c#+logparser实现windows日志分析小程序
Logparser是微软免费的一款日志分析软件,Log Parser(微软网站下载)是微软公司出品的日志分析工具,它功能强大,使用简单,可以分析基于文本的日志文件、XML 文件、CSV(逗号分隔符)文件,以及操作系统的事件日志、注册表、文件系统、Active Directory。它可以像使用 SQL 语句一样查询分析这些数据,甚至可以把分析结果以各种图表的形式展现出来。下载地址:
http://www.microsoft.com/en-us/download/details.aspx?id=24659
Log Parser
编写自己的日志分析软件
使用c#调用logparser.dll实现logparser工具的GUI界面,积累日志分析过程中的安全场景,为我们的应急响应工作提高效率。两点注意:一是 LogParser.dll 是 32 位 COM 组件,C# 项目需以 x86 平台目标编译并引用 Interop.MSUtil,否则运行时无法加载;二是应急现场的证据文件路径(客户名、案件目录等)不要写死在源码或注释中,应通过文件选择框或配置传入,避免随代码一起泄露。
c#代码
system.cs
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using LogQuery = MSUtil.LogQueryClassClass;
using LogRecordSet = MSUtil.ILogRecordset;
using tsvinputformat = MSUtil.COMTSVInputContextClassClass;
using EventLogInputFormat = MSUtil.COMEventLogInputContextClassClass;
using DataGridOutput = MSUtil.COMDataGridOutputContextClassClass;
using MSUtil;
namespace logparserGUI
{
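public partial class system : Form
{
    // Default query used by the button handler. The path is carried over from one specific
    // engagement; keeping client/case directories in source is an information-disclosure
    // issue and makes the tool single-purpose — it should come from a file picker or config.
    // Kept byte-identical here so behavior is unchanged.
    private const string DefaultQuery = @"SELECT EventID, TimeGenerated, SourceName, Message FROM E:\topsec\yj\银河\yinghang\155system.evtx";

    public system()
    {
        InitializeComponent();
    }

    // Populates the scenario list; only one scenario is registered so far.
    private void system_Load(object sender, EventArgs e)
    {
        comboBox1.Items.Add("开机/关机/重启");
    }

    // Opens the form matching the selected scenario, then (after that dialog closes)
    // loads the default query into the grid.
    private void button1_Click(object sender, EventArgs e)
    {
        if (comboBox1.Text.Length == 0)
        {
            MessageBox.Show("请选择日志类型");
            return;
        }

        switch (comboBox1.Text)
        {
            case "开机/关机/重启":
                // NOTE(review): the boot/shutdown scenario opens the `security` form — confirm intended.
                security sec = new security();
                this.Hide();
                sec.ShowDialog();
                break;
            case "application":
                application app = new application();
                this.Hide();
                app.ShowDialog();
                break;
            case "system":
                // Opens a second copy of this same form; the current instance stays hidden.
                system sys = new system();
                this.Hide();
                sys.ShowDialog();
                break;
        }

        // Runs once the scenario dialog returns, whichever scenario was chosen.
        DataTable dt = ReadFromEvt(DefaultQuery);
        dataGridView1.DataSource = dt;
        if (dt == null)
        {
            // ReadFromEvt already displayed the COM error; the original still reported
            // "读取完毕!" here, which hid the failure from the analyst.
            return;
        }
        MessageBox.Show("读取完毕!");
    }

    // Runs a Log Parser query against Windows event logs and returns the four display
    // columns as a DataTable, newest event first. Returns null after a COM failure
    // (the error is shown in a message box).
    //
    // `sql` is handed to Log Parser verbatim, including the FROM path. Callers must not
    // build it from untrusted text: an injected path or an added INTO clause changes which
    // file is read or written.
    public DataTable ReadFromEvt(string sql)
    {
        DataTable datat = new DataTable();
        datat.Columns.Add("事件ID", typeof(string));
        datat.Columns.Add("日期", typeof(string));
        datat.Columns.Add("来源", typeof(string));
        datat.Columns.Add("描述", typeof(string));

        LogQuery oLogQuery = null;
        EventLogInputFormat oEvtInputFormat = null;
        LogRecordSet oRecordSet = null;
        try
        {
            oLogQuery = new LogQuery();
            oEvtInputFormat = new EventLogInputFormat();
            // "BW" = read backwards, so the most recent events come out first.
            oEvtInputFormat.direction = "BW";

            oRecordSet = oLogQuery.Execute(sql, oEvtInputFormat);
            while (!oRecordSet.atEnd())
            {
                var itemData = oRecordSet.getRecord();
                DataRow dr = datat.NewRow();
                // Convert.ToString yields "" for a NULL field (e.g. Message when the
                // provider's message DLL is absent); .ToString() would throw a
                // NullReferenceException that the COMException handler does not catch.
                dr["事件ID"] = Convert.ToString(itemData.getValue("EventID"));
                dr["日期"] = Convert.ToString(itemData.getValue("TimeGenerated"));
                dr["来源"] = Convert.ToString(itemData.getValue("SourceName"));
                dr["描述"] = Convert.ToString(itemData.getValue("Message"));
                datat.Rows.Add(dr);
                oRecordSet.moveNext();
            }
            return datat;
        }
        catch (System.Runtime.InteropServices.COMException exc)
        {
            MessageBox.Show("Unexpected error: " + exc.Message);
            return null;
        }
        finally
        {
            // The original closed the recordset only on the success path; close and
            // release the COM objects on every exit so a failed query does not pin the
            // evidence file open until the GC runs the RCW finalizers.
            if (oRecordSet != null)
            {
                oRecordSet.close();
            }
            ReleaseCom(oRecordSet);
            ReleaseCom(oEvtInputFormat);
            ReleaseCom(oLogQuery);
        }
    }

    // Deterministically releases an RCW; a no-op for null or non-COM objects.
    private static void ReleaseCom(object comObject)
    {
        if (comObject != null && System.Runtime.InteropServices.Marshal.IsComObject(comObject))
        {
            System.Runtime.InteropServices.Marshal.ReleaseComObject(comObject);
        }
    }

    private void comboBox1_SelectedIndexChanged(object sender, EventArgs e)
    {
    }

    private void dataGridView1_CellContentClick(object sender, DataGridViewCellEventArgs e)
    {
    }
}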
}
security.cs
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using LogQuery = MSUtil.LogQueryClassClass;
using LogRecordSet = MSUtil.ILogRecordset;
using tsvinputformat = MSUtil.COMTSVInputContextClassClass;
using EventLogInputFormat = MSUtil.COMEventLogInputContextClassClass;
using DataGridOutput = MSUtil.COMDataGridOutputContextClassClass;
using MSUtil;
namespace logparserGUI
{
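public partial class security : Form
{
    // Default query used by the button handler. The path is an engagement-specific
    // evidence location; embedding client/case directories in source leaks case details
    // and should be replaced by a file picker or config. Kept byte-identical here.
    private const string DefaultQuery = @"SELECT EventID, TimeGenerated, SourceName, Message FROM E:\topsec\yj\银河\yinghang\155system.evtx";

    public security()
    {
        InitializeComponent();
    }

    // Runs a fixed SELECT * over a hard-coded security.evtx and lets Log Parser render it
    // in its own DATAGRID window (the -o:DATAGRID equivalent of the CLI).
    //
    // Scenario queries (e.g. the 4624 logon query built with EXTRACT_TOKEN) belong with the
    // CLI examples in the article, not as commented-out code carrying case paths; the
    // originals here referenced several client directories and have been dropped.
    public void eventlog()
    {
        LogQuery oLogQuery = null;
        EventLogInputFormat oEVTInputFormat = null;
        DataGridOutput oEVTOutputFormat = null;
        try
        {
            oLogQuery = new LogQuery();
            oEVTInputFormat = new EventLogInputFormat();
            // "BW" = newest events first.
            oEVTInputFormat.direction = "BW";
            oEVTOutputFormat = new DataGridOutput();

            string query = @"SELECT * FROM E:\hack\anfu\yj\security.evtx";

            // ExecuteBatch drives the DATAGRID output by itself. The original additionally
            // called Execute() with the same query first — reading the file twice — and never
            // closed that recordset; it also popped up a debug MessageBox showing the literal
            // text "oLogQuery.ToString". Both removed.
            oLogQuery.ExecuteBatch(query, oEVTInputFormat, oEVTOutputFormat);

            // NOTE(review): errorMessages is a COM object; ToString() on it prints the RCW
            // type name rather than the messages. Kept as the original wrote it — confirm the
            // MSUtil IErrorMessages API before changing how the messages are surfaced.
            if (oLogQuery.errorMessages != null)
            {
                MessageBox.Show(oLogQuery.errorMessages.ToString());
            }
        }
        catch (System.Runtime.InteropServices.COMException exc)
        {
            // Surface the error in the UI like ReadFromEvt does; Console output is
            // invisible in a WinForms application.
            MessageBox.Show("Unexpected error: " + exc.Message);
        }
        finally
        {
            ReleaseCom(oEVTOutputFormat);
            ReleaseCom(oEVTInputFormat);
            ReleaseCom(oLogQuery);
        }
    }

    private void security_Load(object sender, EventArgs e)
    {
    }

    // Loads the default query into the grid.
    private void button1_Click(object sender, EventArgs e)
    {
        DataTable dt = ReadFromEvt(DefaultQuery);
        dataGridView1.DataSource = dt;
        if (dt == null)
        {
            // ReadFromEvt already displayed the COM error; the original still reported
            // "读取完毕!" here, which hid the failure from the analyst.
            return;
        }
        MessageBox.Show("读取完毕!");
    }

    // Runs a Log Parser query against Windows event logs and returns the four display
    // columns as a DataTable, newest event first. Returns null after a COM failure
    // (the error is shown in a message box).
    //
    // `sql` is handed to Log Parser verbatim, including the FROM path. Callers must not
    // build it from untrusted text: an injected path or an added INTO clause changes which
    // file is read or written.
    public DataTable ReadFromEvt(string sql)
    {
        DataTable datat = new DataTable();
        datat.Columns.Add("事件ID", typeof(string));
        datat.Columns.Add("日期", typeof(string));
        datat.Columns.Add("来源", typeof(string));
        datat.Columns.Add("描述", typeof(string));

        LogQuery oLogQuery = null;
        EventLogInputFormat oEvtInputFormat = null;
        LogRecordSet oRecordSet = null;
        try
        {
            oLogQuery = new LogQuery();
            oEvtInputFormat = new EventLogInputFormat();
            // "BW" = read backwards, so the most recent events come out first.
            oEvtInputFormat.direction = "BW";

            oRecordSet = oLogQuery.Execute(sql, oEvtInputFormat);
            while (!oRecordSet.atEnd())
            {
                var itemData = oRecordSet.getRecord();
                DataRow dr = datat.NewRow();
                // Convert.ToString yields "" for a NULL field (e.g. Message when the
                // provider's message DLL is absent); .ToString() would throw a
                // NullReferenceException that the COMException handler does not catch.
                dr["事件ID"] = Convert.ToString(itemData.getValue("EventID"));
                dr["日期"] = Convert.ToString(itemData.getValue("TimeGenerated"));
                dr["来源"] = Convert.ToString(itemData.getValue("SourceName"));
                dr["描述"] = Convert.ToString(itemData.getValue("Message"));
                datat.Rows.Add(dr);
                oRecordSet.moveNext();
            }
            return datat;
        }
        catch (System.Runtime.InteropServices.COMException exc)
        {
            MessageBox.Show("Unexpected error: " + exc.Message);
            return null;
        }
        finally
        {
            // The original closed the recordset only on the success path; close and
            // release the COM objects on every exit so a failed query does not pin the
            // evidence file open until the GC runs the RCW finalizers.
            if (oRecordSet != null)
            {
                oRecordSet.close();
            }
            ReleaseCom(oRecordSet);
            ReleaseCom(oEvtInputFormat);
            ReleaseCom(oLogQuery);
        }
    }

    // Deterministically releases an RCW; a no-op for null or non-COM objects.
    private static void ReleaseCom(object comObject)
    {
        if (comObject != null && System.Runtime.InteropServices.Marshal.IsComObject(comObject))
        {
            System.Runtime.InteropServices.Marshal.ReleaseComObject(comObject);
        }
    }

    private void dataGridView1_CellContentClick(object sender, DataGridViewCellEventArgs e)
    {
    }
}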
}
可视化输出
-o:DATAGRID(注意参数前缀是半角连字符 "-";从网页复制时常被替换成全角破折号 "–",LogParser 会报无法识别的参数)
windows日志Strings字段提取
在提取的项目中发现其他比较简单,但是string这一项非常复杂,但是又比较重要。
使用函数EXTRACT_TOKEN(Strings, num, '|'),其中 num 从 0 开始计数。
Strings字段使用|对各项数据进行分割:EXTRACT_TOKEN(Strings, 0, '|')提取S-1-5-18,EXTRACT_TOKEN(Strings, 1, '|')提取DESKTOP-KJIHHDO$,以此类推。
(这里用隔壁的图说明一下
https://blog.csdn.net/qq_29647709)
例如:Strings字段按照|分段第5个值,把表头重命名为username
EXTRACT_TOKEN(Strings,5,'|') as username
例如:分析成功登录事件4624我们过滤出我们的想要提取的数据:
其中包括,第5项用户,第8项登录类型,第17项程序路径,以及我们关心的第18项源IP地址。(序号从0开始;这组序号只对4624有效,其他事件如4625的Strings字段顺序与之不同,复用到别的EventID之前应对照事件XML中EventData的字段顺序逐项核对,否则会把错误的字段当作来源IP。)
LogParser.exe -i:EVT -o:DATAGRID "SELECT TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,'|') as username,EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName,EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM E:\study\yj\security.evtx where EventID=4624"
在我们的c#程序中写入查询语句。注意整条语句(包括FROM后面的文件路径)会原样交给LogParser执行,如果路径来自界面输入,不要直接拼接进查询字符串,应先校验它是已存在的.evtx/.evt文件。
如:分析成功登录事件4624
我们过滤出我们的想要提取的数据:
其中包括,第5项用户,第8项登录类型,第17项程序路径,以及我们关心的第18项源IP地址。
LogParser.exe -i:EVT -o:DATAGRID "SELECT TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,'|') as username,EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName,EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM E:\study\yj\security.evtx where EventID=4624"
查看与登录相关的事件
Logparser -i:EVT -o:DATAGRID "SELECT * FROM E:\study\yj\security.evtx WHERE Strings LIKE '%logon%'"
查看登录审核失败日志的全部字段并可视化输出
Logparser.exe -i:EVT -o:DATAGRID "SELECT * FROM E:\study\yj\security.evtx where EventID=4625"
参考文章
https://www.jianshu.com/p/d325b4b1169c
http://blog.sina.com.cn/s/blog_54b976460100o8qt.html
https://blog.csdn.net/qq_29647709/article/details/85124105
https://www.t00ls.net/viewthread.php?tid=48067&highlight=%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94