Windows Event Log Analysis - Visual Basic Script (vbs)
Usage example
eventquery.vbs
1. Register cmdlib.wsc
cmdlib.wsc is a Windows Script Component (WSC) file for Windows, developed by Microsoft; eventquery.vbs depends on it, so it has to be registered first.
F:\script\vbs>regsvr32 cmdlib.wsc /s
2. Help
F:\script\vbs>cscript eventquery.vbs /?
Microsoft (R) Windows Script Host 버전 5.812
Copyright (C) Microsoft Corporation. All rights reserved.
EVENTQUERY.vbs [/S system [/U username [/P password]]] [/FI filter]
[/FO format] [/R range] [/NH] [/V] [/L logname | *]
Description:
The EVENTQUERY.vbs script enables an administrator to list
the events and event properties from one or more event logs.
Parameter List:
/S system Specifies the remote system to connect to.
/U [domain\]user Specifies the user context under which the command should execute.
/P password Specifies the password for the given user context.
/V Specifies that the detailed information should be displayed in the output.
/FI filter Specifies the types of events to filter in or out of the query.
/FO format Specifies the format in which the output is to be displayed.
Valid formats are "TABLE", "LIST", "CSV".
/R range Specifies the range of events to list. Valid Values are:
'N' - Lists 'N' most recent events.
'-N' - Lists 'N' oldest events.
'N1-N2' - Lists the events N1 to N2.
/NH Specifies that the "Column Header" should not be displayed in the output.
Valid only for "TABLE" and "CSV" formats.
/L logname Specifies the log(s) to query.
/? Displays this help/usage.
Valid Filters Operators allowed Valid Values
------------- ------------------ ------------
DATETIME eq,ne,ge,le,gt,lt mm/dd/yy(yyyy),hh:mm:ssAM(/PM)
TYPE eq,ne ERROR, INFORMATION, WARNING, SUCCESSAUDIT, FAILUREAUDIT
ID eq,ne,ge,le,gt,lt non-negative integer
USER eq,ne string
COMPUTER eq,ne string
SOURCE eq,ne string
CATEGORY eq,ne string
NOTE: Filter "DATETIME" can be specified as "FromDate-ToDate" Only "eq" operator can be used for this format.
Examples:
EVENTQUERY.vbs
EVENTQUERY.vbs /L system
EVENTQUERY.vbs /S system /U user /P password /V /L *
EVENTQUERY.vbs /R 10 /L Application /NH
EVENTQUERY.vbs /R -10 /FO LIST /L Security
EVENTQUERY.vbs /R 5-10 /L "DNS Server"
EVENTQUERY.vbs /FI "Type eq Error" /L Application
EVENTQUERY.vbs /L Application
/FI "Datetime eq 06/25/00,03:15:00AM-06/25/00,03:15:00PM"
EVENTQUERY.vbs /FI "Datetime gt 08/03/00,06:20:00PM"
/FI "Id gt 700" /FI "Type eq warning" /L System
EVENTQUERY.vbs /FI "Type eq error OR Id gt 1000 "
3. Query
F:\script\vbs>cscript //nologo eventquery.vbs /L security | more
------------------------------------------------------------------------------
Listing the events in 'security' log of host 'CHOHB'
------------------------------------------------------------------------------
Type Event Date Time Source ComputerName
------------- ------ ------------------------ ----------------- --------------
감사 성공 4672 2020-03-03 오전 2:03:57 Microsoft-Windows chohb
감사 성공 4624 2020-03-03 오전 2:03:57 Microsoft-Windows chohb
감사 성공 4672 2020-03-03 오전 1:57:02 Microsoft-Windows chohb
......
Querying in list format
F:\script\vbs>cscript //nologo eventquery.vbs /L Security /FO list
------------------------------------------------------------------------------
Listing the events in 'security' log of host 'CHOHB'
------------------------------------------------------------------------------
Type: 감사 성공
Event: 4672
Date Time: 2020-03-03 오전 2:03:57
Source: Microsoft-Windows-Security-Auditing
ComputerName: chohb
Type: 감사 성공
Event: 4624
Date Time: 2020-03-03 오전 2:03:57
Source: Microsoft-Windows-Security-Auditing
ComputerName: chohb
......
Querying a specific event ID
F:\script\vbs>cscript //nologo eventquery.vbs /L Security /FO list /Fi "id eq 4624"
Querying event details: /V
F:\script\vbs>cscript eventquery.vbs /L Security /Fi "id eq 4624" /FO list /V
General VBS (direct WMI query without eventquery.vbs)
On Error Resume Next

' WMI enumeration flags: return at once and stream results forward-only (keeps memory low on large logs)
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

' Query the local machine by name
Set wshNetwork = WScript.CreateObject("WScript.Network")
strComputer = wshNetwork.ComputerName

' Narrowing to a single event ID looks like this (left commented out):
'strQuery = "SELECT * FROM Win32_NTLogEvent where logfile='Security' and EventCode='489'"
strQuery = "SELECT * FROM Win32_NTLogEvent where logfile='Security'"

WScript.StdOut.WriteLine ""
WScript.StdOut.WriteLine "====================================="
WScript.StdOut.WriteLine "COMPUTER : " & strComputer
WScript.StdOut.WriteLine "CLASS : ROOT\CIMV2:Win32_NTLogEvent"
WScript.StdOut.WriteLine "QUERY : " & strQuery
WScript.StdOut.WriteLine "====================================="
WScript.StdOut.WriteLine ""

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\ROOT\CIMV2")
Set colItems = objWMIService.ExecQuery(strQuery, "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)

' Print every property of each Win32_NTLogEvent instance
For Each objItem in colItems
    WScript.StdOut.WriteLine "Category: " & objItem.Category
    WScript.StdOut.WriteLine "CategoryString: " & objItem.CategoryString
    WScript.StdOut.WriteLine "ComputerName: " & objItem.ComputerName
    ' Data and InsertionStrings are arrays; flatten them for display
    strData = Join(objItem.Data, ",")
    WScript.StdOut.WriteLine "Data: " & strData
    WScript.StdOut.WriteLine "EventCode: " & objItem.EventCode
    WScript.StdOut.WriteLine "EventIdentifier: " & objItem.EventIdentifier
    WScript.StdOut.WriteLine "EventType: " & objItem.EventType
    strInsertionStrings = Join(objItem.InsertionStrings, ",")
    WScript.StdOut.WriteLine "InsertionStrings: " & strInsertionStrings
    WScript.StdOut.WriteLine "Logfile: " & objItem.Logfile
    WScript.StdOut.WriteLine "Message: " & objItem.Message
    WScript.StdOut.WriteLine "RecordNumber: " & objItem.RecordNumber
    WScript.StdOut.WriteLine "SourceName: " & objItem.SourceName
    ' TimeGenerated / TimeWritten are CIM_DATETIME strings (yyyymmddHHMMSS.ffffff+UTC), not VBS Dates
    WScript.StdOut.WriteLine "TimeGenerated: " & objItem.TimeGenerated
    WScript.StdOut.WriteLine "TimeWritten: " & objItem.TimeWritten
    WScript.StdOut.WriteLine "Type: " & objItem.Type
    WScript.StdOut.WriteLine "User: " & objItem.User
    WScript.StdOut.WriteLine ""
Next
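The script above dumps every Security event; in practice an analyst usually wants one event ID over a time window, and the two things that trip people up are that Win32_NTLogEvent's TimeGenerated is a CIM_DATETIME string (so the WHERE clause must be built with SWbemDateTime rather than a VBS Date) and that reading the Security log through WMI needs the SeSecurityPrivilege, enabled by the (Security) token in the moniker. The following is an added example, not code from the original post: it tallies successful logons (4624) from the last N hours by logon type. The file name logon_tally.vbs and the position of the Logon Type field in the 4624 insertion strings (0-based index 8) are assumptions; check the latter against the Message text on your own system.

```vbscript
' Added example (not part of the original post): count Security 4624 events
' from the last N hours by logon type, using the same Win32_NTLogEvent class.
' Usage (file name assumed): cscript //nologo logon_tally.vbs [hoursBack]
Option Explicit

Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20
' Assumption: in 4624 event data the Logon Type is the 9th insertion string
' (0-based index 8). Verify against the Message text before relying on it.
Const LOGON_TYPE_INDEX = 8

Dim hoursBack: hoursBack = 24
If WScript.Arguments.Count > 0 Then hoursBack = CInt(WScript.Arguments(0))

' TimeGenerated is stored as CIM_DATETIME (yyyymmddHHMMSS.ffffff+UTC), so the
' lower bound of the WHERE clause is built in that format via SWbemDateTime.
Dim objDT: Set objDT = CreateObject("WbemScripting.SWbemDateTime")
objDT.SetVarDate DateAdd("h", -hoursBack, Now), True
Dim strSince: strSince = objDT.Value

Dim strQuery
strQuery = "SELECT TimeGenerated, InsertionStrings FROM Win32_NTLogEvent " & _
           "WHERE Logfile='Security' AND EventCode=4624 " & _
           "AND TimeGenerated >= '" & strSince & "'"

Dim dictCounts: Set dictCounts = CreateObject("Scripting.Dictionary")
Dim objWMI, colItems, objItem, strType, total
total = 0

' (Security) enables SeSecurityPrivilege, required to read the Security log over WMI.
' Errors are collected here and reported once, instead of being silently swallowed.
On Error Resume Next
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\ROOT\CIMV2")
Set colItems = objWMI.ExecQuery(strQuery, "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
For Each objItem In colItems
    total = total + 1
    strType = "unknown"
    If Not IsNull(objItem.InsertionStrings) Then
        If UBound(objItem.InsertionStrings) >= LOGON_TYPE_INDEX Then
            strType = objItem.InsertionStrings(LOGON_TYPE_INDEX)
        End If
    End If
    If dictCounts.Exists(strType) Then
        dictCounts(strType) = dictCounts(strType) + 1
    Else
        dictCounts.Add strType, 1
    End If
Next
If Err.Number <> 0 Then
    WScript.StdErr.WriteLine "WMI query failed (run elevated?): " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

WScript.StdOut.WriteLine "4624 logons in 'Security' since " & DateAdd("h", -hoursBack, Now) & ": " & total
Dim key
For Each key In dictCounts.Keys
    WScript.StdOut.WriteLine "  Logon Type " & key & ": " & dictCounts(key)
Next
```

Run it from an elevated prompt; without administrative rights the WMI call either errors out or returns no Security rows, which the error check surfaces rather than reporting zero logons. Note that Win32_NTLogEvent only covers the classic logs (Application, Security, System and similar), not the newer Applications and Services channels, so this approach, like eventquery.vbs, is limited to those.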