Log Processing Tools. PS Tools Suite. PSTools Suite. PSTools Suite



Similar documents
Guide to Computer Forensics and Investigations, Second Edition

User Guide. Version 3.2. Copyright Snow Software AB. All rights reserved.

Matisse Installation Guide for MS Windows. 10th Edition

Collecting Windows Security Audit Log data with NXLog and Sysmon. Collecting Windows Security Audit Log data with NXLog and Sysmon

Log Management and Intrusion Detection

Matisse Installation Guide for MS Windows

How To Upgrade A Websense Log Server On A Windows 7.6 On A Powerbook (Windows) On A Thumbdrive Or Ipad (Windows 7.5) On An Ubuntu (Windows 8) Or Windows

How To - Implement Clientless Single Sign On Authentication with Active Directory

How To Use The Correlog With The Cpl Powerpoint Powerpoint Cpl.Org Powerpoint.Org (Powerpoint) Powerpoint (Powerplst) And Powerpoint 2 (Powerstation) (Powerpoints) (Operations

Volume SYSLOG JUNCTION. User s Guide. User s Guide

This document describes the installation of the Web Server for Bosch Recording Station 8.10.

DiskPulse DISK CHANGE MONITOR

User Migration Tool. Note. Staging Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0(1) 1

THUM - Temperature Humidity USB Monitor

Tufts VPN Client User Guide for Windows

Adding a DNS Update Step to a Recovery Plan VMware vcenter Site Recovery Manager 4.0 and later

MAS 500 Intelligence Tips and Tricks Booklet Vol. 1

Comprehensive List of XenDesktop Event Log Entries

Yale Software Library

Security Correlation Server Quick Installation Guide

WINDOWS PROCESSES AND SERVICES

Introduction to PsPing - a new Microsoft Windows tool for measuring network performance. Bartek Gajda gajda@man.poznan.pl

Knowledge Base Article: Article 218 Revision 2 How to connect BAI to a Remote SQL Server Database?

WhatsUp Gold v16.3 Installation and Configuration Guide

Guardium7: Windows Event Log Capture All files needed for this exercise are in the TSE FTP Folder : Run script: read_events.pl:

HYPERION SYSTEM 9 N-TIER INSTALLATION GUIDE MASTER DATA MANAGEMENT RELEASE 9.2

Introduction. Before you begin. Installing efax from our CD-ROM. Installing efax after downloading from the internet

KB Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool Is Available

FTP, IIS, and Firewall Reference and Troubleshooting

Lab 14A: Using Task Manager and Event Viewer

Network Event Viewer now supports real-time monitoring enabling system administrators to be notified immediately when critical events are logged.

McAfee One Time Password

Windows PowerShell Cookbook

TZWorks Windows Event Log Viewer (evtx_view) Users Guide

Automated Windows Event Log Forensics

OV Operations for Windows 7.x

Troubleshooting Guide

4cast Client Specification and Installation

Insight Video Net. LLC. CMS 2.0. Quick Installation Guide

Integrating VoltDB with Hadoop

Active Network Monitor

Tips and Tricks SAGE ACCPAC INTELLIGENCE

Forensics II. Android reverse engineering Logs [repetition]

Pcounter Web Report 3.x Installation Guide - v Pcounter Web Report Installation Guide Version 3.4

CA Nimsoft Monitor. Probe Guide for NT Event Log Monitor. ntevl v3.8 series

HELP DOCUMENTATION E-SSOM INSTALLATION GUIDE

BlackBerry Enterprise Server Resource Kit

VX Search File Search Solution. VX Search FILE SEARCH SOLUTION. User Manual. Version 8.2. Jan Flexense Ltd.

Virtual CD v10. Network Management Server Manual. H+H Software GmbH

Resources You can find more resources for Sync & Save at our support site:

Reference and Troubleshooting: FTP, IIS, and Firewall Information

Nagios XI Monitoring Windows Using WMI

Nexio Connectus with Nexio G-Scribe

Database Administration with MySQL

XMap 7 Administration Guide. Last updated on 12/13/2009

RTI Database Integration Service. Getting Started Guide

DataLogger Kepware, Inc.

CounterPoint SQL and Magento ecommerce Interface

Web Application Vulnerability Testing with Nessus

Global Image Management System For epad-vision. User Manual Version 1.10

Jet Data Manager 2012 User Guide

Microsoft XP Professional Remote Desktop Connection

Digital Forensic Tool for Decision Making in Computer Security Domain

WhatsUp Event Analyst v10.x Quick Setup Guide

Windows Vulnerability Assessment

Propalms TSE Quickstart Guide

Pearl Echo Installation Checklist

Spector 360 Deployment Guide. Version 7

SMART Sync Windows operating systems. System administrator s guide

Contents CHAPTER 1 IMail Utilities

RSA Security Analytics

ILTA HANDS ON Securing Windows 7

How To Set Up Safetica Insight 9 (Safetica) For A Safetrica Management Service (Sms) For An Ipad Or Ipad (Smb) (Sbc) (For A Safetaica) (

etrust Audit irecorder Reference Guide for Microsoft NT Event Log 1.5 SP2

STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER

WhatsUp Gold v16.1 Installation and Configuration Guide

Using Process Monitor

User manual of the Work Examiner Contents

Secure FTP Server. User's Guide. GlobalSCAPE

HP A-IMC Firewall Manager

Activity 1: Scanning with Windows Defender

Project management integrated into Outlook

Using RADIUS Agent for Transparent User Identification

Paxera Uploader Basic Troubleshooting

AdminToys Suite. Installation & Setup Guide

Installing GFI LANguard Network Security Scanner

Use Enterprise SSO as the Credential Server for Protected Sites

FILE TRANSFER PROTOCOL (FTP) SITE

Database Migration and Management Guide v15.0

11.1. Performance Monitoring

qliqdirect Active Directory Guide

Sysax Multi Server User manual

Security Correlation Server Quick Installation Guide

Table of Contents WELCOME TO ADAUDIT PLUS Release Notes... 4 Contact ZOHO Corp... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED...

Installation Guide: Delta Module Manager Launcher

SysPatrol - Server Security Monitor

Centralized Auditing in Windows Derek Melber

CUSTOMER Installing SAP Afaria

WhatsUp Gold v16.0 Database Migration and Management Guide Learn how to migrate a WhatsUp Gold database from Microsoft SQL Server 2005 Express

Terminal Services Tools and Settings - Terminal Services: %PRODUCT%

Transcription:

Log Processing Tools Dr. Guillermo A Francia, III Jacksonville State University PS Tools Suite Developed by Mark Russinovich and Dave Solomon of SysInternals A collection of tools for viewing the detailed information about processes Good news: great tools for Sysadmins Worst news: hackers thrive with them Works on Windows NT, Windows 2000, Windows XP and Windows Server 2003 PSTools Suite PsExec - execute processes remotely PsFile - shows files opened remotely PsGetSid - display the SID of a computer or a user PsInfo - list information about a system PsKill - kill processes by name or process ID PsList - list detailed information about processes PSTools Suite PsLoggedOn - see who's logged on locally and via resource sharing PsLogList - dump event log records PsPasswd - changes account passwords PsService - view and control services PsShutdown - shuts down and optionally reboots a computer PsSuspend - suspends processes 1

PSExec PsExec is a utility that lets you execute processes on other systems, complete with full interactivity Usage: psexec [\\computer[,computer[,..] @file ][-u user [-p psswd]][-n s][-l][-s -e][-i][-x][-c [-f v]][-d][-w directory][-<priority>][-a n,n,...] cmd [arguments] PSExec Computer -- Direct PsExec to run the application on the computer or computers specified. A computer name of "\\*" PsExec runs the applications on all computers in the current domain. @file -- Directs PsExec to run the command on each computer listed in the text file specified. -c -- Copy the specified program to the remote system for execution. -d -- Don't wait for application to terminate. -f -- Copy the specified program to the remote system even if the file already exists on the remote system. -I -- Run the program so that it interacts with the desktop on the remote system. PSExec -n -- Specifies timeout in seconds connecting to remote computers. -p -- Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password. -s -- Run remote process in the System account. -u -- Specifies optional user name for login to remote computer. -v -- Copy the specified file only if it has a higher version number or is newer on than the one on the remote system. PSExec -priority -- Specifies -low, -belownormal, -abovenormal, -high or -realtime to run Program --Name of the program to execute. Arguments -- Arguments to pass You can enclose applications that have spaces in their name with quotation marks e.g. "psexec \\gfrancia c:\long name\app.exe". Input is only passed to the remote system when you press the enter key, and typing Ctrl-C terminates the remote process. 2

PSExec Examples Launch a command console psexec \\RemoteComp cmd Execute ipconfig on the remote system with the /all switch psexec \\RemoteComp ipconfig /all Copy the program test.exe to the remote system and execute it interactively: psexec \\RemoteComp -c test.exe PSExec Examples Run Regedit interactively in the System account to view the contents of the SAM and SECURITY keys: psexec -i -d -s c:\windows\regedit.exe Run Internet Explorer with limited-user privileges: psexec -l -d "c:\program files\internet explorer\iexplore.exe" PSLogList PsLogList is a utility that shows the contents of the System Event Log on the local computer in a userfriendly format. Command line options let you view logs on different computers, use a different account to view a log, or to have the output formatted in a stringsearch friendly way. Usage: psloglist [-?] [\\computer[,computer[,...] @file [-u username [-p password]]] [-s [-t delimiter]] [-m # -n # h # -d # -w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy][-f filter] [-i ID[,ID[,...] -e ID[,ID[,...]]] [-o event source[,event source][,..]]] [-q event source[,event source][,..]]] [-l event log file] <eventlog> PSLogList Options @fileexecute the command on each of the computers listed in the file. -a Dump records timestamped after specified date. -b Dump records timestamped before specified date. -c Clear the event log after displaying. -d Only display records from previous n days. 3

PSLogList Options -e Exclude events with the specified ID or IDs (up to 10). -f Filter event types with filter string (e.g. "-f w" to filter warnings). -g Export an event log as an evt file. This can only be used with the -c switch (clear log). -h Only display records from previous n hours. PSLogList Options -l Dump records from the specified event log file. -m Only display records from previous n minutes. -n Only display the number of most recent entries specified. -o Show only records from the specified event source (e.g. \"-o cdrom\"). -p Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password. PSLogList Options -q Omit records from the specified event source or sources (e.g. \"-o cdrom\"). -r Dump log from least recent to most recent. -s This switch has PsLogList print Event Log records one-per-line, with comma delimited fields. This format is convenient for text searches, e.g. psloglist findstr /i text, and for importing the output into a spreadsheet. -t The default delimeter is a comma, but can be overriden with the specified character. PSLogList Options -u Specifies optional user name for login to remote computer. -w Wait for new events, dumping them as they generate. -x Dump extended data. eventlog By default PsLogList shows the contents of the System Event Log. Specify a different event log by typing in the first few letters of the log name, application, system, or security. 4

PSLogList Examples Log Parser A Microsoft tool that provides universal query access to log files, XML files, CSV files, and key system resources such as the event logs, the registry, the file system, and Active Directory Its output can be formatted into text delimited, grid data, or a chart. It is a free utility and can be downloaded from: http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx Log Parser Examples Log Parser Examples LogParser "SELECT TimeGenerated, EventTypeName INTO report.txt FROM Security WHERE EventID = 528 or EventID=529 SELECT TO_DATE(LastWriteTime) as LastWriteDate, COUNT(*) as WriteFrequency INTO FROM C:\\TempChart.gif C:/Temp/*.* GROUP BY LastWriteDate 5

Log Parser Examples Log Parser Examples SELECT Path, count(*) as [Keys Modified] INTO C:\\TempChart.gif FROM HKLM\\SOFTWARE WHERE LastWriteTime >= SUB(SYSTEM_TIMESTAMP( ), TIMESTAMP('0000-01-02','yyyy-MM-dd')) GROUP BY Path SELECT StatusCode, Count(*) as [Status Code Count] INTO C:\\TempChart.gif FROM C:\\temp\\access2.log GROUP BY StatusCode ORDER BY StatusCode Log Parser Architecture Log Parser Input Format Three components: Input Formats are generic record providers; records are equivalent to rows in a SQL table. A SQL-Like Engine Core processes the records generated by an Input Format, using a dialect of the SQL language. Output Formats are generic consumers of records; they can be thought of as SQL tables that receive the results of the data processing. IIS log files (W3C, IIS, NCSA, Centralized Binary Logs, HTTP Error logs, URLScan logs, ODBC logs) Windows Event Log Generic XML, CSV, TSV and W3C - formatted text files (e.g. Exchange Tracking log files, Personal Firewall log files, Windows Media Services log files, FTP log files, SMTP log files, etc.) Windows Registry Active Directory Objects File and Directory information NetMon.cap capture files Extended/Combined NCSA log files ETW traces Custom plugins (through a public COM interface) 6

Log Parser SQL-like Engine Core Processes the SQL-like language that includes common SQL clauses (SELECT, WHERE, GROUP BY, HAVING, ORDER BY), aggregate functions (SUM, COUNT, AVG, MAX, MIN), and a rich set of functions (e.g. SUBSTR, CASE, COALESCE, REVERSEDNS, etc.); Log Parser Output Formats Write data to text files in different formats (CSV, TSV, XML, W3C, userdefined, etc.) Send data to a SQL database Send data to a SYSLOG server Create charts and save them in either GIF or JPG image files Display data to the console or to the screen Input Format Fields and Data Types Data Types Supported Integer Real String Timestamp The EVT Input Format To determine the input format of Windows Event type (EVT): C:\>LogParser -h -i:evt Fields: EventLog (S) TimeGenerated (T) EventID (I) EventTypeName (S) EventCategoryName (S) Strings (S) RecordNumber (I) TimeWritten (T) EventType (I) EventCategory (I) SourceName (S) ComputerName (S) SID (S) Message (S) Data (S) 7

Log Parser Basic Query LogParser -i:evt -o:nat "SELECT * FROM System" Log Parser Basic Query LogParser -i:evt -o:nat "SELECT * INTO Sample.txt FROM System" -i:evt input format is Windows Event log -o:nat output format is tabulated values Select * * is a wildcard indicating all fields From System input data coming from System event log Sample.txt specified output file Log Parser Basic Query Calling LogParser from a C# Program More sample queries: SELECT * FROM SecurityWHERE Message LIKE '%logon%' SELECT * FROM SecurityWHERE EventID IN (547; 541; 540; 528) SELECT * FROM SecurityWHERE EventID BETWEEN 528 AND 547 LogParser -i:fs -o:nat "SELECT Path, Size FROM C:\MyDirectory\*.* ORDER BY Size" LogParser -i:fs -o:nat "SELECT Path, Size FROM C:\MyDirectory\*.* ORDER BY Size DESC" Process myproc = new Process(); myproc.startinfo.filename = "Logparser.exe"; myproc.startinfo.arguments = " -i:evt file:c:\\logon.sql"; myproc.startinfo.workingdirectory = "C:\\Program Files\\Log Parser 2.2"; myproc.start(); myproc.waitforexit(); myproc.close(); 8

The Logon.sql File SELECT SID, EventTypeName, EventCategoryName, COUNT(*) as TotalLogons INTO "C:\\junk.txt" FROM Security WHERE EventID BETWEEN 528 AND 547 Group by SID, EventTypeName, EventCategoryName Order by TotalLogons DESC 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information