Windows event logs record what the operating system and its applications are doing. With PowerShell cmdlets you can dump those events into variables for later processing, filter them on their properties, or pull out only the entries from a specific date range.
Log file analysis is an important task that gives us critical information about a service, an application or a system. When examining or researching a target it is highly recommended to dig into the log files, because the configuration changes, events, errors, warnings and notices of a given system are all stored in these files.
Step 1: Dump the event logs
The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.
To dump an event log, use the Get-EventLog and Export-Clixml cmdlets if you are working with a traditional (classic) event log such as the Security, Application or System log.
If you need to work with one of the trace logs (the Applications and Services logs), use the Get-WinEvent and Export-Clixml cmdlets. Get-WinEvent reads the classic logs as well, and it is the only one of the two still available in PowerShell 7, where Get-EventLog has been removed.
Get-EventLog -LogName application | Export-Clixml Applog.xml
type .\Applog.xml
$logs = "system","application","security"
The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console:
$logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }
Step 2: Import the event log of interest
To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.
Store the results in a variable.
Let's take a look at the cmdlets Where-Object, Group-Object and Select-Object.
The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.
$seclog = Import-Clixml security.xml
$seclog | select -Last 5
A cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:
Get-EventLog Application -After (Get-Date).AddDays(-1)
You can use -After and -Before to filter on a date range.
One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NTFS and share permissions of the location where you store it.
By default, an ordinary user does not have permission to read the security log.
Step 3: Drill into a specific entry
To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.
$seclog | select -first 1 | fl *
For a "Special privileges assigned to new logon" entry (event ID 4672) the Message property contains the SID, account name, account domain and the privileges assigned to the new logon. The second command shows that Message is a plain string, which is why regular expressions can be applied to it directly:
($seclog | select -first 1).message
(($seclog | select -first 1).message).gettype()
In the *nix world, you often want a count of something (wc -l).
How often is the security privilege mentioned in the message property?
To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:
$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure
To see which event IDs those entries come from, use Group-Object to group the matches by the EventID property:
$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid
Because importing the event log from the stored XML results in a collection of event log entries, the collection's Count property is available as well.
Use the count property to determine the total number of entries in the event log.
$seclog.Count
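Steps 1 to 3 as one script, added here as an example and not part of the original course material. It assumes a Windows host, an elevated prompt (ordinary users cannot read the Security log) and a writable $env:LOCALAPPDATA; the output directory name evtdump is a made-up choice. It uses Get-WinEvent rather than Get-EventLog so that it also runs on PowerShell 7, and it extends the text by pulling the account name out of the 4672 messages and ranking accounts:

```powershell
# Added example: dump, import and drill into the Security log in one pass.
# Run from an elevated prompt: standard users cannot read the Security log.
$since  = (Get-Date).AddDays(-1)
# A directory under the user's profile already has an ACL that excludes other
# users, so the exported XML is not readable by everyone on the box.
$outDir = Join-Path $env:LOCALAPPDATA 'evtdump'      # assumed directory name
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$xmlPath = Join-Path $outDir 'security.xml'

# Step 1: dump. -FilterHashtable filters inside the event log service, which is
# much faster than reading the whole log and filtering with Where-Object later.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction Stop |
    Export-Clixml -Path $xmlPath

# Step 2: import the dump and store it in a variable
$seclog = Import-Clixml -Path $xmlPath
'{0} Security events since {1}' -f $seclog.Count, $since

# Newest first is the default order, so -Last returns the oldest five
$seclog | Select-Object -Last 5 -Property TimeCreated, Id, ProviderName | Format-Table -AutoSize

# Step 3: drill in. Show every property of the most recent entry
$seclog | Select-Object -First 1 | Format-List *

# Which event IDs mention SeSecurityPrivilege, and how often?
$priv = $seclog | Where-Object { $_.Message -match 'SeSecurityPrivilege' }
'{0} entries mention SeSecurityPrivilege' -f ($priv | Measure-Object).Count
$priv | Group-Object Id | Sort-Object Count -Descending | Select-Object Count, Name

# For "Special privileges assigned to new logon" (4672) the message text carries
# an "Account Name:" line; capture it and rank accounts by how often they were
# handed elevated privileges in the period.
$priv | Where-Object Id -eq 4672 | ForEach-Object {
    if ($_.Message -match 'Account Name:\s+(\S+)') { $Matches[1] }
} | Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

For an .evtx file collected from another machine, Get-WinEvent -Path reads it directly, but the Message text is rendered from the event provider's message files: on an analysis box without that provider, Message can come back empty and you have to work from the Properties array instead.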
SIMPLE LOGFILE ANALYSIS
The Select-String cmdlet is the most used command for searching or filtering files.
Description
The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like grep in UNIX and findstr in Windows. You can type Select-String or its alias, sls.
Select-String is based on lines of text. By default, Select-String finds the first match in each line and, for each match, it displays the file name, line number, and all text in the line containing the match. However, you can direct it to detect multiple matches per line, display text before and after the match, or display only a Boolean value (True or False) that indicates whether a match is found.
Select-String uses regular expression matching, but it can also perform a simple match that searches the input for the text that you specify.
Select-String can display all of the text matches or stop after the first match in each input file. It can also display all text that does not match the specified pattern. You can also specify that Select-String should expect a particular character encoding, such as when you are searching files of Unicode text.
mkdir c:\ps
cd c:\ps
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=TV", "c:\ps\CiscoLogFileExamples.txt")
Select-String cmdlet:
Select the lines where the string "192.168.208.63" appears. The pattern is a regular expression, so each dot also matches any other character; add -SimpleMatch, or escape the dots, if you need a strictly literal match:
Select-String 192.168.208.63 .\CiscoLogFileExamples.txt
Select only the matching line text. As this example shows, the result can be piped to another cmdlet:
Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line
To see how many lines involve a single host, pipe that output to another command, Measure-Object:
Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | Measure-Object
To select all IP addresses in the file, expand the Matches property, select the Value, keep the unique values and measure the output. By default Select-String keeps only the first match on each line, so -AllMatches is needed to pick up lines that contain more than one address (for example a source and a destination):
Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt -AllMatches | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object
Removing Measure-Object lists the individual IP addresses instead of just counting them:
Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt -AllMatches | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique
To determine which IP addresses communicate the most, drop the last two commands so that the match values are kept, group the output by address with Group-Object, and then sort by count using the alias for Sort-Object: sort count -des.
This sorts the addresses by count in descending order and writes the result to the shell.
Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt -AllMatches | select -ExpandProperty matches | select value | group value | sort count -des
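The same Select-String pipeline run end to end against a small constructed log, added here as an example and not taken from the course or the pastebin file. The log lines are made up in the style of Cisco ASA connection and deny messages, using addresses from the RFC 5737 documentation ranges plus the 192.168.208.63 host from the text, so the script runs offline. It also shows what -AllMatches changes and extends the text with named captures to summarise denied connections per source:

```powershell
# Added example: Select-String log analysis against a constructed firewall log.
$logFile = Join-Path $env:TEMP 'CiscoLogFileExamples.txt'
# Constructed sample lines (not real traffic), written in the style of ASA syslog.
@'
Mar 10 10:15:01 fw01 %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.168.208.63/51234 (198.51.100.5/51234)
Mar 10 10:15:03 fw01 %ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.168.208.64/51235 (198.51.100.5/51235)
Mar 10 10:15:07 fw01 %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/443 to inside:192.168.208.63/51234 duration 0:00:06 bytes 2048 TCP FINs
Mar 10 10:15:09 fw01 %ASA-4-106023: Deny tcp src outside:192.0.2.77/40000 dst inside:192.168.208.63/22 by access-group "outside_in"
Mar 10 10:15:12 fw01 %ASA-4-106023: Deny tcp src outside:192.0.2.77/40001 dst inside:192.168.208.63/23 by access-group "outside_in"
Mar 10 10:15:15 fw01 %ASA-6-302013: Built inbound TCP connection 1003 for outside:198.51.100.9/55555 (198.51.100.9/55555) to inside:192.168.208.70/443 (192.168.208.70/443)
'@ | Set-Content -Path $logFile -Encoding ASCII

$ipPattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'   # four dot-separated groups of 1-3 digits

# 1. Lines mentioning one host. -SimpleMatch treats the dots literally; as a
#    regex, '.' would also match any character.
$hostLines = Select-String -Path $logFile -Pattern '192.168.208.63' -SimpleMatch
'Lines mentioning 192.168.208.63: {0}' -f ($hostLines | Measure-Object).Count

# 2. Every IP in the file. Without -AllMatches Select-String keeps only the first
#    match per line, so the destination side of each line is silently dropped.
$firstOnly = Select-String -Path $logFile -Pattern $ipPattern |
    Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value
$allIps = Select-String -Path $logFile -Pattern $ipPattern -AllMatches |
    Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value
'Distinct addresses, first match per line: {0}' -f ($firstOnly | Sort-Object -Unique).Count
'Distinct addresses, all matches:          {0}' -f ($allIps | Sort-Object -Unique).Count

# 3. Top talkers: group by address and sort by frequency
$allIps | Group-Object | Sort-Object Count -Descending | Select-Object Count, Name

# 4. Denied connections per source, with named captures instead of splitting text
$denyPattern = 'Deny \w+ src \w+:(?<src>[\d.]+)/\d+ dst \w+:(?<dst>[\d.]+)/(?<port>\d+)'
Select-String -Path $logFile -Pattern $denyPattern | ForEach-Object {
    $g = $_.Matches[0].Groups
    [pscustomobject]@{ Source = $g['src'].Value; Target = '{0}:{1}' -f $g['dst'].Value, $g['port'].Value }
} | Group-Object Source | Select-Object Count, Name,
    @{ n = 'Targets'; e = { ($_.Group.Target | Sort-Object -Unique) -join ', ' } }
```

Compare the two "Distinct addresses" lines: with only the first match per line, 192.168.208.63 never appears in the result even though it is on four of the six lines, which is exactly the kind of gap that makes a host look quiet in an investigation.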
There are many more interesting things you can do with PowerShell; I invite you to keep researching on your own.