:\Program Files\Log Parser 2.2\Security-01.evtx‘ where EventID=4625 GROUP by EXTRACT_TOKEN(Message,19,‘ ‘) ORDER by 总计 desc

技术图片

按IP地址统计爆破次数(聚合)

select EXTRACT_TOKEN(Message,39,‘ ‘) as loginIp,count(EXTRACT_TOKEN(Message,39,‘ ‘)) AS 总计 FROM ‘C:\Program Files\Log Parser 2.2\Security-01.evtx‘ where EventID=4625 GROUP by EXTRACT_TOKEN(Message,39,‘ ‘) ORDER by 总计 desc

技术图片

提取登录失败用户名并显示登陆失败时间

SELECT EXTRACT_TOKEN(Message,13,‘ ‘) as EventType,EXTRACT_TOKEN(Message,19,‘ ‘) as user,EXTRACT_TOKEN(Message,39,‘ ‘) as Loginip,TimeGenerated as LoginTime FROM ‘C:\Program Files\Log Parser 2.2\Security-01.evtx‘ where EventID=4625

技术图片

  1. 查询 [Administrator] 创建的进程
SELECT TimeGenerated as Creationtime,EXTRACT_TOKEN(Strings,5,‘|‘) as Process FROM ‘C:\Program Files\Log Parser 2.2\Security-01.evtx‘ where EventID=4688 and Message LIKE ‘%Administrator%‘

技术图片

  1. 查询创建的服务
SELECT TimeGenerated as Creationtime,Message FROM ‘C:\Program Files\Log Parser 2.2\Security-01.evtx‘ where EventID=7045
  1. 查询重置密码
SELECT TimeGenerated as Creationtime,Message FROM Security.evtx where EventID=4724
  1. 查询重置密码
SELECT TimeGenerated as Creationtime,Message FROM Security.evtx where EventID=4724
  1. 查询用户已添加到特权本地组
SELECT TimeGenerated as Creationtime,Message FROM Security.evtx where EventID=4732
  1. 终端会话日志

终端会话日志-RDP断开连接:

SELECT TimeGenerated as LoginTime,Strings FROM Operational.evtx where EventID=24

终端会话日志-RDP重连:

SELECT TimeGenerated as LoginTime,Strings FROM Operational.evtx where EventID=25

终端会话日志-RDP登陆:

SELECT TimeGenerated as LoginTime,Strings FROM Operational.evtx where EventID=21

Log Parser Lizard 日志分析

标签:href   inf   csv   message   rac   head   win   mes   特权   

原文地址:https://www.cnblogs.com/didiaoxiaofei/p/13237270.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!