LogParser - 事件日志数据值替换
我不是一个脚本专家,我有一个小要求,需要分析防火墙流量的 Windows 安全事件日志。
为此,我开始研究 LogParser,它似乎几乎可以完成我需要的所有操作,但我在解决如何将从日志中提取的某些值替换为更具可读性的内容时遇到了一些麻烦。
我的脚本非常简单:
SELECT
TimeGenerated AS Time,
EventTypeName AS Event,
EXTRACT_TOKEN(Strings, 0,'|') AS ProcessID,
EXTRACT_TOKEN(Strings, 1,'|') AS Process,
EXTRACT_TOKEN(Strings, 7,'|') AS Protocol,
EXTRACT_TOKEN(Strings, 2,'|') AS Direction,
EXTRACT_TOKEN(Strings, 3,'|') AS SourceAddress,
EXTRACT_TOKEN(Strings, 4,'|') AS SourcePort,
EXTRACT_TOKEN(Strings, 5,'|') AS DestinationAddress,
EXTRACT_TOKEN(Strings, 6,'|') AS DestinationPort
FROM Security
WHERE EventID IN (5152; 5153; 5154; 5155; 5156; 5157; 5158)
虽然这会产生我感兴趣的信息,但如果可能的话,我想更改输出。例如,“进程”列输出为:
\device\harddiskvolume2\apps\mozilla\fx-4\firefox.exe
我真正想要的是只显示进程名称,而不显示路径。同样,“协议”列仅显示数字协议值。我更喜欢让它显示“实际”协议。
最后,“方向”列显示数值 %%14592 和 %%14593,我希望分别看到“入”和“出”。
如果有人可以提供帮助,我将不胜感激。
谢谢
I'm not much of a scripting wiz and I have a small requirement to analyse the Windows security Event logs for firewall traffic.
To that end I've started looking at LogParser and it seems to do pretty much everything I need, but I'm having a little trouble working out how to substitute certain values extracted from the logs, into something more readable.
My script is very simple:
SELECT
TimeGenerated AS Time,
EventTypeName AS Event,
EXTRACT_TOKEN(Strings, 0,'|') AS ProcessID,
EXTRACT_TOKEN(Strings, 1,'|') AS Process,
EXTRACT_TOKEN(Strings, 7,'|') AS Protocol,
EXTRACT_TOKEN(Strings, 2,'|') AS Direction,
EXTRACT_TOKEN(Strings, 3,'|') AS SourceAddress,
EXTRACT_TOKEN(Strings, 4,'|') AS SourcePort,
EXTRACT_TOKEN(Strings, 5,'|') AS DestinationAddress,
EXTRACT_TOKEN(Strings, 6,'|') AS DestinationPort
FROM Security
WHERE EventID IN (5152; 5153; 5154; 5155; 5156; 5157; 5158)
Although this produces the information I'm interested in, I'd like, if possible, to change the output. For exampleThe 'Process' column output is:
\device\harddiskvolume2\apps\mozilla\fx-4\firefox.exe
What I'd really like is to just display the process name, without the path. Likewise the 'Protocol' column just displays the numeric protocol value. I prefer to have it display the 'actual' protocol.
Lastly, the Direction column displays a numerical value %%14592 and %%14593 and I'd prefer to see In and Out respectively.
If anyone can help, I'd be most grateful.
Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
对于您的文件名问题,
EXTRACT_FILENAME(EXTRACT_TOKEN(Strings, 1,'|')) AS 进程
为你工作?
对于您的其他问题,怎么样:
CASE EXTRACT_TOKEN(Strings, 2,'|') WHEN '%%14592' THEN 'IN' ELSE 'OUT' END As Direction
For your filename question, does the
EXTRACT_FILENAME(EXTRACT_TOKEN(Strings, 1,'|')) AS Process
work for you?
For your other other issue, how about:
CASE EXTRACT_TOKEN(Strings, 2,'|') WHEN '%%14592' THEN 'IN' ELSE 'OUT' END As Direction