Simple Event Log Analysis

Windows event logs record what applications, services and the operating system itself are doing. PowerShell cmdlets let you dump those events into variables or files and then filter them, for example by date range, event ID or message text.

Log file analysis is an important task that lets you get critical information about a service, an application or a whole system. When you need to examine or research a target, dig into the log files: configuration changes, events, errors, warnings and notices from the system all end up there.

Step 1: Dump the event logs

The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.

To dump a traditional event log such as Security, Application or System, use the Get-EventLog and Export-Clixml cmdlets. Get-EventLog only exists in Windows PowerShell (5.1 and earlier); in PowerShell 7 use Get-WinEvent for these logs as well.

If you need to work with one of the trace logs (the ETW-based "Applications and Services" logs), use the Get-WinEvent and Export-Clixml cmdlets.

Get-EventLog -LogName application | Export-Clixml Applog.xml
type .\Applog.xml

To export several logs at once, put their names in an array and loop over it. The % symbol is an alias for the Foreach-Object cmdlet; it is often used when working interactively from the Windows PowerShell console. Reading the Security log requires an elevated (administrator) prompt.

$logs = "system","application","security"
$logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }

Step 2: Import the event log of interest

To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files and store the result in a variable.

The cmdlets Where-Object, Group-Object and Select-Object then do the filtering and summarising.

The following two commands first read the exported security log into a variable named $seclog and then show the five oldest entries (Get-EventLog returns the newest entries first, so select -Last gives the oldest).

$seclog = Import-Clixml security.xml
$seclog | select -Last 5

A cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:

Get-EventLog Application -After (Get-Date).AddDays(-1)

You can use -After and -Before (both take a DateTime) to filter date ranges.

One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NTFS and share permissions assigned to the location where you store it.

By default, an ordinary user does not have permission to read the security log, so lock down the export folder to the same audience.

Step 3: Drill into a specific entry

To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.

$seclog | select -first 1 | fl *

For a "special privileges assigned to new logon" entry (event ID 4672), the Message property contains the SID, account name, account domain, logon ID and the privileges assigned to the new logon. The second command below confirms that Message is a plain string, so you can run regular expressions over it.

($seclog | select -first 1).message
(($seclog | select -first 1).message).gettype()

In the *nix world, you often want a count of something (wc -l).

How often is SeSecurityPrivilege mentioned in the Message property?

To find out, pipe the contents of the security log to Where-Object to filter the events, then send the results to the Measure-Object cmdlet to count them:

$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure

To see which event IDs the entries that mention SeSecurityPrivilege belong to, use Group-Object to group the matches by the EventID property:

$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid

Importing the exported XML into a variable yields a collection of event log entries, so the Count property is available.

Use it to determine the total number of entries in the exported log:

$seclog.Count
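Steps 1 to 3 carried end to end, as an added example that is not code from the original post: an export function that also locks down the export folder (the permissions caveat above), and a parser that pulls the account and privilege list out of the Message text of a 4672 entry instead of just counting matches. The export folder, the file names and the sample message are assumptions made for this example; the export needs Windows PowerShell 5.1 (Get-EventLog) and an elevated prompt for the Security log, while the parser and the constructed sample run anywhere.

```powershell
# Added example (not from the original post). Export folder, file names and
# the sample 4672 message are assumptions. Export-ClassicLogs needs Windows
# PowerShell 5.1 and an elevated prompt for the Security log.

$exportDir = 'C:\ps\logs'   # assumed export location

function Export-ClassicLogs {
    # Step 1: dump the classic logs from the last day to one XML file each,
    # then restrict the folder so the Security export is not world-readable.
    param(
        [string[]]$LogName = @('System', 'Application', 'Security'),
        [string]$Path = $exportDir,
        [datetime]$After = (Get-Date).AddDays(-1)
    )
    New-Item -ItemType Directory -Force -Path $Path | Out-Null
    foreach ($name in $LogName) {
        try {
            Get-EventLog -LogName $name -After $After |
                Export-Clixml -Path (Join-Path $Path "$name.xml")
        } catch {
            # reading Security without administrator rights fails here
            Write-Warning "Could not export ${name}: $_"
        }
    }
    # The XML is only as protected as its ACL: drop inherited ACEs and grant
    # full control to Administrators and to the exporting user only.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($who in @('BUILTIN\Administrators',
                       [Security.Principal.WindowsIdentity]::GetCurrent().Name)) {
        $acl.AddAccessRule([Security.AccessControl.FileSystemAccessRule]::new(
            $who, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function ConvertFrom-SpecialPrivilegeEvent {
    # Step 3 helper: pull the fields out of the Message text of a 4672
    # ("special privileges assigned to new logon") entry. Other IDs are skipped.
    param([Parameter(Mandatory, ValueFromPipeline)]$Entry)
    process {
        if ($Entry.EventID -ne 4672) { return }
        $m = $Entry.Message
        $privs = @()
        if ($m -match '(?s)Privileges:\s*(.+)$') {
            $privs = @($Matches[1] -split '\s+' | Where-Object { $_ -like 'Se*' })
        }
        # one labelled value per line, e.g. "Account Name:   Administrator"
        $field = { param($label)
            if ($m -match "$label\s*(\S+)") { $Matches[1] } else { $null } }
        [pscustomobject]@{
            TimeGenerated = $Entry.TimeGenerated
            Account       = & $field 'Account Name:'
            Domain        = & $field 'Account Domain:'
            SID           = & $field 'Security ID:'
            LogonId       = & $field 'Logon ID:'
            Privileges    = $privs
            HasSeSecurity = $privs -contains 'SeSecurityPrivilege'
        }
    }
}

# Constructed sample entry mirroring the layout of a 4672 message (not a
# real event), so the parser can be tried without an export:
$sample = [pscustomobject]@{
    EventID       = 4672
    TimeGenerated = [datetime]'2019-05-01 08:15:00'
    Message       = @"
Special privileges assigned to new logon.

Subject:
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-500
    Account Name:       Administrator
    Account Domain:     CORP
    Logon ID:           0x3E7

Privileges:     SeSecurityPrivilege
                SeBackupPrivilege
                SeDebugPrivilege
"@
}
$sample | ConvertFrom-SpecialPrivilegeEvent | Format-List

# Against a real export (steps 2 and 3 of the post):
# Export-ClassicLogs
# $seclog = Import-Clixml (Join-Path $exportDir 'Security.xml')
# $seclog | ConvertFrom-SpecialPrivilegeEvent | ? HasSeSecurity |
#     group Account | sort Count -Descending
```

The parser keys on the labels in the message text rather than on column positions, so it tolerates the tab and space differences between exported and live entries; the last commented pipeline answers the question the post works towards, namely which accounts are being handed SeSecurityPrivilege and how often.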

SIMPLE LOGFILE ANALYSIS

The Select-String cmdlet is the most used command to search or filter files. Its help description:

Description

The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows. You can type Select-String or its alias, sls.

Select-String is based on lines of text. By default, Select-String finds the first match in each line and, for each match, it displays the file name, line number, and all text in the line containing the match. However, you can direct it to detect multiple matches per line, display text before and after the match, or display only a Boolean value (True or False) that indicates whether a match is found.

Select-String uses regular expression matching, but it can also perform a simple match that searches the input for the text that you specify.

Select-String can display all of the text matches or stop after the first match in each input file. It can also display all text that does not match the specified pattern. You can also specify that Select-String should expect a particular character encoding, such as when you are searching files of Unicode text.

 

mkdir c:\ps
cd c:\ps
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=TV", "c:\ps\CiscoLogFileExamples.txt")

 

 

Select-String examples, using the downloaded file:

Select the lines that contain the string "192.168.208.63". Note that the pattern is a regular expression, so the dots match any character; add -SimpleMatch when you want a literal search:

Select-String 192.168.208.63 .\CiscoLogFileExamples.txt

To show only the text of each matching line, select the Line property. This also shows that Select-String output can be piped to another cmdlet:

Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line

To see how many lines mention a single host (one line per connection message), pipe the output on to another command, Measure-Object:

Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | Measure-Object

To list all IP addresses in the file, expand the Matches property, select the Value, keep the unique values and measure the output. By default Select-String records only the first match on each line, so add -AllMatches to capture every address on a line:

Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt -AllMatches | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object

Removing Measure-Object, which only counts the addresses, lists the individual IPs instead:

Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt -AllMatches | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique

To determine which IP addresses appear most often, drop the unique/measure stage, group the matched values with Group-Object, and then sort by count in descending order using the alias for Sort-Object: sort count -des.

This delivers the IP addresses and their counts to the shell, busiest first.

Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt -AllMatches | select -ExpandProperty matches | select value | group value | sort count -des
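The same Select-String pipeline run against a constructed log file, as an added example that is not code from the original post. It adds two things the commands above do not show: an IPv4 validity check, because the \d{1,3} pattern also accepts strings such as 300.1.2.3, and -SimpleMatch for the single-host search so the dots are literal. The file location and the log lines are assumptions; the lines follow the layout of Cisco ASA connection messages but are not real traffic.

```powershell
# Added example (not from the original post). Writes constructed ASA-style
# lines to a temp file and runs the post's pipeline over it with -AllMatches
# (every address per line, not just the first) and an IPv4 validity filter.
# File location and log lines are assumptions; the last line is deliberately
# invalid to show the filter working.

$logFile   = Join-Path $env:TEMP 'CiscoLogFileExamples.txt'
$ipPattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

@'
May 01 2019 08:15:01: %ASA-6-302013: Built outbound TCP connection 1001 for outside:192.168.208.63/443 (192.168.208.63/443) to inside:10.1.1.5/52311 (10.1.1.5/52311)
May 01 2019 08:15:02: %ASA-6-302014: Teardown TCP connection 1001 for outside:192.168.208.63/443 to inside:10.1.1.5/52311 duration 0:00:01 bytes 4096 TCP FINs
May 01 2019 08:15:05: %ASA-6-302013: Built outbound TCP connection 1002 for outside:192.168.208.63/80 (192.168.208.63/80) to inside:10.1.1.7/50122 (10.1.1.7/50122)
May 01 2019 08:15:09: %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.1.1.5/445 by access-group "outside_in"
May 01 2019 08:15:10: %ASA-6-302013: Built outbound TCP connection 1003 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:10.1.1.5/52340 (10.1.1.5/52340)
May 01 2019 08:15:11: %ASA-6-302013: Built outbound TCP connection 1004 for outside:300.1.2.3/443 (300.1.2.3/443) to inside:10.1.1.7/50130 (10.1.1.7/50130)
'@ | Set-Content -Path $logFile

function Test-IPv4Literal {
    # True only for a dotted quad whose octets are all in 0..255; the regex
    # alone lets 300.1.2.3 through.
    param([string]$Text)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Text, [ref]$ip)) { return $false }
    return $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork
}

function Get-HostLines {
    # Lines that mention one host. -SimpleMatch makes the dots literal; as a
    # regex, 192.168.208.63 would also match 192x168x208x63.
    param([string]$Path, [string]$Address)
    Select-String -Path $Path -Pattern $Address -SimpleMatch |
        Select-Object -ExpandProperty Line
}

function Get-IPCounts {
    # Every valid IPv4 address in the file with the number of times it occurs,
    # busiest first: the post's group/sort pipeline plus -AllMatches and the
    # validity filter.
    param([string]$Path, [string]$Pattern = $ipPattern)
    Select-String -Path $Path -Pattern $Pattern -AllMatches |
        Select-Object -ExpandProperty Matches |
        Select-Object -ExpandProperty Value |
        Where-Object { Test-IPv4Literal $_ } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-HostLines -Path $logFile -Address '192.168.208.63' | Measure-Object
Get-IPCounts -Path $logFile
```

On the constructed file, 192.168.208.63 is counted once per occurrence on each line it appears on, so the per-address totals are higher than the per-line count from Get-HostLines; that difference is exactly what -AllMatches changes, and 300.1.2.3 is absent from the table because Test-IPv4Literal rejects it.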

 

There are many interesting things you can do with PowerShell; I invite you to keep researching them.


 


This post was written by Ruben Dario Caravajal Herrera