Security & Forensic


Win32_NTLogEvent class

f:\temp>wmic ntevent /?
NTEVENT - Entries in the NT Event log.
HINT: BNF for Alias usage.
(<alias> [WMIObject] | <alias> [<path>] | [<alias>] <path>) [<verb clause>]

USAGE:
NTEVENT ASSOC [<format specifier>]
NTEVENT CREATE <assign list>
NTEVENT DELETE
NTEVENT GET [<property list>] [<get switches>]
NTEVENT LIST [<list format>] [<list switches>]

Items that can be listed
f:\temp>wmic ntevent list /?
Property list operations.

USAGE:
LIST [<list format>] [<list switches>]

The following LIST formats are available:
BRIEF   - EventIdentifier, TypeEvent, Message, RecordNumber, SourceName, TimeGenerated
FULL    - Category, CategoryString, ComputerName, Data, EventCode, EventIdentifier, TypeEvent, InsertionStrings,
            LogFile, Message, RecordNumber, SourceName, TimeGenerated, TimeWritten, Type, UserName


The following LIST switches are available:
/TRANSLATE:<table name>      - Translate output via values from <table name>.
/EVERY:<interval> [/REPEAT:<repeat count>] - Returns value every (X interval) seconds. If /REPEAT is specified the command is executed <repeat count> times.
/FORMAT:<format specifier>   - Keyword/XSL filename to process the XML results.

Available formats
f:\temp>wmic ntevent list /format /?
Keyword/XSL filename to process the XML results.

USAGE:
/FORMAT:<format specifier>

KEYWORDS:
CSV / HFORM / HTABLE / LIST / MOF / RAWXML / TABLE / VALUE / XML /
htable-sortby / htable-sortby.xsl / texttablewsys / texttablewsys.xsl / wmiclimofformat /
wmiclimofformat.xsl / wmiclitableformat / wmiclitableformat.xsl / wmiclitableformatnosys /
wmiclitableformatnosys.xsl / wmiclivalueformat / wmiclivalueformat.xsl

Available properties
f:\temp>wmic NTEVENT get /?
USAGE:
GET [<property list>] [<get switches>]
NOTE: <property list> ::= <property name> | <property name>, <property list>
The following properties are available:
Property                Type    Operation
================        ====    =========
Category                N/A     N/A
CategoryString          N/A     N/A
ComputerName            N/A     N/A
Data                    N/A     N/A
EventCode               N/A     N/A
EventIdentifier         N/A     N/A
InsertionStrings        N/A     N/A
LogFile                 N/A     N/A
Message                 N/A     N/A
RecordNumber            N/A     N/A
SourceName              N/A     N/A
TimeGenerated           N/A     N/A
TimeWritten             N/A     N/A
Type                    N/A     N/A
TypeEvent               N/A     N/A
UserName                N/A     N/A

EventType In Win32_NtLogEvent

Types of Event Logs
Each event entry is classified by Type to identify the severity of the event. The types are Information, Warning, Error,
Success Audit (Security log) and Failure Audit (Security log). In Win32_NTLogEvent the numeric EventType property carries
the same classification (1 = Error, 2 = Warning, 3 = Information, 4 = Success Audit, 5 = Failure Audit), while the Type
property holds it as a string in the language of the OS. Filter on EventType when a query has to behave the same on
systems with different display languages.

Event Type                      Description
Information                     An event that describes the successful operation of a task, such as an application, driver, or service. For example, an Information event is logged when a network driver loads successfully.
Warning                         An event that is not necessarily significant, but may indicate a possible future problem. For example, a Warning message is logged when disk space starts to run low.
Error                           An event that indicates a significant problem, such as loss of data or loss of functionality. For example, an Error event is logged if a service fails to load during startup.
Success Audit (Security log)    An event that describes the successful completion of an audited security event. For example, a Success Audit event is logged when a user logs on to the computer.
Failure Audit (Security log)    An event that describes an audited security event that did not complete successfully. For example, a Failure Audit may be logged when a user cannot access a network drive.

Query examples

Basic queries

F:\temp>WMIC path Win32_NtLogEvent WHERE "LogFile='System'" GET Message, TimeGenerated /format:list

F:\temp>WMIC NtEvent WHERE "LogFile='System'" GET Message, TimeGenerated /format:list

F:\temp>WMIC NtEvent WHERE "LogFile='System'" GET UserName, Type, Message, InsertionStrings, TimeGenerated /format:list

(The property name is UserName, not user; see the GET property list above.)


Query by time range

TimeGenerated is a CIM datetime string of the form yyyymmddHHMMSS.ffffff+UUU, where UUU is the offset from UTC in minutes.
The -240 in the examples below is UTC-4; on a host in Korea the local offset is +540. The literal is compared in that
same format:

F:\temp>WMIC NtEvent WHERE "LogFile='System' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20290215000000.000000-240'" GET Message, TimeGenerated /format:list


Query a specific EventID within a time range

The LogFile filter must name the log the event is actually written to. EventCode 4624 (successful logon) is recorded in
the Security log, so combining it with LogFile='System' returns nothing; reading the Security log also requires
administrative rights.

F:\temp>WMIC NtEvent WHERE "LogFile='Security' and EventCode='4624' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20290215000000.000000-240'" GET Message, TimeGenerated /format:list

Query Error events within a time range

EventType is the numeric severity (1 = Error), so this form works regardless of the OS language:

F:\temp>WMIC NtEvent WHERE "LogFile='System' and EventType='1' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20290215000000.000000-240'" GET Message, TimeGenerated /format:list

The same filter on the localized Type string (this host runs a Korean Windows):

F:\temp>WMIC NtEvent WHERE "LogFile='System' and Type='오류' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20290215000000.000000-240'" GET Message, TimeGenerated /format:list


<Note>

On an English system the "오류" string is "Error".
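The three pieces the queries above assemble by hand (the DMTF timestamp with its UTC offset, the numeric EventType filter that avoids the "오류"/"Error" locale problem, and the WHERE clause itself) are easy to get wrong at a prompt. The following is an added example written for this page, not code from the original post: it builds the same WQL filter programmatically, validates the LogFile value before it goes into the quoted literal (the one place a caller-supplied string could break out of the WHERE clause), and parses captured `wmic /format:csv` output back into typed records so the same filter can be re-applied offline. The KST offset, the HOST01 sample rows and their messages are constructed for the example; the csv sample follows the shape of wmic's CSV output (a leading blank line, then a Node column before the requested properties).

```python
"""Locale-independent Win32_NTLogEvent queries: DMTF timestamp handling,
WQL construction on numeric EventType, and parsing of wmic /format:csv output.
Added example for this page; it is not part of the original post."""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# EventType values of Win32_NTLogEvent (fixed by the class, not by the OS language).
EVENT_TYPE = {"error": 1, "warning": 2, "information": 3,
              "audit_success": 4, "audit_failure": 5}
EVENT_TYPE_NAME = {v: k for k, v in EVENT_TYPE.items()}

KST = timezone(timedelta(hours=9))          # assumption: the querying host is in Korea
START = datetime(2020, 2, 10, tzinfo=KST)   # same start the page's examples use
END = datetime(2020, 2, 15, tzinfo=KST)

# Constructed sample shaped like
#   wmic ntevent where ... get EventCode,EventType,Message,TimeGenerated /format:csv
# output: a leading blank line, a Node column first, then the requested properties.
SAMPLE_CSV = """
Node,EventCode,EventType,Message,TimeGenerated
HOST01,7036,3,The Windows Update service entered the running state.,20200210081500.000000+540
HOST01,7034,1,The Print Spooler service terminated unexpectedly.,20200211120000.000000+540
HOST01,10016,2,The application-specific permission settings do not grant Local Activation permission.,20200212093000.000000+540
HOST01,7034,1,The Print Spooler service terminated unexpectedly.,20200301120000.000000+540
"""


def to_dmtf(dt):
    """Render an aware datetime as a CIM/DMTF datetime: yyyymmddHHMMSS.ffffff+UUU,
    with UUU the UTC offset in minutes (the -240 in the page's examples is UTC-4)."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    offset_min = int(dt.utcoffset().total_seconds() // 60)
    sign = "+" if offset_min >= 0 else "-"
    return f"{dt:%Y%m%d%H%M%S}.{dt.microsecond:06d}{sign}{abs(offset_min):03d}"


def from_dmtf(s):
    """Parse a DMTF datetime string back into an aware datetime."""
    m = re.fullmatch(r"(\d{14})\.(\d{6})([+-])(\d{3})", s)
    if not m:
        raise ValueError(f"not a DMTF datetime: {s!r}")
    base, frac, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes) * (1 if sign == "+" else -1))
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(
        microsecond=int(frac), tzinfo=timezone(offset))


def build_wql(logfile, start, end, event_type=None, event_code=None):
    """Compose the WHERE clause the page writes by hand. logfile is the only
    free-text value, so it is validated before it is placed inside the quoted
    literal; EventType and EventCode are emitted as integers."""
    if not re.fullmatch(r"[A-Za-z0-9 _./-]+", logfile):
        raise ValueError(f"unsafe LogFile value: {logfile!r}")
    clauses = [f"LogFile='{logfile}'"]
    if event_code is not None:
        clauses.append(f"EventCode={int(event_code)}")
    if event_type is not None:
        clauses.append(f"EventType={EVENT_TYPE[event_type]}")
    clauses += [f"TimeGenerated>='{to_dmtf(start)}'",
                f"TimeGenerated<='{to_dmtf(end)}'"]
    return "SELECT * FROM Win32_NTLogEvent WHERE " + " AND ".join(clauses)


def parse_wmic_csv(text):
    """Parse wmic /format:csv output (already decoded to str) into typed dicts."""
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff\r\n")))
    return [{
        "node": row["Node"],
        "event_code": int(row["EventCode"]),
        "event_type": EVENT_TYPE_NAME[int(row["EventType"])],
        "time_generated": from_dmtf(row["TimeGenerated"]),
        "message": row["Message"],
    } for row in reader]


def select_events(rows, start, end, event_type=None, event_code=None):
    """Client-side equivalent of the WHERE clause, for output captured to a file."""
    return [r for r in rows
            if start <= r["time_generated"] <= end
            and (event_type is None or r["event_type"] == event_type)
            and (event_code is None or r["event_code"] == event_code)]


if __name__ == "__main__":
    print(build_wql("System", START, END, event_type="error"))
    for r in select_events(parse_wmic_csv(SAMPLE_CSV), START, END, event_type="error"):
        print(r["time_generated"].isoformat(), r["event_code"], r["message"])
```

Two caveats when feeding real output into `parse_wmic_csv`: wmic writes its output as UTF-16LE, so decode the captured file with that encoding before parsing, and its CSV writer does not quote fields, so a Message containing a comma shifts the columns; keep Message out of CSV queries (or use /format:list) when that matters.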

 
