---
tags: 主機管理
---
# Windows Event Viewer: custom views
> [Windows Event Log](https://amingosec.blog/posts/windows-event-log/)
> [Notes on common Log Parser query syntax](https://dog0416.blogspot.com/2019/05/log-parser-log-parser-queries-note.html)
### Startup and shutdown records
* [TurnedOnTimesView: retrieve Windows startup/shutdown information](https://amingosec.blog/posts/using-turnedontimesview-to-get-windows-off-on-time/)
### RDP (Remote Desktop) records
* Create a custom view
```
<QueryList>
<Query Id="0" Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin">
<Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin">*[System[(EventID=1149)]]</Select>
<Select Path="Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational">*[System[(EventID=1149)]]</Select>
</Query>
</QueryList>
```
### Account logon audit records
* [Audit logon events](https://learn.microsoft.com/zh-tw/windows/security/threat-protection/auditing/basic-audit-logon-events?source=recommendations)
* Create a custom view
```
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[
System[(EventID=4624 or EventID=4625)]
and
(
EventData[Data[@Name='LogonType']='2']
or
EventData[Data[@Name='LogonType']='7']
or
EventData[Data[@Name='LogonType']='10']
)
]
</Select>
</Query>
</QueryList>
```
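The two custom views above (RDP event 1149 and Security 4624/4625 filtered to LogonType 2, 7 and 10) can be run from PowerShell with the same `<QueryList>` XML, which is handy for a quick review or for scripting. The following is an added example, not part of the original note: it passes the logon-audit query to `Get-WinEvent -FilterXml`, pulls the interesting fields out of each record's XML, and summarizes failed logons per account and source address. The function name `Get-CustomViewEvents`, the `-MaxEvents` limit and the chosen output columns are my own choices; run it in an elevated PowerShell on the host being reviewed.

```powershell
# Added example (not from the original note): run a custom-view XPath query
# with Get-WinEvent -FilterXml and return one object per event.
# Assumptions: elevated PowerShell on the host being reviewed; the function
# name, -MaxEvents and the output columns are the author's choices here.

function Get-CustomViewEvents {
    param(
        [Parameter(Mandatory)] [string] $FilterXml,
        [int] $MaxEvents = 5000
    )
    # -FilterXml takes the same <QueryList> that Event Viewer uses for custom views.
    Get-WinEvent -FilterXml $FilterXml -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml] $_.ToXml()
            $data = @{}
            # Security events (4624/4625) carry their fields in EventData/Data[@Name].
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # RDP event 1149 stores its fields under UserData/EventXML instead:
            # Param1 = user, Param2 = domain, Param3 = source network address.
            $ux = $xml.Event.UserData.EventXML
            if ($ux) {
                $data['TargetUserName']   = $ux.Param1
                $data['TargetDomainName'] = $ux.Param2
                $data['IpAddress']        = $ux.Param3
            }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Computer  = $_.MachineName
                User      = $data['TargetUserName']
                Domain    = $data['TargetDomainName']
                LogonType = $data['LogonType']   # 2 interactive, 7 unlock, 10 RDP
                SourceIp  = $data['IpAddress']
                Status    = $data['Status']      # 4625 failure status (hex); empty for 4624
            }
        }
}

# The logon-audit custom view from the note, unchanged apart from indentation.
$logonQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)]
        and (EventData[Data[@Name='LogonType']='2']
          or EventData[Data[@Name='LogonType']='7']
          or EventData[Data[@Name='LogonType']='10'])]
    </Select>
  </Query>
</QueryList>
'@

$events = Get-CustomViewEvents -FilterXml $logonQuery

# Failed logons (4625) per account and source address, most frequent first:
# repeated failures from one address against LogonType 10 are the usual
# sign of password guessing against RDP.
$events |
    Where-Object { $_.EventId -eq 4625 } |
    Group-Object User, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Successful RDP logons (4624 with LogonType 10), oldest first, to check
# whether any of the noisy source addresses eventually got in.
$events |
    Where-Object { $_.EventId -eq 4624 -and $_.LogonType -eq '10' } |
    Sort-Object Time |
    Format-Table Time, User, Domain, SourceIp -AutoSize
```

The same function accepts the RDP custom view from the previous section (`Get-CustomViewEvents -FilterXml $rdpQuery` with that XML in a here-string); the `User`, `Domain` and `SourceIp` columns are then filled from event 1149's `UserData` block. Because `-FilterXml` is evaluated by the event log service rather than in PowerShell, it is far faster than reading the whole Security log and filtering afterwards.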
### SSL-VPN connection records
* Create a custom view
```
<QueryList>
<Query Id="0" Path="Pulse Secure/Operational">
<Select Path="Pulse Secure/Operational">*[System[(EventID=312 or EventID=308 or EventID=302)]]</Select>
</Query>
</QueryList>
```
### IIS audit records
* [Location of IIS log files](https://amingosec.blog/posts/location-of-iis-log-files/)