Logparser
Useful links
- Logparser Studio (LPS): a graphical front end for Log Parser
After Log Parser is installed, the COM component MSUtil.LogQuery is registered in the system. It lets you query the tool's engine not only by calling LogParser.exe but also from any other familiar scripting language.
Queries
File system
.\LogParser.exe "SELECT Top 20 Path, Size FROM 'C:\*.*' ORDER BY Size DESC" -i:FS
EventLog
LogType in LPS: EVTLOG
Run from cmd, output in the graphical grid
.\LogParser.exe file:07-UserLogon.sql -i:EVT -o:DATAGRID
Selecting failed logons (event 4625)
SELECT TimeGenerated AS DATE,
       EXTRACT_TOKEN(Strings, 5, '|') AS Username,
       EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP,
       EXTRACT_TOKEN(Strings, 6, '|') AS DOMAIN,
       EXTRACT_TOKEN(Strings, 10, '|') AS LogonType,
       EXTRACT_TOKEN(Strings, 11, '|') AS AuthPackage,
       EXTRACT_TOKEN(Strings, 13, '|') AS Workstation
FROM Security
WHERE EventID = '4625'
  AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE')
  AND DOMAIN NOT IN ('NT AUTHORITY')
  AND SourceIP <> '-'
ORDER BY Username
Counting successful and failed logons per user (EventType 16 = Failure Audit, 8 = Success Audit)
SELECT EXTRACT_TOKEN(Strings, 5, '|') AS USER,
       SUM(CASE EventType WHEN 16 THEN 1 ELSE 0 END) AS Failed,
       SUM(CASE EventType WHEN 8 THEN 1 ELSE 0 END) AS Success,
       COUNT(*) AS Total
FROM Security
WHERE (EventID = '4625' OR EventID = '4624')
  AND USER <> ''
  AND USER NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE')
GROUP BY USER
ORDER BY Total DESC
Using Log Parser as the MSUtil.LogQuery COM object
# Engine, input format (file system, full recursion) and output format (CSV)
$LogQuery = New-Object -ComObject "MSUtil.LogQuery"
$InputFormat = New-Object -ComObject "MSUtil.LogQuery.FileSystemInputFormat"
$InputFormat.Recurse = -1
$OutputFormat = New-Object -ComObject "MSUtil.LogQuery.CSVOutputFormat"

# Write the 20 largest files on C: to a CSV in the user's temp folder
$OutFile = "$env:TEMP\output.csv"
$SQLQuery = "SELECT Top 20 Path, Size INTO '$OutFile' FROM 'C:\*.*' ORDER BY Size DESC"
$LogQuery.ExecuteBatch($SQLQuery, $InputFormat, $OutputFormat)

# Read the result back into PowerShell objects, show it and clean up
$CSV = Import-Csv $OutFile
$CSV | Format-List
Remove-Item $OutFile
$LogQuery = $null
$InputFormat = $null
$OutputFormat = $null
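The two pieces above (the 4625 query and the COM object) combined into a small detection script. This is an added example, not part of the original notes: it runs the query through MSUtil.LogQuery with the EventLog input format and reports source addresses whose failed-logon count crosses an assumed threshold. It assumes Log Parser 2.2 is installed and the shell can read the Security log.

```powershell
# Added example: failed-logon summary per source IP via the MSUtil.LogQuery COM object.
# Assumes Log Parser 2.2 is installed and the session has rights to read the Security log.
$Threshold = 10   # assumed cut-off for "worth a look" failures from one address

$LogQuery    = New-Object -ComObject "MSUtil.LogQuery"
$InputFormat = New-Object -ComObject "MSUtil.LogQuery.EventLogInputFormat"

# Same token positions as the 4625 query above: 5 = account name, 19 = source address.
# The EXTRACT_TOKEN expression is repeated in WHERE/GROUP BY so no alias resolution is needed.
$SQLQuery = @"
SELECT EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP,
       COUNT(*) AS Failed,
       COUNT(DISTINCT EXTRACT_TOKEN(Strings, 5, '|')) AS Accounts
FROM Security
WHERE EventID = 4625
  AND EXTRACT_TOKEN(Strings, 19, '|') <> '-'
GROUP BY EXTRACT_TOKEN(Strings, 19, '|')
HAVING COUNT(*) >= $Threshold
ORDER BY Failed DESC
"@

# Execute() returns a forward-only recordset; walk it with atEnd/getRecord/moveNext
$Records = $LogQuery.Execute($SQLQuery, $InputFormat)
$Results = @()
while (-not $Records.atEnd()) {
    $Rec = $Records.getRecord()
    $Results += [pscustomobject]@{
        SourceIP = $Rec.getValue('SourceIP')
        Failed   = [int]$Rec.getValue('Failed')
        Accounts = [int]$Rec.getValue('Accounts')
    }
    $Records.moveNext()
}
$Records.close()

# Many failures against many accounts from one address looks like password spraying;
# many failures against one account looks like a brute-force attempt. Both deserve review.
$Results | Sort-Object Failed -Descending | Format-Table -AutoSize

$LogQuery    = $null
$InputFormat = $null
```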