Government Security
Network Security Resources


Analysis Of Windows Security Logs With Ms Log Parser

Tags: security, windows, xml, tools
4 replies to this topic

#1 bspirovski



  • Sergeant Major
  • 118 posts

Posted 12 November 2009 - 01:59 PM

When investigating an intrusion in a Windows system, one of the first places to start is the Windows security log. The security event log is also very useful for analysis when searching for anomalies and possible intrusions.

Reading through a Windows security log or any other log can be very difficult and time consuming, so a lot of companies have created their own tools to analyze Windows event logs. But before you start going commercial, there is a tool that will get you going without any cost. Against all odds, it's a tool made by Microsoft!

The tool
The tool in question is Microsoft Log Parser. Log Parser is a command line tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. So, you can use it to analyze most structured text-based files and the event log and AD on a single computer.

Full Story
Bozidar Spirovski
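
As an added example that is not part of the post above or of the linked article: the query below drives Log Parser 2.2 from PowerShell to summarise failed logons (event 4625 on Vista/2008 and later) in the Security log per hour, account, logon type and source address. It assumes the default Log Parser install path, and that the insertion-string token positions 5, 6, 10 and 19 (TargetUserName, TargetDomainName, LogonType, IpAddress) match the 4625 template on your systems; check them against one record before relying on the output.

```powershell
# Added example: failed-logon summary from the Security log via Microsoft Log Parser 2.2.
# Assumptions (not from the original post): LogParser.exe at the default path, a
# Vista/2008+ target (event 4625), and the 4625 Strings token positions listed below.
param(
    [string]$Computer  = $env:COMPUTERNAME,   # a remote host name also works here; admin rights on it are required
    [string]$LogParser = 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe',
    [string]$OutCsv    = "C:\Temp\failed-logons-$($env:COMPUTERNAME).csv"
)

# The EVT input format exposes an event's insertion strings as one pipe-delimited
# field called Strings; EXTRACT_TOKEN pulls out a single value by position.
# Token positions assumed for 4625: 5 = TargetUserName, 6 = TargetDomainName,
# 10 = LogonType, 19 = IpAddress.
$query = @"
SELECT
    QUANTIZE(TimeGenerated, 3600)   AS Hour,
    EXTRACT_TOKEN(Strings, 6, '|')  AS TargetDomain,
    EXTRACT_TOKEN(Strings, 5, '|')  AS TargetUser,
    EXTRACT_TOKEN(Strings, 10, '|') AS LogonType,
    EXTRACT_TOKEN(Strings, 19, '|') AS SourceIp,
    COUNT(*)                        AS Failures
INTO $OutCsv
FROM \\$Computer\Security
WHERE EventID = 4625
GROUP BY Hour, TargetDomain, TargetUser, LogonType, SourceIp
HAVING COUNT(*) >= 5
ORDER BY Failures DESC
"@

# Collapse the here-string to one line so it is passed to the native exe as a single argument.
$query = ($query -split "`r?`n" | ForEach-Object { $_.Trim() }) -join ' '

& $LogParser -i:EVT -o:CSV -stats:OFF $query
Write-Host "Summary written to $OutCsv"
```

The HAVING threshold keeps the CSV down to accounts with five or more failures in an hour, which is the shape a brute-force or password-spray attempt leaves behind; a handful of failures spread across many accounts from one SourceIp is the spray pattern, many failures against one account is the brute-force pattern. LogonType 3 is a network logon and 10 a Remote Desktop logon, so the column tells you which service was being knocked on.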

#2 webdevil


    Retired GSO General

  • Sergeant Major
  • 1,195 posts

Posted 12 November 2009 - 11:14 PM

The thing I liked about this is the remote connectivity on offer. It centralizes the work.

#3 bonarez


    Retired GSO Second Lieutenant

  • Sergeant Major
  • 1,252 posts

Posted 13 November 2009 - 10:46 AM

PowerShell again..

Get-EventLog is your best friend, when it was still PS v1 it was very slow, especially when you're trying to query multiple servers from a different site..

With v2 we get things like WinRM, which should speed things up a bit. I haven't had the time to test remoting in v2 but I hope to get my teeth in soon..

decent enough intro, for the rest just google
"Ask the right question and you will receive the right answer. I'm just very sensitive about the right syntax"

Read the rules before you post
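
An added example, not from the post above, showing why the v2 remoting the poster mentions helps: the first form calls Get-EventLog against each server, so every Security record since the cut-off crosses the wire before it is filtered; the second runs the same failed-logon summary inside Invoke-Command over WinRM, so only the grouped counts come back. It assumes admin rights on the targets, WinRM enabled on them (Enable-PSRemoting), placeholder server names, and that ReplacementStrings index 5 is TargetUserName for event 4625.

```powershell
# Added example: the same failed-logon count over several servers, slow and fast way.
# Assumptions (not from the original post): admin rights on the targets, WinRM
# enabled for the second form, placeholder server names, and 4625 ReplacementStrings[5]
# being TargetUserName.
$servers = 'SRV01', 'SRV02', 'SRV03'        # placeholder names
$since   = (Get-Date).AddHours(-24)

# --- slow path (v1 style): records are read over RPC and filtered on this machine ---
$slow = foreach ($s in $servers) {
    Get-EventLog -ComputerName $s -LogName Security -InstanceId 4625 -After $since |
        Group-Object { $_.ReplacementStrings[5] } |
        Select-Object @{n = 'Server'; e = { $s }}, @{n = 'Account'; e = { $_.Name }}, Count
}

# --- fast path (v2 remoting): the filter and grouping run on each target over WinRM ---
$fast = Invoke-Command -ComputerName $servers -ArgumentList $since -ScriptBlock {
    param($since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
        ForEach-Object {
            # Pull TargetUserName out of the event XML rather than relying on a fixed index
            $x = [xml]$_.ToXml()
            ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        } |
        Group-Object |
        Select-Object @{n = 'Account'; e = { $_.Name }}, Count
}

# PSComputerName is added to each object by Invoke-Command, so the origin is kept.
$fast | Sort-Object Count -Descending |
    Format-Table PSComputerName, Account, Count -AutoSize
```

Both variables end up holding the same kind of per-server, per-account counts; the difference the poster is getting at is only where the filtering happens. Over a WAN link the second form is the one that finishes in a reasonable time, and it also leaves an audit trail on the target (the remoting session itself is logged there), which is what you want when the collection is part of an investigation.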

#4 bawlls



  • Members
  • 8 posts

Posted 13 November 2009 - 06:15 PM

Please pardon me if I have misunderstood, as I'm far from what I would call an expert, but could one use this remotely as a very quick way of viewing potential exploits already on the victim's PC? For example, by creating a script which when executed, runs the Microsoft Log Parser, followed by creating a text file with all relevant (to the attacker :P) information?

#5 webdevil


    Retired GSO General

  • Sergeant Major
  • 1,195 posts

Posted 13 November 2009 - 10:20 PM

You need admin credentials for the log parser to work.
So, no. It won't work.
