Security & Forensic


Myeventviewer by NirSoft

From : https://www.nirsoft.net/utils/my_event_viewer.html


Command-Line Options

/SaveDirect Save the log lines in SaveDirect mode. For use with the other save command-line options (/scomma, /stab, /sxml, and so on).
When you use the SaveDirect mode, the event log lines are saved directly to the disk, without loading them into memory first. This means that you can save a list with a large number of event log lines to your disk without any memory problem, as long as you have enough disk space to store the saved file. The drawback of this mode: you cannot sort the log lines according to the column you choose with the /sort command-line option.
/ShowOnlyLastEvents [0 | 1] If you specify '1' value, the last events filter will be activated.
/LastEventsUnit [Unit] Unit to specify the last events filter.
1 = Minutes
2 = Hours
3 = Days
/LastEventsValue [Number of Units] specifies the number of units (Minutes/Hours/Days) for the last events filter.
/VisibleEventTypes [Number] Specifies which type of events to display:
1 = Error
2 = Warning
4 = Information
8 = Audit Success
16 = Audit Failure

You can combine multiple event types, for example: if you want to display both errors and warnings, set the VisibleEventTypes value to 3 (1 + 2 = 3):

/EventLogNames [Name1] [Name2] [Name3]... Specifies the event log names that you wish to load.

Examples:
MyEventViewer.exe /EventLogNames "osession" "security" "Internet Explorer"
MyEventViewer.exe /EventLogNames "Application" "Security"

/cfg <Filename> Start MyEventViewer with the specified configuration file. For example:
MyEventViewer.exe /cfg "c:\config\MyEventViewer.cfg"
MyEventViewer.exe /cfg "%AppData%\MyEventViewer.cfg"
/advanced Starts MyEventViewer with the 'Advanced Filter' window, before loading the events.
/stext <Filename> Save the events list into a regular text file.
/stab <Filename> Save the events list into a tab-delimited text file.
/scomma <Filename> Save the events list into a comma-delimited text file (csv).
/stabular <Filename> Save the events list into a tabular text file.
/shtml <Filename> Save the events list into HTML file (Horizontal).
/sverhtml <Filename> Save the events list into HTML file (Vertical).
/sxml <Filename> Save the events list into XML file.
/sort <column> This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Source" and "Time". You can specify the '~' prefix character (e.g: "~Time") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns.
/nosort When you specify this command-line option, the list will be saved without any sorting.
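The /VisibleEventTypes bitmask and the last-events filter above are easy to get wrong when typed by hand, so here is an added Python example (not NirSoft's code, and not from the original post) that builds a MyEventViewer command line from structured choices. It assumes MyEventViewer.exe is on PATH unless you pass another path; the helper only assembles the argument list, it does not run the tool.

```python
"""Build a MyEventViewer command line from structured filter choices.

Added example, not NirSoft's code. Assumes MyEventViewer.exe is on PATH
(or pass exe=...). Only assembles arguments; nothing is executed.
"""
import subprocess
from typing import Iterable, List, Optional, Sequence

# Bit values of /VisibleEventTypes, as documented above.
EVENT_TYPE_BITS = {
    "Error": 1,
    "Warning": 2,
    "Information": 4,
    "Audit Success": 8,
    "Audit Failure": 16,
}

# Values of /LastEventsUnit, as documented above.
LAST_EVENTS_UNIT = {"minutes": 1, "hours": 2, "days": 3}


def visible_event_types_mask(types: Iterable[str]) -> int:
    """OR the per-type bits together; an unknown name raises instead of being dropped silently."""
    mask = 0
    for name in types:
        if name not in EVENT_TYPE_BITS:
            raise ValueError(f"unknown event type: {name!r}")
        mask |= EVENT_TYPE_BITS[name]
    return mask


def build_myeventviewer_args(
    out_html: str,
    log_names: Sequence[str],
    event_types: Iterable[str] = (),
    last_value: Optional[int] = None,
    last_unit: str = "days",
    sort_columns: Sequence[str] = (),
    exe: str = "MyEventViewer.exe",
) -> List[str]:
    """Return the argv list for an HTML export with the given filters."""
    args = [exe, "/shtml", out_html]
    types = list(event_types)
    if types:
        args += ["/VisibleEventTypes", str(visible_event_types_mask(types))]
    if last_value is not None:
        args += [
            "/ShowOnlyLastEvents", "1",
            "/LastEventsValue", str(last_value),
            "/LastEventsUnit", str(LAST_EVENTS_UNIT[last_unit]),
        ]
    for col in sort_columns:  # multiple /sort switches are allowed
        args += ["/sort", col]
    # /EventLogNames consumes every following token as a log name,
    # so it is placed last to keep the other switches unambiguous.
    args += ["/EventLogNames", *log_names]
    return args


def to_cmd_line(args: Sequence[str]) -> str:
    """Quote for cmd.exe so names such as "Internet Explorer" survive intact."""
    return subprocess.list2cmdline(args)


if __name__ == "__main__":
    # Same query as the "last 3 days" example on this page, errors and warnings only.
    argv = build_myeventviewer_args(
        r"C:\DFIR\EventLog\Security-Export.html",
        ["Security"],
        event_types=["Error", "Warning"],
        last_value=3,
        last_unit="days",
        sort_columns=["~Time", "Event Type"],
    )
    print(to_cmd_line(argv))
```

The argument list is suitable for `subprocess.run(argv)` on a Windows host, and `to_cmd_line` gives the equivalent line to paste into cmd.exe.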

Examples

Query events from the last 3 days
C:\myeventviewer>MyEventViewer.exe /shtml C:\DFIR\EventLog\Security-Export.html /EventLogNames "Security" /ShowOnlyLastEvents 1 /LastEventsValue 3 /LastEventsUnit 3 /sort "~Time" /sort "Event Type"

Load an evtx file
C:\myeventviewer>MyEventViewer.exe /Loadfile "C:\DFIR\EventLog\Security-20190716.evtx" /shtml C:\DFIR\EventLog\Security-Export-2.html /ShowOnlyLastEvents 1 /LastEventsValue 3 /LastEventsUnit 3 /sort "~Time"


Query the N most recent events

C:\myeventviewer>MyEventViewer.exe /shtml f:\temp\events.html /ShowOnlyLastEvents 1 /LastEventsValue 2000 /LastEventsUnit 1 /sort "~Time"

Sort the query results
C:\myeventviewer>MyEventViewer.exe /shtml f:\temp\events.html /sort "Event Type" /sort "Log Type"


< Note >
In command-line interface mode, it is not possible to query by a specific event ID or by a From – To date range.

 

FullEventlogview by NirSoft

From : https://www.nirsoft.net/utils/full_event_log_view.html

 

Improves on the shortcomings of the earlier MyEventViewer. In command-line interface mode, queries by specific event ID and similar criteria are possible.

Command-Line Options

/ChannelFilter [1 - 3] 
/EventIDFilter [1 - 3] 
/ProviderFilter [1 - 3] 
/ChannelFilterStr [Filter String] 
/EventIDFilterStr [Filter String] 
/ProviderFilterStr [Filter String] 



You can use any variable from the .cfg file as a command-line option in order to set the configuration from the command line; here are some examples:

In order to show only events with Event ID 8000 and 8001: 
FullEventLogView.exe /EventIDFilter 2 /EventIDFilterStr "8000,8001"

In order to show only events from the Microsoft-Windows-Dhcp-Client/Admin channel:
FullEventLogView.exe /ChannelFilter 2 /ChannelFilterStr "Microsoft-Windows-Dhcp-Client/Admin"

In order to read events from .evtx files stored in c:\temp\logs:
FullEventLogView.exe /DataSource 3 /LogFolder "c:\temp\logs" /LogFolderWildcard "*"

In order to read events from a remote computer:
FullEventLogView.exe /DataSource 2 /ComputerName "192.168.0.70"

/cfg <Filename>

Start FullEventLogView with the specified configuration file. For example: 
FullEventLogView.exe /cfg "c:\config\felv.cfg" 
FullEventLogView.exe /cfg "%AppData%\FullEventLogView.cfg"

/RunAsAdmin

Run FullEventLogView as administrator.

/stext <Filename>

Save the event log items into a simple text file.

/stab <Filename>

Save the event log items into a tab-delimited text file.

/scomma <Filename>

Save the event log items into a comma-delimited text file (csv).

/stabular <Filename>

Save the event log items into a tabular text file.

/shtml <Filename>

Save the event log items into HTML file (Horizontal).

/sverhtml <Filename>

Save the event log items into HTML file (Vertical).

/sxml <Filename>

Save the event log items into XML file.

/sjson <Filename>

Save the event log items into JSON file.

/SaveDirect

Save the event log items in SaveDirect mode. For use with the other save command-line options (/scomma, /stab, /sxml, and so on). When you use the SaveDirect mode, the event log items are saved directly to the disk, without loading them into memory first. Be aware that the sorting feature is not supported in SaveDirect mode.

/sort <column>

This command-line option can be used with other save options for sorting by the desired column. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Record ID" and "Event ID". You can specify the '~' prefix character (e.g: "~Channel") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns.

Example
C:\fulleventlogview>FullEventLogView.exe  /ChannelFilter 2 /ChannelFilterStr "Security" /EventIDFilter 2  /EventIDFilterstr "4624" /shtml C:\DFIR\EventLog\Security-Export-3.html /ShowOnlyLastEvents 1 /LastEventsValue 3 /LastEventsUnit 3 /sort "~Time" /RunAsAdmin
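Once the Security export exists, the triage work happens on the file, and if /SaveDirect was used the rows arrive unsorted. The following added Python example (not NirSoft's code, and not part of the original post) parses a /scomma export, restores the newest-first order that /sort "~Time" would have given, counts rows per Event ID, and flags a burst of Audit Failure rows. The CSV header and rows are a constructed sample: the real export's exact column set depends on the tool version, so "Record ID", "Time", "Channel", "Event ID" and "Event Type" (the column names this page mentions) are assumed to be present, and the timestamp format is assumed.

```python
"""Post-process a FullEventLogView /scomma export.

Added example, not NirSoft's code. The CSV below is a constructed sample;
the column names and timestamp format are assumptions about the real export.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample resembling an export written with
#   /ChannelFilter 2 /ChannelFilterStr "Security" /EventIDFilter 2 /EventIDFilterStr "4624,4625"
# under /SaveDirect, so rows are in record order rather than sorted by time.
SAMPLE_CSV = """\
Record ID,Time,Channel,Event ID,Event Type
1001,2019-07-16 09:12:03,Security,4624,Audit Success
1002,2019-07-16 09:12:10,Security,4625,Audit Failure
1003,2019-07-16 09:12:11,Security,4625,Audit Failure
1004,2019-07-16 09:12:12,Security,4625,Audit Failure
1005,2019-07-16 09:13:00,Security,4624,Audit Success
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed format of the Time column


def load_export(text):
    """Parse the CSV text into dicts, converting Event ID and Time to typed values."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Event ID"] = int(row["Event ID"])
        row["Time"] = datetime.strptime(row["Time"], TIME_FORMAT)
    return rows


def sort_newest_first(rows):
    """Stand-in for /sort "~Time", which /SaveDirect exports cannot apply."""
    return sorted(rows, key=lambda r: r["Time"], reverse=True)


def count_by_event_id(rows):
    """How many rows each Event ID contributed, e.g. 4624 logons vs 4625 failures."""
    return Counter(r["Event ID"] for r in rows)


def audit_failure_burst(rows, window_seconds=60, threshold=3):
    """True if at least `threshold` Audit Failure rows fall inside any window_seconds span."""
    times = sorted(r["Time"] for r in rows if r["Event Type"] == "Audit Failure")
    for i in range(len(times)):
        j = i
        while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
            j += 1
        if j - i + 1 >= threshold:
            return True
    return False


if __name__ == "__main__":
    events = load_export(SAMPLE_CSV)
    for row in sort_newest_first(events):
        print(row["Time"], row["Event ID"], row["Event Type"])
    print("per Event ID:", dict(count_by_event_id(events)))
    print("audit-failure burst:", audit_failure_burst(events))
```

To run it against a real export, replace `SAMPLE_CSV` with the contents of the file passed to /scomma and adjust `TIME_FORMAT` if the tool's Time column is written differently.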

 
