- About the Author
- About the Technical Editor
- Credits
- Acknowledgments
- Foreword
- Introduction
- CHAPTER 1 Fundamental Networking and Security Tools
- CHAPTER 2 Troubleshooting Microsoft Windows
- CHAPTER 3 Nmap—The Network Mapper
- CHAPTER 4 Vulnerability Management
- CHAPTER 5 Monitoring with OSSEC
- CHAPTER 6 Protecting Wireless Communication
- CHAPTER 7 Wireshark
- CHAPTER 8 Access Management
- CHAPTER 9 Managing Logs
- CHAPTER 10 Metasploit
- CHAPTER 11 Web Application Security
- CHAPTER 12 Patch and Configuration Management
- CHAPTER 13 Securing OSI Layer 8
- CHAPTER 14 Kali Linux
- CHAPTER 15 CISv7 Controls and Best Practices
Windows PowerShell
A shell is typically a user interface that accesses the tools behind the GUI of an operating system. It uses a command‐line interface (CLI) rather than moving and clicking a mouse. It's called a shell because it is the layer outside the operating system's kernel. To use a CLI successfully, you have to be familiar with the proper syntax and commands.
Windows PowerShell is Microsoft's command‐line shell and scripting language, built on .NET and designed with administrators in mind. It started life as a proprietary Windows component; since 2016 PowerShell has been open source and cross‐platform, although the cmdlets used in this chapter run on Windows. My favorite feature of a command shell is the ability to speed up work with command‐line completion, a lifesaver for those of us who are horrible typists: type a few characters of a command and press the Tab key, repeatedly if needed, until the item you want appears. PowerShell also keeps a history of the commands you have run, so you can press the up arrow to cycle through previous commands and reuse them.
PowerShell introduced the cmdlet (pronounced “command‐let”), a simple, single‐function command built into the shell. A cmdlet is a specific instruction you give the OS to perform one action, such as “list the running processes.” Hundreds of cmdlets ship with Windows, and every one is named as a verb‐noun pair. For example, type Get‐Help followed by a cmdlet name, such as Get-Help Get-Process, and PowerShell displays that cmdlet's description and syntax; Get-Command lists the cmdlets available on your system.
Searching logs using PowerShell has an advantage over Windows Event Viewer. You can check for events on remote computers much quicker, which is extremely valuable if you ever do server management. PowerShell will help you generate reports, and since we are all so busy, any automation can help. In Lab 9.2, you'll use Windows PowerShell to review logs.
Windows enables most event logs by default, although you might need to define what level of logging you need. Turning on verbose logging (the most detail possible) should be done only for a specific event or while tracking an active, known security incident. If you aren't careful, the volume of logs can consume many terabytes of disk space. Systems have been known to fail because well‐meaning system administrators enabled verbose logging on every system and then forgot to disable it when troubleshooting was completed. Put a sticky note on your monitor, or better, a calendar reminder, so you revert logging levels after you're done troubleshooting.
Great logging is about pulling out the necessary critical events and alerts from an otherwise overwhelming amount of information. The problem for most admins is not about getting enough information, but getting useful information out of an overwhelming deluge of data.
To enable a security audit policy that records load failures in the audit logs, open an elevated Command Prompt window: right‐click the Cmd.exe shortcut and select Run As Administrator, or press Windows+R to open the Run box, type cmd, and press Ctrl+Shift+Enter to run it as an administrator. In the elevated Command Prompt window, run the following command:
Auditpol /set /Category:System /failure:enable
As you see in Figure 9.7, you should get a success message. Be aware of what you just turned on: the command enables failure auditing for every subcategory in the System category (Security State Change, Security System Extension, System Integrity, IPsec Driver, and Other System Events), not only load failures, and the resulting audit events are written to the Security log, not the System log. You can confirm the current settings at any time with Auditpol /get /Category:System. You will have to restart the computer for the changes to take effect.
After you have collected the logs you need, and so you do not fill up all the storage on your asset, do not forget to revert the policy with the following command:
Auditpol /set /Category:System /failure:disable
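The same enable, verify, revert procedure as an added PowerShell example (this is not the book's code). It wraps the auditpol commands above so you can see exactly which System subcategories the change touched and so the revert step is not forgotten. It assumes only an elevated PowerShell window and the auditpol.exe that ships with Windows; no computer or category names beyond the built-in System category are assumed.

```powershell
# Added example, not from the book: enable System-category failure auditing,
# show what changed, then revert. Run from an elevated PowerShell window.

function Get-SystemAuditPolicy {
    # auditpol prints one line per subcategory with its Success/Failure setting.
    # Keep the raw text; it is only needed for a before/after comparison.
    auditpol.exe /get /category:System
}

function Set-SystemFailureAuditing {
    param([Parameter(Mandatory)][ValidateSet('enable', 'disable')][string]$State)
    auditpol.exe /set /category:System "/failure:$State"
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol returned exit code $LASTEXITCODE (is this window elevated?)"
    }
}

$before = Get-SystemAuditPolicy
Set-SystemFailureAuditing -State 'enable'
$after = Get-SystemAuditPolicy

# Only the lines that differ are shown: one per System subcategory whose
# Failure setting was just switched on. '=>' marks the new state, '<=' the old.
Compare-Object -ReferenceObject $before -DifferenceObject $after |
    Format-Table InputObject, SideIndicator -AutoSize

# ... collect the events you need (they land in the Security log), then revert:
Set-SystemFailureAuditing -State 'disable'
```

Running the comparison before and after is the check worth keeping: it makes the scope of the change visible, which matters because /Category:System is broader than the single "load failure" case that motivated it.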
Because PowerShell can reach remote machines, there is no need to log on to a computer interactively to collect its logs. With the PowerShell parameter ‐ComputerName, you pass a command to the remote computer you choose and collect the information you want. To pull the entire System log from the computer named PC1, run the following command:
Get-EventLog -ComputerName PC1 -LogName System
Two caveats: Get-EventLog talks to the remote Event Log service over RPC, not over WinRM, so the remote computer's firewall must allow remote event log management; and Get-EventLog exists only in Windows PowerShell and reads only the classic logs. On PowerShell 7, or for the newer Applications and Services logs, use Get-WinEvent, which accepts the same ‐ComputerName parameter.
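The remote collection and the reporting mentioned earlier in this section, as an added example (not the book's code). It uses Get-WinEvent rather than Get-EventLog so it runs on both Windows PowerShell and PowerShell 7, and it filters on the remote side so only matching events cross the network. The computer names PC1 and PC2 are assumed placeholders; replace them with machines you are allowed to query.

```powershell
# Added example, not from the book: collect Critical and Error events from the
# System log of several remote computers and summarize the noisiest sources.
$computers = @('PC1', 'PC2')          # assumed names
$startTime = (Get-Date).AddDays(-1)   # look back 24 hours

function Get-RemoteSystemErrors {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][datetime]$StartTime
    )
    foreach ($pc in $ComputerName) {
        try {
            # FilterHashtable is applied by the remote Event Log service, so only
            # matching events are returned. Level 1 = Critical, 2 = Error.
            Get-WinEvent -ComputerName $pc -ErrorAction Stop -FilterHashtable @{
                LogName   = 'System'
                Level     = 1, 2
                StartTime = $StartTime
            } | Select-Object @{ n = 'Computer'; e = { $pc } }, TimeCreated, Id, ProviderName, Message
        }
        catch {
            # Get-WinEvent raises an error when nothing matches; that is not a
            # failure. Anything else (RPC unreachable, access denied) deserves a warning.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "${pc}: $($_.Exception.Message)"
            }
        }
    }
}

$events = Get-RemoteSystemErrors -ComputerName $computers -StartTime $startTime

# Which provider/event ID pairs fire most often on each computer.
$events | Group-Object Computer, ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize

# Keep the raw detail for the incident record.
$events | Export-Csv -Path .\system-errors.csv -NoTypeInformation
```

Filtering with -FilterHashtable instead of piping everything through Where-Object is the difference between a query that finishes in seconds and one that drags a whole log across the wire; the StartTime bound also keeps the report to the window you are actually investigating.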
One of the integral parts of understanding these logs, and of tracing activity back to remote parts of your network, is the IP address. The Internet has run out of unallocated IPv4 addresses, and the landscape of the Internet is quickly evolving. IPv4 is the addressing scheme that gives each device a unique numerical address of four octets separated by dots, with no octet greater than 255; it looks like 192.168.1.10. Sending data from one computer to another, and generating logs while doing so, requires an IP address on both devices.
But we are in transition. With so many applications and with the growth of the Internet of Things (IoT), we are seeing more and more IPv6 addresses in our logs. Google publishes statistics on IPv6 adoption globally, and at the time of writing more than 25 percent of Google users reached its services over IPv6. For home users and small businesses this may take another few years to become an issue, but nearly all modern devices support IPv6, and Windows enables it by default.
What you will start seeing in your logs is a 128‐bit IPv6 address as opposed to the 32 bits of an IPv4 address. IPv6 is written in hexadecimal rather than dotted decimal: eight groups of four hex digits separated by colons, instead of four decimal numbers of up to three digits separated by dots. There are shortening rules. Leading zeros within a group can be dropped, and one run of consecutive all‐zero groups can be replaced by ::, but only once per address, so 2001:0db8:0000:0000:0000:0000:0000:0001 is usually displayed as 2001:db8::1. Just be aware that if the source address in your logs starts showing colons and hexadecimal digits (up to 32 of them) instead of the usual dotted decimal of at most 12 digits, something on your network is using IPv6, and any log filter or allow list written only for IPv4 patterns will silently miss it.
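An added PowerShell example (not from the book) that does what the paragraph above asks you to notice by eye: it picks the source address out of each log line, tells IPv4 from IPv6 using the .NET IPAddress parser, and expands compressed IPv6 notation back to its full eight groups so the :: shortcut becomes visible. The log lines and their src= field layout are constructed for this example and are not real output from any product.

```powershell
# Added example, not from the book: classify source addresses in log lines as
# IPv4 or IPv6 and expand IPv6 shorthand to the long form.

function Expand-IPv6Address {
    param([Parameter(Mandatory)][System.Net.IPAddress]$Address)
    if ($Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "Not an IPv6 address: $Address"
    }
    # GetAddressBytes returns the 16 bytes in network order; pair them up into
    # the eight 16-bit groups of the long form, zero-padded to four hex digits.
    $bytes  = $Address.GetAddressBytes()
    $groups = for ($i = 0; $i -lt 16; $i += 2) {
        '{0:x2}{1:x2}' -f $bytes[$i], $bytes[$i + 1]
    }
    return ($groups -join ':')
}

function Get-LogSourceAddress {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        # Assumed (constructed) layout: a 'src=' field holding the address.
        if ($line -notmatch 'src=(\S+)') { continue }
        $token = $Matches[1]
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($token, [ref]$ip)) {
            [pscustomobject]@{ Raw = $token; Family = 'invalid'; LongForm = $null }
            continue
        }
        if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
            $family = 'IPv6'
            $long   = Expand-IPv6Address -Address $ip
        } else {
            $family = 'IPv4'
            $long   = $ip.ToString()
        }
        [pscustomobject]@{ Raw = $token; Family = $family; LongForm = $long }
    }
}

# Constructed sample lines. The '%12' on the link-local address is a zone
# (interface) index, which the parser accepts and drops from the expanded form.
$sampleLog = @(
    '2019-06-01T08:12:01 EventID=4625 src=192.168.1.10 user=alice',
    '2019-06-01T08:12:07 EventID=4625 src=2001:db8::1 user=bob',
    '2019-06-01T08:12:09 EventID=4624 src=fe80::1c2a:9f1b:3e4d:5c6f%12 user=carol',
    '2019-06-01T08:13:00 EventID=4625 src=::1 user=dave',
    '2019-06-01T08:13:05 EventID=4625 src=not-an-address user=eve'
)

Get-LogSourceAddress -Lines $sampleLog | Format-Table -AutoSize
```

The LongForm column is the point of the exercise: 2001:db8::1 and ::1 both contain a :: that hides five and seven all‐zero groups respectively, which is why a naive "count the characters" rule or an IPv4‐only regular expression is not a reliable way to spot IPv6 traffic in a log. Letting the parser decide the address family, and normalizing to the long form before comparing against a block list, avoids both mistakes.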