Parsing Windows event logs stored on a syslog-ng system with multiple lines and tabs

I'm trying to parse a few hundred Windows event logs that have not been formatted with SNARE, NXLOG or ADISCON (I'm not sure how they are shipping them to the syslog server).

The problem I'm running into is determining the best/most efficient way to parse through a multi-line, multi-tab Windows event file. I don't have the corresponding EVTX file (this is just a log file).

My goal is to get each event onto a single line with no tabs, so that I can parse it more easily with GREP and AWK.

tr -d "\n\r" < windows.log gets everything onto one line (removes the newlines); now I need to strip the tabs (which matter more than the newlines) and figure out a way to add a newline each time "Jan 14" is seen.

There is probably a better way to do this with Python, Perl or PowerShell, but my experience there is limited.

Sample log file:

Jan 14 00:00:02 server.host.com MSWinEventLog    5       Security        22159648        Sun Jan 13 23:59:35 2019        4634    Microsoft-Windows-Security-Auditing             N/A     Audit Success   server.host.com  12545   An account was logged off.
Subject:
        Security ID:            S-1-5-21-3015042641-2194367929-112691256-2051
        Account Name:           SVCACCT
        Account Domain:         MYDOMAIN
        Logon ID:               0xD7FC64F5
Logon Type:                     3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Jan 14 00:00:02 server.host.com  MSWinEventLog    5       Security        22159649        Sun Jan 13 23:59:35 2019        4634    Microsoft-Windows-Security-Auditing             N/A     Audit Success   server.host.com   12545   An account was logged off.
Subject:
        Security ID:            S-1-5-21-3015042641-2194367929-112691256-12106
        Account Name:           SVCACCT2
        Account Domain:         MYDOMAIN
        Logon ID:               0xD7FC600A
Logon Type:                     3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Sample log file condensed:

Jan 14 00:00:02 server.host.com MSWinEventLog    5       Security        22159648        Sun Jan 13 23:59:35 2019        4634    Microsoft-Windows-Security-Auditing             N/A     Audit Success   server.host.com  12545   An account was logged off. Subject: Security ID:            S-1-5-21-3015042641-2194367929-112691256-2051 Account Name:           SVCACCT Account Domain:         MYDOMAIN Logon ID:               0xD7FC64F5 Logon Type:                     3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Jan 14 00:00:02 server.host.com MSWinEventLog    5       Security        22159648        Sun Jan 13 23:59:35 2019        4634    Microsoft-Windows-Security-Auditing             N/A     Audit Success   server.host.com  12545   An account was logged off. Subject: Security ID:            S-1-5-21-3015042641-2194367929-112691256-2051 Account Name:           SVCACCT2 Account Domain:         MYDOMAIN Logon ID:               0xD7FC64F5 Logon Type:                     3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

First we remove all control characters. Then we search for "Jan 14" and add a newline in front of it. Finally we call tr with the -s flag, which replaces repeated instances of a character with a single one. I'm not too sure how efficient this is, but it may get you started.

tr -d "[:cntrl:]" < windows.log | sed 's/Jan 14/'$'\n&/g' | tr -s " "

Result:

Jan 14 00:00:02 server.host.com MSWinEventLog 5 Security 22159648 Sun Jan 13 23:59:35 2019 4634 Microsoft-Windows-Security-Auditing N/A Audit Success server.host.com 12545 An account was logged off.Subject: Security ID: S-1-5-21-3015042641-2194367929-112691256-2051 Account Name: SVCACCT Account Domain: MYDOMAIN Logon ID: 0xD7FC64F5Logon Type: 3This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Jan 14 00:00:02 server.host.com MSWinEventLog 5 Security 22159649 Sun Jan 13 23:59:35 2019 4634 Microsoft-Windows-Security-Auditing N/A Audit Success server.host.com 12545 An account was logged off.Subject: Security ID: S-1-5-21-3015042641-2194367929-112691256-12106 Account Name: SVCACCT2 Account Domain: MYDOMAIN Logon ID: 0xD7FC600ALogon Type: 3This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Rather than trying to squeeze each record onto one line and then trying to parse that, just treat each 12-line block as a single record. For example:

$ cat tst.awk
{
    gsub(/\r/,"")
    gsub(/^[[:space:]]+|[[:space:]]+$/,"")
    lineNr = (NR - 1) % 12 + 1
}
lineNr == 1 {
    f["hd"] = $0
}
lineNr ~ /[45679]/ {
    tag = val = $0
    sub(/:.*/,"",tag)
    sub(/[^:]+:[[:space:]]*/,"",val)
    f[tag] = val
}
lineNr == 11 {
    f["tl"] = $0
    for (tag in f) {
        print tag, "=", f[tag]
    }
    print "-------"
}

$ awk -f tst.awk file
tl = This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Logon ID = 0xD7FC64F5
Logon Type = 3
Account Name = SVCACCT
Security ID = S-1-5-21-3015042641-2194367929-112691256-2051
hd = Jan 14 00:00:02 server.host.com MSWinEventLog    5       Security        22159648        Sun Jan 13 23:59:35 2019        4634    Microsoft-Windows-Security-Auditing             N/A     Audit Success   server.host.com  12545   An account was logged off.
Account Domain = MYDOMAIN
-------
tl = This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Logon ID = 0xD7FC600A
Logon Type = 3
Account Name = SVCACCT2
Security ID = S-1-5-21-3015042641-2194367929-112691256-12106
hd = Jan 14 00:00:02 server.host.com  MSWinEventLog    5       Security        22159649        Sun Jan 13 23:59:35 2019        4634    Microsoft-Windows-Security-Auditing             N/A     Audit Success   server.host.com   12545   An account was logged off.
Account Domain = MYDOMAIN
-------

With that approach you can simply reference each field by its name to print or analyze it. You could extend the above to map all of the individual fields on the first line into separate tags/values, e.g.

lineNr==1 {
    f["timestamp"] = $1 " " $2 " " $3
    ...
}

or with regexp matching or whatever conditional matching makes sense. Once you've done the above, analyzing or printing whatever you like in the rest of the script becomes absolutely trivial.
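As an added example (not code from the question or from either answer above), here is a Python parser that covers what both answers aim at. It splits the file into events by matching the syslog header line rather than counting a fixed 12-line stride, so it keeps working when an event's body has a different number of lines than the awk script assumes; it keeps the header's tab-separated columns intact rather than deleting control characters (the first answer's tr -d "[:cntrl:]" removes the tabs too, which is why its result shows "off.Subject:" run together); and it exposes the "Tag: value" body lines by name, as the awk script does. The column names in HEADER_FIELDS, the "Subject." prefix for indented tags and the TAG_RE heuristic are my own choices, not anything the agent or syslog-ng documents. The sample input is the question's two events reconstructed with explicit tabs and CRLF line endings.

```python
import re
import sys

# Start of an event: BSD-syslog timestamp, host, then the "MSWinEventLog" marker.
HEADER_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)\s+"
    r"(?P<syslog_host>\S+)\s+MSWinEventLog\t(?P<rest>.*)$"
)
# A "Tag:   value" body line (heuristic: short tag then a colon); group 1 is the indent.
TAG_RE = re.compile(r"^(\s*)([A-Za-z][\w /()'-]{0,40}):\s*(.*)$")
# Assumed names for the tab-separated columns after "MSWinEventLog": the order is what
# the posted sample shows; the names are my labels, not ones the agent documents.
HEADER_FIELDS = (
    "criticality", "log_name", "counter", "event_time", "event_id", "source_name",
    "user_name", "sid_type", "event_log_type", "computer", "category", "message",
)

def _event(counter, sid, name, logon_id):
    """Constructed sample event in the question's layout, tabs explicit, CRLF endings."""
    return (
        f"Jan 14 00:00:02 server.host.com MSWinEventLog\t5\tSecurity\t{counter}\t"
        "Sun Jan 13 23:59:35 2019\t4634\tMicrosoft-Windows-Security-Auditing\t\tN/A\t"
        "Audit Success\tserver.host.com\t12545\tAn account was logged off.\r\n"
        f"Subject:\r\n\tSecurity ID:\t\t{sid}\r\n\tAccount Name:\t\t{name}\r\n"
        f"\tAccount Domain:\t\tMYDOMAIN\r\n\tLogon ID:\t\t{logon_id}\r\nLogon Type:\t\t\t3\r\n"
        "This event is generated when a logon session is destroyed. It may be positively "
        "correlated with a logon event using the Logon ID value. Logon IDs are only "
        "unique between reboots on the same computer.\r\n"
    )

SAMPLE_LOG = (
    _event("22159648", "S-1-5-21-3015042641-2194367929-112691256-2051", "SVCACCT", "0xD7FC64F5")
    + _event("22159649", "S-1-5-21-3015042641-2194367929-112691256-12106", "SVCACCT2", "0xD7FC600A")
)

def split_events(text):
    """Group raw lines into events; a new event starts at every header line, so the
    number of body lines per event does not matter (unlike a fixed 12-line stride)."""
    events, current = [], []
    for line in text.splitlines():
        line = line.rstrip("\r")          # tolerate CRLF, like tr -d '\r'
        if HEADER_RE.match(line):
            if current:
                events.append(current)
            current = [line]
        elif current:                     # continuation of the open event
            current.append(line)
        # anything before the first header (a truncated leading event) is dropped
    if current:
        events.append(current)
    return events

def flatten_event(lines):
    """The question's goal: one event per line, tabs and whitespace runs collapsed."""
    return " ".join(" ".join(line.split()) for line in lines if line.strip())

def parse_event(lines):
    """One event -> dict of syslog prefix, header columns and 'Tag: value' body lines.
    Indented tags get their section as prefix ('Subject.Account Name'); free-text
    lines are joined into 'description'."""
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not an event header: %r" % lines[0])
    rec = {"syslog_ts": m["syslog_ts"], "syslog_host": m["syslog_host"]}
    cols = m["rest"].split("\t", len(HEADER_FIELDS) - 1)   # tabs inside message survive
    rec.update(zip(HEADER_FIELDS, cols))
    section, description = None, []
    for line in lines[1:]:
        if not line.strip():
            continue
        tm = TAG_RE.match(line)
        if not tm:
            description.append(line.strip())
            continue
        indent, tag, value = tm.groups()
        value = value.strip()
        if not indent and not value:      # "Subject:" opens a section
            section = tag
        elif indent and section:
            rec[f"{section}.{tag}"] = value
        else:                             # a top-level "Logon Type: 3" closes the section
            section = None
            rec[tag] = value
    if description:
        rec["description"] = " ".join(description)
    return rec

def parse_log(text):
    """Parse a whole file into a list of event dicts."""
    return [parse_event(ev) for ev in split_events(text)]

if __name__ == "__main__":
    # python parse_mswinevent.py < windows.log ; with no piped input it parses SAMPLE_LOG
    for rec in parse_log(SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()):
        print("\n".join(f"{k} = {v}" for k, v in rec.items()), "\n-------")
```

One caveat worth keeping in mind: flatten_event gives the one-line-per-event form the question asks for, but collapsing whitespace also erases empty columns (the blank user-name field between the source name and N/A in the sample vanishes), so positional awk on the flattened line can shift by one; pull fields from parse_event's dict when the column position matters.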
