LogParser - 事件日志数据值替换

发布于 2024-10-26 17:14:12 字数 944 浏览 5 评论 0原文

我不是一个脚本专家,我有一个小要求,需要分析防火墙流量的 Windows 安全事件日志。

为此,我开始研究 LogParser,它似乎几乎可以完成我需要的所有操作,但我在解决如何将从日志中提取的某些值替换为更具可读性的内容时遇到了一些麻烦。

我的脚本非常简单:

SELECT
TimeGenerated AS Time,
EventTypeName AS Event,
EXTRACT_TOKEN(Strings, 0,'|') AS ProcessID,
EXTRACT_TOKEN(Strings, 1,'|') AS Process,
EXTRACT_TOKEN(Strings, 7,'|') AS Protocol,
EXTRACT_TOKEN(Strings, 2,'|') AS Direction,
EXTRACT_TOKEN(Strings, 3,'|') AS SourceAddress,
EXTRACT_TOKEN(Strings, 4,'|') AS SourcePort,
EXTRACT_TOKEN(Strings, 5,'|') AS DestinationAddress,
EXTRACT_TOKEN(Strings, 6,'|') AS DestinationPort
FROM Security
WHERE EventID IN (5152; 5153; 5154; 5155; 5156; 5157; 5158)

虽然这会产生我感兴趣的信息,但如果可能的话,我想更改输出。例如,“进程”列输出为:

\device\harddiskvolume2\apps\mozilla\fx-4\firefox.exe

我真正想要的是只显示进程名称,而不显示路径。同样,“协议”列仅显示数字协议值。我更喜欢让它显示“实际”协议。

最后,“方向”列显示数值 %%14592 和 %%14593,我希望分别看到“入”和“出”。

如果有人可以提供帮助,我将不胜感激。

谢谢

I'm not much of a scripting wiz and I have a small requirement to analyse the Windows security Event logs for firewall traffic.

To that end I've started looking at LogParser and it seems to do pretty much everything I need, but I'm having a little trouble working out how to substitute certain values extracted from the logs, into something more readable.

My script is very simple:

SELECT
TimeGenerated AS Time,
EventTypeName AS Event,
EXTRACT_TOKEN(Strings, 0,'|') AS ProcessID,
EXTRACT_TOKEN(Strings, 1,'|') AS Process,
EXTRACT_TOKEN(Strings, 7,'|') AS Protocol,
EXTRACT_TOKEN(Strings, 2,'|') AS Direction,
EXTRACT_TOKEN(Strings, 3,'|') AS SourceAddress,
EXTRACT_TOKEN(Strings, 4,'|') AS SourcePort,
EXTRACT_TOKEN(Strings, 5,'|') AS DestinationAddress,
EXTRACT_TOKEN(Strings, 6,'|') AS DestinationPort
FROM Security
WHERE EventID IN (5152; 5153; 5154; 5155; 5156; 5157; 5158)

Although this produces the information I'm interested in, I'd like, if possible, to change the output. For exampleThe 'Process' column output is:

\device\harddiskvolume2\apps\mozilla\fx-4\firefox.exe

What I'd really like is to just display the process name, without the path. Likewise the 'Protocol' column just displays the numeric protocol value. I prefer to have it display the 'actual' protocol.

Lastly, the Direction column displays a numerical value %%14592 and %%14593 and I'd prefer to see In and Out respectively.

If anyone can help, I'd be most grateful.

Thanks

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

这个俗人 2024-11-02 17:14:12

对于您的文件名问题,
EXTRACT_FILENAME(EXTRACT_TOKEN(Strings, 1,'|')) AS 进程
为你工作?

对于您的其他问题,怎么样:

CASE EXTRACT_TOKEN(Strings, 2,'|') WHEN '%%14592' THEN 'IN' ELSE 'OUT' END As Direction

For your filename question, does the
EXTRACT_FILENAME(EXTRACT_TOKEN(Strings, 1,'|')) AS Process
work for you?

For your other other issue, how about:

CASE EXTRACT_TOKEN(Strings, 2,'|') WHEN '%%14592' THEN 'IN' ELSE 'OUT' END As Direction

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文