How to parse Windows Eventlog

I often have to work with Windows log files during incident response, and every time it's a very frustrating experience. Honestly, I think the Windows logging system needs a complete rework. Windows logs are for the most part completely useless, with their cryptic messages, thousands of undocumented events and lack of any easy interface to work with. It always baffles me why you can't filter or search easily by the most interesting fields, like Account Name or Source IP, in Event Viewer.

So I started to look for a solution to this problem. I wasn't able to find anything at first and started to develop my own parser based on the XML format of the logs (which is a mess itself). Halfway through I discovered an easier way with Powershell and Logparser.

Powershell way

It turns out PowerShell has a Get-WinEvent cmdlet to work with event logs. However, it still doesn't let you query individual fields, which is what we want. But I figured out a way to do this, which involves converting the event log to XML on the fly and leveraging the PowerShell pipeline to parse it. This lets you use all PowerShell features to work with logs, such as selecting certain fields and aggregating on values. It works, and all you need is PowerShell, which is great, but the downside is speed: it is a slow process, especially for big files. You also can't search easily, e.g. display all fields for a particular user.

Take a look at examples:

Logparser way

Then I discovered a tool developed by Microsoft – Logparser.

This tool is so powerful: basically it allows you to use the SQL language to query information from various files like XML, CSV and EVTX. I am not sure why, but this tool has been abandoned since 2005; nonetheless it still works. It is also very fast, with most queries taking seconds to complete. This is what I am using to quickly answer questions like:

  • Who logged into the machine?

  • What IP addresses were used for the Administrator account?

  • What did a specific user do?

  • What firewall rules were created?

Take a look at my examples here (I usually run those from the powershell console):
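An added example of my own (not the author's gists, which are not reproduced on this page) that combines the two approaches above: the PowerShell function converts each record to XML on the fly and exposes the EventData fields by name so the pipeline can filter and aggregate them, and the last command is the equivalent Logparser query. It assumes an exported Security.evtx in the current directory and LogParser.exe on the PATH; the field names and token positions come from the schema of event 4624.

```powershell
# Added example: parse Windows event records by converting them to XML on the fly.
function Get-ParsedWinEvent {
    param(
        [string]$LogName = 'Security',
        [int[]]$Id = 4624,
        [datetime]$StartTime = (Get-Date).AddDays(-30),
        [string]$Path                  # optional: offline .evtx file instead of a live log
    )
    # Filter at the source (cheaper than Where-Object over every record).
    $filter = @{ Id = $Id; StartTime = $StartTime }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = $LogName }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [xml]$xml = $_.ToXml()
        $row = [ordered]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Computer    = $xml.Event.System.Computer
        }
        # Every <Data Name="..."> element becomes a property named after it,
        # so fields can be selected by name instead of by Properties[index].
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $row[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$row
    }
}

# Who logged on to this machine, by account and logon type?
Get-ParsedWinEvent -Path .\Security.evtx |
    Group-Object TargetUserName, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Which source addresses were used for the Administrator account?
Get-ParsedWinEvent -Path .\Security.evtx |
    Where-Object { $_.TargetUserName -eq 'Administrator' -and $_.IpAddress -ne '-' } |
    Select-Object TimeCreated, IpAddress, LogonType, WorkstationName

# Logparser equivalent of the second query (assumes LogParser.exe on the PATH). In the
# EVT input format the event's insertion strings are joined with '|', so for 4624
# TargetUserName is token 5 and IpAddress token 18 (0-based), matching Properties[5]/[18].
& LogParser.exe -i:EVT -o:DATAGRID "SELECT TimeGenerated, EXTRACT_TOKEN(Strings, 5, '|') AS TargetUser, EXTRACT_TOKEN(Strings, 8, '|') AS LogonType, EXTRACT_TOKEN(Strings, 18, '|') AS IpAddress FROM Security.evtx WHERE EventID = 4624 AND EXTRACT_TOKEN(Strings, 5, '|') = 'Administrator'"
```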


7 comments

  1. […] Coincidently DFIR Blog has also published a post about parsing Windows Event Logs. The post showcases using both PowerShell and Logparser to obtain useful information out of Event Logs. Each method has worked examples and can be used as a sort of cheatsheet. How To Parse Windows Eventlog […]


  2. How do these techniques compare to using EVTXtract (which leverages python-evtx) or Plaso’s timeline analysis tools (i.e., plasm and psort) based on libevt?

    What about EMET failures in the event log? Would be neat to see some examples there since you mentioned it in a previous post.


    1. Those tools are basically parsers, so you need to build aggregations and filtering on top of them, unlike Logparser.

      As for EMET logs – they are written into Application log and can be queried similar to everything else – just filter on Source EMET.


  3. Inspiring knowledge about what to look for.

    There are ways to improve speed in the part where you're using PowerShell.
    Using Where-Object is expensive and Get-WinEvent gives you ways to filter up front like this:
    $hash = @{
        LogName   = 'Security'
        ID        = 4624
        StartTime = (Get-Date).AddDays(-1)
    }

    $event = Get-WinEvent -FilterHashtable $hash | Select-Object -First 1

    There's also a "Properties" property on the [System.Diagnostics.Eventing.Reader.EventLogRecord] objects you retrieve, that lets you approach the data you're looking for:
    $event.Properties[5]
    $event.Properties[6]
    $event.Properties[10]
    ..


    1. Thanks for your comment.

      Didn’t know about .NET API for Eventlog, gonna check it out.


  4. apraestegaard

    You're welcome.
    Btw: To get the value I should have pointed out that you need to do the following to get a string value rather than an object:
    $event.Properties[5].Value

