류짱:Beyond MySelf
How to query the Event log with LogParser
If you want to know which users logged on to a server through Remote Desktop during a particular time window, you can look at the Security event log, but when there are too many security events, checking them one by one is tedious.
In that case, you can use LogParser as shown below.
Log Parser 2.2
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
In the Windows Server 2003 security log, Event ID 528 means a successful logon, and Logon Type 10 means a user who logged on through Terminal Services or Remote Desktop. See the earlier blog post (
If the system is Windows Server 2008, query for event ID 4624 instead.
[How to check on Windows Server 2003]
C:\Program Files\Log Parser 2.2>logparser "select timegenerated, sourcename, Eventcategoryname, Message into report20110124.txt from security where eventid =528" -resolveSIDs:on
[How to check on Windows Server 2008]
C:\Program Files (x86)\Log Parser 2.2>logparser "select timegenerated, sourcename, Eventcategoryname, Message into 'c:\logonsuccess.csv' from security where eventid =4624" -resolveSIDs:on
Statistics:
-----------
Elements processed: 247096
Elements output: 2065
Execution time: 63.16 seconds (00:01:3.16)
After installing Log Parser, running the command shown saves the result as a txt file in the directory where Log Parser is installed; you can also specify a different directory and change the extension.
When you open that file you can see the Logon Type, Source Network Address and so on, as below.
2010-11-11 18:32:43 Security Logon/Logoff Successful Logon: User Name: test Domain: DCRYU Logon ID: (0x0,0xA035B24) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3DC01 Logon GUID: {5c1bae83-c447-acdf-1dbb-aabab6bb3130} Caller User Name: W2K3DC01$ Caller Domain: DCRYU Caller Logon ID: (0x0,0x3E7) Caller Process ID: 4868 Transited Services: - Source Network Address: 192.168.1.100 Source Port: 2512
2010-11-11 18:33:29 Security Logon/Logoff Successful Logon: User Name: test Domain: DCRYU Logon ID: (0x0,0xA053616) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3DC01 Logon GUID: {e9ca864c-6d0d-e477-3461-68d6b3edb340} Caller User Name: W2K3DC01$ Caller Domain: DCRYU Caller Logon ID: (0x0,0x3E7) Caller Process ID: 4184 Transited Services: - Source Network Address: 192.168.1.100 Source Port: 2527
2010-11-11 18:37:52 Security Logon/Logoff Successful Logon: User Name: test7 Domain: DCRYU Logon ID: (0x0,0xA0842E5) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3DC01 Logon GUID: {a47293d3-2e5b-f8b6-933f-fe7f9f482a50} Caller User Name: W2K3DC01$ Caller Domain: DCRYU Caller Logon ID: (0x0,0x3E7) Caller Process ID: 5336 Transited Services: - Source Network Address: 192.168.1.100 Source Port: 2546
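To pull only the account, logon type and source address out of report lines like the ones above (for example to list just the Source Network Address of type-10 logons), here is an added Python example; it is not part of the original post, and it assumes the report was written in the text layout shown above. The first three sample lines are copied from the post's output, the last two are constructed.

```python
import re
from collections import defaultdict

# Field patterns for the Windows Server 2003 "Successful Logon" (Event ID 528)
# message text as Log Parser writes it to the report file.
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
FIELD_RES = {
    "user": re.compile(r"\bUser Name: (\S+)"),          # first match = subject user
    "domain": re.compile(r"\bDomain: (\S+)"),           # first match = subject domain
    "logon_type": re.compile(r"\bLogon Type: (\d+)"),
    "source_ip": re.compile(r"\bSource Network Address: (\S+)"),
    "source_port": re.compile(r"\bSource Port: (\d+)"),
}

def parse_logon_line(line):
    """Return the interesting fields of one exported 528 line, or None when the
    line is not a Successful Logon record (e.g. the Statistics footer)."""
    ts = TIMESTAMP_RE.match(line)
    if not ts or "Successful Logon:" not in line:
        return None
    record = {"time": ts.group(1)}
    for name, pattern in FIELD_RES.items():
        m = pattern.search(line)
        record[name] = m.group(1) if m else None
    if record["source_ip"] == "-":   # console/service logons carry "-"
        record["source_ip"] = None
    return record

def remote_logons(lines, logon_type="10"):
    """Keep only logons of the given type (10 = Terminal Services / RDP)."""
    parsed = (parse_logon_line(line) for line in lines)
    return [r for r in parsed if r and r["logon_type"] == logon_type]

def sources_by_user(records):
    """Map each account to the sorted list of addresses it logged on from."""
    seen = defaultdict(set)
    for r in records:
        if r["source_ip"]:
            seen[r["user"]].add(r["source_ip"])
    return {user: sorted(ips) for user, ips in seen.items()}

# Constructed sample input: three lines from the post, one console logon, one footer line.
SAMPLE_LINES = [
    "2010-11-11 18:32:43 Security Logon/Logoff Successful Logon: User Name: test Domain: DCRYU Logon ID: (0x0,0xA035B24) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3DC01 Logon GUID: {5c1bae83-c447-acdf-1dbb-aabab6bb3130} Caller User Name: W2K3DC01$ Caller Domain: DCRYU Caller Logon ID: (0x0,0x3E7) Caller Process ID: 4868 Transited Services: - Source Network Address: 192.168.1.100 Source Port: 2512",
    "2010-11-11 18:33:29 Security Logon/Logoff Successful Logon: User Name: test Domain: DCRYU Logon ID: (0x0,0xA053616) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3DC01 Logon GUID: {e9ca864c-6d0d-e477-3461-68d6b3edb340} Caller User Name: W2K3DC01$ Caller Domain: DCRYU Caller Logon ID: (0x0,0x3E7) Caller Process ID: 4184 Transited Services: - Source Network Address: 192.168.1.100 Source Port: 2527",
    "2010-11-11 18:37:52 Security Logon/Logoff Successful Logon: User Name: test7 Domain: DCRYU Logon ID: (0x0,0xA0842E5) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3DC01 Logon GUID: {a47293d3-2e5b-f8b6-933f-fe7f9f482a50} Caller User Name: W2K3DC01$ Caller Domain: DCRYU Caller Logon ID: (0x0,0x3E7) Caller Process ID: 5336 Transited Services: - Source Network Address: 192.168.1.100 Source Port: 2546",
    "2010-11-11 18:40:01 Security Logon/Logoff Successful Logon: User Name: admin Domain: DCRYU Logon ID: (0x0,0xA0900AA) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: W2K3DC01 Logon GUID: {00000000-0000-0000-0000-000000000000} Caller User Name: W2K3DC01$ Caller Domain: DCRYU Caller Logon ID: (0x0,0x3E7) Caller Process ID: 600 Transited Services: - Source Network Address: - Source Port: -",
    "Elements processed: 247096",
]

if __name__ == "__main__":
    for r in remote_logons(SAMPLE_LINES):
        print(r["time"], r["domain"] + "\\" + r["user"], r["source_ip"], r["source_port"])
    print(sources_by_user(remote_logons(SAMPLE_LINES)))
```

The same functions work on a real report by replacing SAMPLE_LINES with the lines read from the file Log Parser produced.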
[When the event log has already been saved as a CSV file and you only want to see the Source Network Address]
[Logon types]
Logon type | Logon title | Description |
---|---|---|
2 | Interactive | A user logged on to this computer. |
3 | Network | A user or computer logged on to this computer from the network. |
4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
5 | Service | A service was started by the Service Control Manager. |
7 | Unlock | This workstation was unlocked. |
8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
Log Parser 2.2 and ASP.NET
http://support.microsoft.com/kb/910447
Thank you.