Logparser를 이용한 Event log 쿼리 방법

특정 시간대에 서버에 원격 데스크탑을 이용해 로그인 한 사용자에 대한 정보를 알고 싶을 경우 보안 이벤트를확인 하면 됩니다만...  보안 이벤트가 너무 많을 경우 일일이 하나 씩 체크 하는 것이 귀찮을 수 있습니다.
그럴 경우 아래와 같이 LogParser를 이용해서 확인 하시면 됩니다.

Log Parser 2.2

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

Windows Server 2003 보안 로그에서 Event ID 528은 로그온 성공을 의미하며 Log type 10은 터미널 서비스나 원격 데스크탑을 이용해서 로그인 한 사용자를 의미 합니다.  지난 블로그 참조 (http://ryuchan.kr/35)

만약 시스템이 Windows Server 2008일경우에는 event id 4624 로 쿼리를 하시면 됩니다.

[Windows Server 2003 에서 확인 방법]
C:\Program Files\Log Parser 2.2>logparser "select timegenerated, sourcename, Eventcategoryname, Message into report20110124.txt from security where eventid =528" -resolveSIDs:on

[Windows Server 2008에서 확인 방법]

C:\Program Files (x86)\Log Parser 2.2>logparser "select timegenerated, sourcename, Eventcategoryname, Message into "c:\logonsuccess.csv" from security where eventid =4624" -resolveSIDs:on

Statistics:
-----------
Elements processed: 247096
Elements output:    2065
Execution time:     63.16 seconds (00:01:3.16)

 

 

Log parser를 설치 후 아래와 같은 명령어를 입력하면 Log parser가 설치 된 디렉터리에 txt 파일로 저정할 수 있으며 별도로 디렉터리를 지정 하고 확장자도 변경 할 수 있습니다.

또한 해당 파일을 열면 아래와 같이 Log on type과 Source network address 등을 확인 할 수 있습니다.

 

 2010-11-11 18:32:43 Security   Logon/Logoff      Successful Logon: User Name: test Domain: DCRYU Logon ID: (0x0,0xA035B24) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3DC01 Logon GUID: {5c1bae83-c447-acdf-1dbb-aabab6bb3130} Caller User Name: W2K3DC01$ Caller Domain: DCRYU Caller Logon ID: (0x0,0x3E7) Caller Process ID: 4868 Transited Services: - Source Network Address: 192.168.1.100 Source Port: 2512 

2010-11-11 18:33:29 Security   Logon/Logoff      Successful Logon: User Name: test Domain: DCRYU Logon ID: (0x0,0xA053616) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3DC01 Logon GUID: {e9ca864c-6d0d-e477-3461-68d6b3edb340} Caller User Name: W2K3DC01$ Caller Domain: DCRYU Caller Logon ID: (0x0,0x3E7) Caller Process ID: 4184 Transited Services: - Source Network Address: 192.168.1.100 Source Port: 2527

2010-11-11 18:37:52 Security   Logon/Logoff      Successful Logon: User Name: test7 Domain: DCRYU Logon ID: (0x0,0xA0842E5) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3DC01 Logon GUID: {a47293d3-2e5b-f8b6-933f-fe7f9f482a50} Caller User Name: W2K3DC01$ Caller Domain: DCRYU Caller Logon ID: (0x0,0x3E7) Caller Process ID: 5336 Transited Services: - Source Network Address: 192.168.1.100 Source Port: 2546

[Event log가 CSV 파일로 저장 되어 있을 경우 이벤트 로그에서 Source Network Address 만 확인 하고자 할 경우]

[로그온 유형]

Logon type	Logon title	Description
2	Interactive	A user logged on to this computer.
3	Network	A user or computer logged on to this computer from the network.
4	Batch	Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5	Service	A service was started by the Service Control Manager.
7	Unlock	This workstation was unlocked.
8	NetworkCleartext	A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9	NewCredentials	A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10	RemoteInteractive	A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11	CachedInteractive	A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

Log Parser 2.2 and ASP.NET
http://support.microsoft.com/kb/910447

http://technet.microsoft.com/en-us/library/ee692659.aspx

감사합니다.