Windows 事件檢視器，自訂檢視

Windows Event Log
常用 Log Parser 查詢語法筆記

開關機紀錄

• TurnedOnTimesView-取得windows 開關機資訊

RDP 遠端桌面紀錄

• 建立自訂檢視
  ​​​​<QueryList>
  ​​​​  <Query Id="0" Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin">
  ​​​​    <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin">*[System[(EventID=1149)]]</Select>
  ​​​​    <Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*[System[(EventID=1149)]]</Select>
  ​​​​  </Query>
  ​​​​</QueryList>
  

帳號登入稽核紀錄

• 稽核登入事件
• 建立自訂檢視
  ​​​​<QueryList>
  ​​​​  <Query Id="0" Path="Security">
  ​​​​    <Select Path="Security">
  ​​​​        *[
  ​​​​            System[(EventID=4624 or EventID=4625)]
  ​​​​            and
  ​​​​        (
  ​​​​          EventData[Data[@Name='LogonType']='2']
  ​​​​          or
  ​​​​          EventData[Data[@Name='LogonType']='7']
  ​​​​          or
  ​​​​          EventData[Data[@Name='LogonType']='10']
  ​​​​        )
  ​​​​        ]
  ​​​​    </Select>
  ​​​​  </Query>
  ​​​​</QueryList>
  

SSL-VPN連線紀錄

• 建立自訂檢視
  ​​​​<QueryList>
  ​​​​  <Query Id="0" Path="Pulse Secure/Operational">
  ​​​​    <Select Path="Pulse Secure/Operational">*[System[(EventID=312 or EventID=308 or EventID=302)]]</Select>
  ​​​​  </Query>
  ​​​​</QueryList>
  

IIS 稽核紀錄

• IIS log 位置