Group Event Logs by Date


Question


How can I possibly use Get-WinEvent and Group-Object on the TimeGenerated property to get output similar to this:

3540  2022-12-24
2811  2022-12-23
2088  2022-12-13
1422  2022-11-19
 240  2022-11-11

The idea is just to figure out which dates had the highest number of events (Be it System/Security - the EventType isn't important). Been prepping for an exam (DFIR) and I'd appreciate a one-liner help. I will obviously study/research the way afterwards.

Answer 1

Score: 2


Using Group-Object and Sort-Object (all my Application log entries have the same date, so I used the System log). The events are contained in the Group property.

get-winevent system | group {$_.timecreated.date} | sort count -Descending

Count Name                      Group
----- ----                      -----
  390 3/20/2023 12:00:00 AM     {System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Read...
  340 1/11/2023 12:00:00 AM     {System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Read...
  334 4/28/2023 12:00:00 AM     {System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Read...

Going through all logs takes more doing, since there's a 256-logname limit on queries. It took me about 11 minutes. There are a lot of exceptions for empty logs.

get-winevent -listlog * | % { get-winevent @{logname=$_.logname} } |
  group {$_.timecreated.date} | sort count -Descending | select -first 5

Count Name                      Group
----- ----                      -----
40371 6/9/2023 12:00:00 AM      {System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader....
 6989 6/1/2023 12:00:00 AM      {System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader....
 6428 6/8/2023 12:00:00 AM      {System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader....
 6067 6/7/2023 12:00:00 AM      {System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader....
 5815 6/5/2023 12:00:00 AM      {System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader.EventLogRecord, System.Diagnostics.Eventing.Reader....
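The answer's one-liner keeps every EventLogRecord alive inside the Group property and throws one error per empty log. Below is an added example (my own script, not code from the question or the answer) that produces the Count/Date table the question asked for while keeping only a per-day counter in memory. It expands log names with Get-WinEvent -ListLog, drops logs whose RecordCount is zero so the "No events were found" errors never fire, batches the remaining names in groups of 200 to stay under the 256-name limit the answer reports, and can also read exported .evtx files for offline triage. The function name Get-EventsPerDay, the batch size of 200, and the C:\case\*.evtx paths in the usage note are my assumptions; the script expects Windows PowerShell 5.1 or PowerShell 7 with read access to the logs.

```powershell
function Get-EventsPerDay {
    [CmdletBinding()]
    param(
        # Live log names to read; wildcards such as '*' are expanded by -ListLog.
        [string[]]$LogName = @('System', 'Security', 'Application'),
        # Optional exported .evtx files (offline triage); used instead of -LogName.
        [string[]]$Path,
        # Optional time window. TimeCreated is local time on the host doing the reading.
        [datetime]$StartTime,
        [datetime]$EndTime,
        # Number of busiest days to return.
        [int]$Top = 10
    )

    # FilterHashtable keys shared by every query batch.
    $window = @{}
    if ($PSBoundParameters.ContainsKey('StartTime')) { $window['StartTime'] = $StartTime }
    if ($PSBoundParameters.ContainsKey('EndTime'))   { $window['EndTime']   = $EndTime }

    # One hashtable of counters instead of a Group property holding every record.
    $perDay = @{}

    # Each element is a partial FilterHashtable (Path or LogName) for one query.
    $sources = @()
    if ($Path) {
        foreach ($p in $Path) { $sources += , @{ Path = $p } }
    } else {
        # Expand wildcards and skip empty or unreadable logs, so no per-log
        # "No events were found" errors are raised later.
        $names = @(Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue |
                   Where-Object { $_.RecordCount -gt 0 } |
                   Select-Object -ExpandProperty LogName)

        # Batch size of 200 is an assumption chosen to stay under the 256-name
        # limit reported in the answer above.
        $batchSize = 200
        for ($i = 0; $i -lt $names.Count; $i += $batchSize) {
            $last = [Math]::Min($i + $batchSize - 1, $names.Count - 1)
            $sources += , @{ LogName = $names[$i..$last] }
        }
    }

    foreach ($src in $sources) {
        $filter = $src + $window   # merge source keys with the time window
        # SilentlyContinue: access-denied or empty sources are skipped, not fatal.
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($null -ne $_.TimeCreated) {
                    $day = $_.TimeCreated.ToString('yyyy-MM-dd')
                    $perDay[$day] = 1 + [int]$perDay[$day]
                }
            }
    }

    # Emit Count/Date objects in the same shape as the table in the question.
    $perDay.GetEnumerator() |
        ForEach-Object { [pscustomobject]@{ Count = $_.Value; Date = $_.Key } } |
        Sort-Object Count -Descending |
        Select-Object -First $Top
}

# Busiest ten days across System, Security and Application on the live host.
Get-EventsPerDay | Format-Table -AutoSize

# Offline variant for logs exported from an image (placeholder paths):
# Get-EventsPerDay -Path 'C:\case\System.evtx', 'C:\case\Security.evtx' -Top 5

# Every log on the host, restricted to a window of interest:
# Get-EventsPerDay -LogName '*' -StartTime (Get-Date).AddDays(-30) -Top 5
```

Two points worth knowing when reading the output: TimeCreated is rendered in the local time zone of the host running the script, so a day boundary on an analysis workstation in a different zone will not match the day boundary of the system that wrote the events, and a day with an unusually high count is only a starting point, since a single chatty provider (or a cleared-log event followed by a restart) can dominate it. Grouping by the ProviderName or Id inside that day is the natural next filter.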

huangapple
  • This post was published on June 8, 2023 22:15:56
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76432788.html