LogParser and PowerShell - LOGPOWER
In my last post I shared Log Parser queries for analyzing data with the Log Parser tool. The good news is that if you are familiar with PowerShell, life becomes even more exciting and easy: every query I showed there can be used from PowerShell as below.
Pre-requisites: the following won't make much sense if you haven't gone through my previous post on Log Parser, so before you proceed any further I recommend you read that post first.
Below you can see a function that takes the input file path (including the file name), the output file path and file name where you want the result stored, the event ID and the logon type as parameters. The following example is for event IDs 4624 and 4625.
You can build your Log_query as below and automate this process. The example covers only 4624 and 4625 because the Strings field values vary for each event ID, so the same extract_token position may return different values for other event IDs. I have even noticed variations between the 4624 and 4625 positions within the Strings field.
Again, the following is an example to show that you can change the Log_query variable as per the event ID. I have also given a function call example below to explain how you can call this function with different values.
function log_power($inFilePath, $outFilePath, $eventid, $logontype)
{
    # Log Parser SQL held in a PowerShell here-string; the four parameters are expanded into it.
    # extract_token positions are 0-based; the ones used here match the 4624 table in the reference below.
    $Log_query = @"
SELECT DISTINCT extract_token(Strings, 5, '|') AS account,
       extract_token(Strings, 8, '|') AS logontype,
       extract_token(Strings, 18, '|') AS source_ip,
       extract_token(Strings, 11, '|') AS computer,
       TimeGenerated AS Time
INTO $outFilePath
FROM $inFilePath
WHERE EventID = $eventid AND extract_token(Strings, 8, '|') = '$logontype'
"@
    # The closing "@ must start at column 0. Run Log Parser with the EVT input and CSV output formats.
    & C:\Logparser\Logparser.exe $Log_query -i:evt -o:csv
}
# Example call: network logons (logon type 3) from event 4624
log_power -inFilePath 'drive:\pathofLogs\security.evt' -outFilePath 'drive:\pathofLogs\outputfile.csv' -eventid 4624 -logontype 3
So after you make the function call, Log Parser will write the parsed output to the output file location. If needed I can add Log_query strings for other event IDs, if I see that users are not able to use the Log_query variable with the Strings field effectively.
In my upcoming posts I will also share a few PowerShell utilities and tools I have created to ease the work a little. Meanwhile, play with the above if you haven't done this before.
Have fun with this new combination.
Reference: I thought of sharing the Strings positions for 4625 and 4624 below, which will help in building queries that return precise information.
String position information for the 4625 event

| String Position | What it gives us |
|---|---|
| 3 | Account SID |
| 5 | Account |
| 10 | Logon type, e.g. 3 for network logon |
| 11 | Security support provider / auth provider, e.g. NtLmSsp |
| 12 | Auth method, e.g. NTLM |
| 18 | Process name |
| 19 | Source IP |
String position information for the 4624 event

| String Position | What it gives us |
|---|---|
| 4 | Account SID |
| 5 | Account |
| 6 | Domain |
| 8 | Logon type, e.g. 3 for network logon |
| 10 | Auth method |
| 11 | Computer name |
| 17 | Process name |
| 18 | Source IP |
I will also add Strings positions for other events, either here or in a new post.
String positions for event ID 4648: the event generated when explicit credentials are used.

| String Position | What it gives us |
|---|---|
| 2 | Base account |
| 3 | Base domain |
| 6 | Explicit account |
| 7 | Explicit domain |
| 9 | Target server |
| 11 | Process name |
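Putting the parameterised function and the position tables together, the following is an added example of a table-driven query builder; it is my own illustration and not code from the original post. The token positions are copied from the three tables above (extract_token indexes are 0-based, which is how the tables count), and they show why the same query cannot serve every event ID: logon type sits at position 8 for 4624 but 10 for 4625. The Log Parser install path, the input and output paths and the function names New-LogQuery and Invoke-LogQuery are assumptions.

```powershell
# Added example, not from the original post: build the Log Parser query from a table of
# token positions instead of hard-coding one SELECT per event ID.
# Positions are those given in the reference tables above; extract_token counts from 0.

$FieldMap = @{
    4624 = [ordered]@{ account_sid = 4; account = 5; domain = 6; logontype = 8;
                       auth_method = 10; computer = 11; process = 17; source_ip = 18 }
    4625 = [ordered]@{ account_sid = 3; account = 5; logontype = 10; auth_provider = 11;
                       auth_method = 12; process = 18; source_ip = 19 }
    4648 = [ordered]@{ base_account = 2; base_domain = 3; explicit_account = 6;
                       explicit_domain = 7; target_server = 9; process = 11 }
}

function New-LogQuery {
    # Returns the Log Parser SQL text; it does not run anything.
    param(
        [Parameter(Mandatory)][string]$InFilePath,
        [Parameter(Mandatory)][string]$OutFilePath,
        [Parameter(Mandatory)][int]$EventId,
        [hashtable]$Filter = @{}   # field name => required value, e.g. @{ logontype = 3 }
    )
    if (-not $FieldMap.ContainsKey($EventId)) {
        throw "No token positions known for event ID $EventId; add them to `$FieldMap first."
    }
    $map = $FieldMap[$EventId]

    # One extract_token() column per mapped field, plus the event time
    $columns = @(foreach ($name in $map.Keys) {
        "extract_token(Strings, $($map[$name]), '|') AS $name"
    })
    $columns += 'TimeGenerated AS Time'

    # WHERE clause: the event ID, then each filter resolved back to its token position
    $where = @("EventID = $EventId")
    foreach ($name in $Filter.Keys) {
        if (-not $map.Contains($name)) {
            throw "Field '$name' is not mapped for event $EventId."
        }
        $value = [string]$Filter[$name]
        # The value lands inside a quoted SQL literal, so refuse anything that could end it
        if ($value -match "'") {
            throw "Filter value for '$name' must not contain a single quote."
        }
        $where += "extract_token(Strings, $($map[$name]), '|') = '$value'"
    }

    @"
SELECT DISTINCT $($columns -join ",`n       ")
INTO $OutFilePath
FROM $InFilePath
WHERE $($where -join ' AND ')
"@
}

function Invoke-LogQuery {
    # Hands the generated SQL to Log Parser (the install path is an assumption)
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$LogParserExe = 'C:\Logparser\Logparser.exe'
    )
    & $LogParserExe $Query -i:EVT -o:CSV
}

# Generate the query first so it can be inspected, then hand it to Log Parser
$query = New-LogQuery -InFilePath 'drive:\pathofLogs\security.evt' `
                      -OutFilePath 'drive:\pathofLogs\4625_network.csv' `
                      -EventId 4625 -Filter @{ logontype = 3 }
Write-Output $query
# Invoke-LogQuery -Query $query
```

Because the parameters are expanded straight into the here-string that becomes the SQL, the builder rejects any filter value containing a single quote instead of letting it terminate the string literal, and it refuses field names or event IDs it has no positions for. Positions for further event IDs are added to $FieldMap, and the generated SQL can be printed and checked against the tables before Log Parser is run.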