心动吧黑客BLOG
Windows Eventlog Fun with Free Tools

Reposted from: TR blog

This week at work I was asked to find why a specific account was constantly being locked out. Sounds pretty easy, eh? Well, the thing is, this was a service account and I have quite a lot of DCs where this could be happening from.

I did a little research on my favourite site, www.ultimatewindowssecurity.com, ran a few tests to make sure I knew what I was looking for, and set about getting the remote logs back to my site so I could perform some analysis.



I started out with Dumpevt from Somarsoft. I could just grab a single event log using the following:



dumpevt.exe /computer=SERVER01 /logfile=sec /outdir=c:\Temp\Dump /all





But then I figured that I really needed to automate the retrieval of the logs so I threw in a FOR loop to go through a list of servers:



FOR /f %i in (c:\servers.txt) do @dumpevt.exe /computer=%i /logfile=sec /outfile=c:\Temp\Dump\%i-SecLog-%random% /all





As I sat back and waited...and waited .....and waited I figured that this probably wasn't the most efficient use of time or bandwidth as the logs were all over 250MB in size. I took the logs I had so far and opened them in Mandiant's excellent tool Highlighter. Well that's when I hit my second problem. Highlighter took absolutely ages to open the logs using my measly 512MB of RAM.



So I needed a way to parse the logs on the server and return just the events of interest. I then turned to the Microsoft tool EventComb. This tool allowed me to search through a list of servers for just the events I needed. It has predefined searches built in that can be useful, lets you set the number of threads to run, and lets you restrict the search to events within a specific date range. The matching events from each server are written to individual text files, which I could then search through easily with Highlighter.



Whilst I was having all this fun I also wrote a few scripts in Log Parser for fun. Here are a couple of the scripts I put together in LogParser and the command line to run them. The event IDs used below (529 for a logon failure, 644 for an account lockout) are the Windows 2000/2003 Security log IDs; on Vista/2008 and later the equivalents are 4625 and 4740. The EXTRACT_TOKEN indexes follow the order of the event's insertion strings, so for 529 token 0 is the user name, token 1 the domain, token 2 the logon type and token 5 the workstation name.





LogParser.exe file:logonfailure.sql -i:EVT -o:datagrid



------------logonfailure.sql--------
SELECT
    ComputerName,
    TimeGenerated AS LogonTime,
    EventID,
    EventType,
    EventCategoryName,
    EXTRACT_TOKEN(Strings, 0, '|') AS User,
    EXTRACT_TOKEN(Strings, 1, '|') AS Domain,
    EXTRACT_TOKEN(Strings, 2, '|') AS Logon_Type,
    EXTRACT_TOKEN(Strings, 5, '|') AS Workstation,
    EXTRACT_TOKEN(Message, 0, ':') AS Message,
    EXTRACT_TOKEN(Message, 2, ':') AS Reason
FROM \\Server01\Security
WHERE EventID IN (529)
--------------end--------------------





And for the account lockouts, here's an example of throwing the query into a loop that I could just cut and paste onto the command line to output the results from multiple servers into a single CSV file. For a 644 event token 0 of Strings is the target account name and token 2 is the caller machine name, which is the machine the bad credentials are coming from. Note that %random% is expanded once, when cmd.exe reads the line, so every server appends (-filemode:0) to the same file:

FOR /f %i in (c:\servers.txt) do @LogParser.exe -i:EVT -o:csv -headers:auto -filemode:0 "SELECT ComputerName, TimeGenerated AS LogonTime, EventID, EventType, EventCategoryName, EXTRACT_TOKEN(Strings, 0, '|') AS TargetAccount, EXTRACT_TOKEN(Strings, 2, '|') AS CallerMachine INTO C:\lockouts-%random%.csv FROM \\%i\Security WHERE EventID IN (644)"
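Once the 644 rows from every DC are in one CSV, the question is which machine is generating the lockouts. The following script is an added example, not code from the original post: it reads CSV in the shape Log Parser's -o:csv -headers:auto output takes and ranks caller machines per locked-out account. The column names (LogonTime, EventID, TargetAccount, CallerMachine) are the aliases I assume the lockout query used, and the sample rows are constructed, not real log data.

```python
"""Rank the machines that lock out an account, from Log Parser CSV output.

Added example (not code from the original post). It assumes the CSV was
produced by a 644 (account lockout) query whose columns are aliased
LogonTime, EventID, TargetAccount and CallerMachine; the rows below are
constructed, not real log data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape LogParser -o:csv -headers:auto writes.
# EventType 8 is a Success Audit, which is how 644 is always logged.
SAMPLE_CSV = """\
ComputerName,LogonTime,EventID,EventType,EventCategoryName,TargetAccount,CallerMachine
DC01,2009-03-02 08:01:13,644,8,Account Management,svc_backup,APP03
DC02,2009-03-02 08:01:15,644,8,Account Management,svc_backup,app03
DC01,2009-03-02 09:31:40,644,8,Account Management,svc_backup,APP03
DC03,2009-03-02 09:32:02,644,8,Account Management,jsmith,WKS117
DC01,2009-03-02 11:05:55,644,8,Account Management,svc_backup,APP07
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # the timestamp text Log Parser writes


def summarise_lockouts(csv_text):
    """Group 644 rows by (account, caller machine).

    Returns {account: [(machine, count, first_seen, last_seen), ...]}
    with each account's list sorted by count, highest first. Rows with
    any other EventID are skipped, so a CSV that also holds 529 rows
    (whose Strings tokens mean something else) is handled safely.
    """
    stamps = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] != "644":
            continue
        when = datetime.strptime(row["LogonTime"], TIME_FMT)
        # Case-fold the machine name: NetBIOS names come back in mixed case.
        key = (row["TargetAccount"], row["CallerMachine"].upper())
        stamps[key].append(when)

    summary = defaultdict(list)
    for (account, machine), times in stamps.items():
        summary[account].append((machine, len(times), min(times), max(times)))
    for account in summary:
        summary[account].sort(key=lambda entry: entry[1], reverse=True)
    return dict(summary)


def likely_source(summary, account):
    """Return the machine with the most lockouts for `account`, or None."""
    entries = summary.get(account)
    return entries[0][0] if entries else None


if __name__ == "__main__":
    result = summarise_lockouts(SAMPLE_CSV)
    for account, entries in sorted(result.items()):
        print(account)
        for machine, count, first, last in entries:
            print(f"  {machine:<10} {count:>3} lockouts  "
                  f"{first:%H:%M:%S} .. {last:%H:%M:%S}")
    print("likely source for svc_backup:", likely_source(result, "svc_backup"))
```

Point the script at the CSV the loop wrote instead of SAMPLE_CSV and the top entry for the service account is the box to go and look at; the first/last timestamps tell you whether it is a one-off or a scheduled job re-trying stale credentials.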





My conclusion from this: whilst I really like LogParser, it does take a while to tune it to find exactly what you want. However, it is an extremely flexible tool for searching many different types of logs, and if you get the Syngress book there is a great example of building an IDS with LogParser. The benefit of LogParser is that it can be scripted to run regularly as a scheduled task, archiving just the events you are interested in.



EventComb was easy to use, let me save my searches for reuse later, and used along with Highlighter proved to be just what I needed to get to the detail very quickly and resolve my problem.





Resources

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

http://www.systemtools.com/somarsoft/

http://www.mandiant.com/software/highlighter.htm

http://support.microsoft.com/kb/308471

http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx

Article link: http://www.abcxd.com/abcxd/abcxdArticle/qtoday/WindowsEventlog.html

Copyright 2004-2009 心动吧 ABCXD.CoM All Rights Reserved