一次簡(jiǎn)單的windows日志分析
版權(quán)所有,轉(zhuǎn)載請(qǐng)指明出處,并注明欠我一頓飯,哈哈...一次簡(jiǎn)單的windows日志分析 [2009.12.30]今天一位IT的同事問我有沒有EVT日志分析的工具.EVT?(什么來的?大汗!),查一下發(fā)現(xiàn)原來是windows2003的日志,在vista和win7下需要用另外的工具轉(zhuǎn)換,應(yīng)該是個(gè)數(shù)據(jù)庫文件格式的.轉(zhuǎn)換的工具叫l(wèi)ogparser,可以在windows的老家下載,具體路徑忘了,google一下吧.轉(zhuǎn)換的命令很簡(jiǎn)單,日志處理,我習(xí)慣是轉(zhuǎn)成文本格式:PS C:\Program Files\Log Parser 2.2> ./logparser -i:EVT "SELECT * INTO a.csv FROM 2003log.evt"Statistics:-----------Elements processed: 21533Elements output:    21533Execution time:     1.65 seconds看看上面的命令就知道是個(gè)數(shù)據(jù)庫操作了.不過我懶得看他的用法,直接扔linux下排一下序.同事要求是誰在暴力破解,簡(jiǎn)單看一下文件內(nèi)容.很簡(jiǎn)單的命令:$ iconv -f gb2312 -t utf8 a.csv |grep 預(yù)驗(yàn)證失敗 |egrep -o "([0-9]{1,3}\.){3}[0-9]{1,3}" |sort |uniq -c |sort -n2 192.168.54.992 192.168.6.2504 192.168.48.3230 192.168.54.19242432 192.168.54.73ok!完工.經(jīng)查找發(fā)現(xiàn)54.73這位兄弟中毒了.咔咔中間一個(gè)小插曲.iconv轉(zhuǎn)換編碼的時(shí)候,我用file來看a.csv的編碼格式,顯示ISO-8859,然后我就根據(jù)iconv支持的ISO-8859-N(N代表1到16)一個(gè)個(gè)試,結(jié)果試完一遍都轉(zhuǎn)換不出來.足足試了16次還是錯(cuò),惡心死我了.上網(wǎng)查一下windows編碼格式,大大的GB2312顯示出來,這才想起其實(shí)自己以前早就用gb2312轉(zhuǎn)換過了,怎么又忘了.惡心死了!好吧,既然上面的文件是個(gè)數(shù)據(jù)庫文件,那我就直接用數(shù)據(jù)庫語言來試試吧.先看一下原來數(shù)據(jù)庫文件的定義:EventLog,RecordNumber,TimeGenerated,TimeWritten,EventID,EventType,EventTypeName,EventCategory,EventCategoryName,SourceName,Strings,ComputerName,SID,Message,Data其中一條日志:C:\Program Files\Log Parser 2.2\2003log.evt,124,2009-12-29 16:03:06,2009-12-29 16:03:06,675,16,Failure Audit event,9,帳戶登錄,Security,huchunhong|%{S-1-5-21-2345678-1960275636-1381041710-15503}|krbtgt/ABTECSA.INTERNAL|0x2|0x12|192.168.54.73,DC,S-1-5-18,預(yù)驗(yàn)證失敗: 用戶名: huchunhong 用戶 ID: %{S-1-5-21-2345678-1960275636-1381041710-15503} 服務(wù)名: krbtgt/ABTECSA.INTERNAL 預(yù)驗(yàn)證類型: 0x2 失敗代碼: 0x12 客戶端地址: 192.168.54.73 ,發(fā)現(xiàn)所有需要的內(nèi)容都在Message字段里,而且不是真的在一個(gè)數(shù)據(jù)庫里面,所以不好搞.只能有把驗(yàn)證失敗的數(shù)據(jù)提出出來方便統(tǒng)計(jì):PS C:\Program Files\Log Parser 2.2> ./logparser -i:EVT "SELECT Message INTO a.csv FROM 2003log.evt 
where Message LIKE '%預(yù)驗(yàn)證失敗%'"進(jìn)一步,以整個(gè)Message字段來排個(gè)序,但還是不完美,想不到什么更好的辦法了:PS C:\Program Files\Log Parser 2.2> ./logparser -i:EVT "SELECT count(Message),Message into aa.csv FROM 2003log.evt where Message like '%驗(yàn)證失敗%' group by Message order by count(Message) desc"如果是MySQL的話可以自己創(chuàng)建一個(gè)統(tǒng)計(jì)ip的函數(shù),然后order by func(id)這樣的形式來根據(jù)ip排序,不過我還不懂這些.呵呵...自定義函數(shù)可以看看下面這里的說明,先留下記錄:http://dev.mysql.com/doc/refman/5.1/zh/extending-mysql.html#adding-functionsPS1:vista,win7或以后的windows不能直接用logparser來轉(zhuǎn)換,需要先用自帶的命令wevtutil把evt轉(zhuǎn)成新的evtx格式:wevtutil epl 2003log.evt 2003log.evtx /lf:trueevt是舊日志格式了,新的是evtxPS2:不喜歡用命令行的朋友看看下面這個(gè)圖形工具吧,logparser的GUI版,我習(xí)慣CLI直接忽略掉.http://blog.csdn.net/downmoon/archive/2009/09/02/4509513.aspx下面是logparser的一些使用技巧.!!!不是我寫的!!!========================-=zhumoqing=-1、導(dǎo)出為execl能打開的格式logparser -i:evt -o:csv "select * from c:\sec.evt" > d:sec.csvlogparser -i:evt -o:csv "select * from security" > d:sec.csvlogparser -i:evt -o:nat "select * into a.txt from security"logparser -i:evt -o:csv "select TimeGenerated,EventID,Message from c:\sec.evt" > d:sec.csvlogparser -i:evt -o:TPL -tpl:EventLogs.tpl "select * into b.html from d:\sec.evt"使用條件語句:SELECT TimeGenerated, EventTypeName, SourceName FROM System WHERE ( SourceName = 'Service Control Manager' AND EventID >= 7024) OR ( SourceName = 'W32Time')SELECT * FROM Security WHERE Message LIKE '%logon%'A、在iis日志中搜索特殊鏈接LogParser -o:csv "SELECT * into a.csv FROM iis.log where EXTRACT_EXTENSION(cs-uri-stem) LIKE 'asp'"B、最經(jīng)典的例子,對(duì)日志中的url進(jìn)行歸并統(tǒng)計(jì)LogParser -o:csv "SELECT cs-uri-stem, COUNT(*) into a.csv FROM iis.log GROUP BY cs-uri-stem"c、統(tǒng)計(jì)所有日志LogParser -o:csv "SELECT cs-uri-stem, COUNT(*)into a.csv FROM ex*.log GROUP BY cs-uri-stem"LogParser -i:iisw3c -o:csv "SELECT cs-uri-stem, COUNT(*)into a.csv FROM *.log GROUP BY cs-uri-stem"d、對(duì)文件后綴進(jìn)行排名LogParser -i:iisw3c -o:csv "SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, COUNT(*) into 
a.cssv FROM *.log GROUP BY PageType"e、得到所有的不重復(fù)的鏈接LogParser -i:iisw3c -o:csv "SELECT distinct cs-uri-stem into a.csv FROM *.log"2、生成百分比餅圖LogParser "SELECT EventID, COUNT(*) AS Times INTO Chart.gif FROM d:\tmp\sec.evt GROUP BY EventID ORDER BY Times DESC" -chartType:PieExploded3D -chartTitle:"Status Codes"3、http日志LogParser file:querytop.sql -o:chart -chartType:Bar3d -chartTitle:"TOP 10 URL"querytop.sql:SELECT TOP 10 cs-uri-stem AS Url,COUNT(*) AS HitsINTO Urls.gifFROM <1>GROUP BY UrlORDER BY Hits DESC4、在html頁面里找關(guān)鍵字Return the lines in an HTML document that contain links to other pages:LogParser "SELECT Text FROM http://www.microsoft.adatum.com WHERE Text LIKE '%href%'" -i:TEXTLINE5、MD5 Hashes of System FilesLogParser "SELECT Path, HASHMD5_FILE(Path) into a.txt FROM C:\Windows\System32\*.exe" -i:FS -recurse:06、Print the 10 largest files on the C: drive:LogParser "SELECT TOP 10 Path, Name, Size FROM C:\*.* ORDER BY Size DESC" -i:FS7、獲得本機(jī)登陸帳戶的查看LogParser.exe -o:nat "SELECT RESOLVE_SID(Sid) AS Account FROM Security WHERE EventID IN (540; 528)"8、獲得系統(tǒng)日志的分類詳細(xì)信息LogParser "SELECT DISTINCT SourceName, EventID,SourceName,message INTO Event_*.csv FROM security" -i:EVT -o:CSVLogParser "SELECT DISTINCT SourceName, EventID,SourceName,message INTO Event_*.csv FROM System" -i:EVT -o:CSV根據(jù)id分類LogParser "SELECT DISTINCT eventid, EventID,SourceName,message INTO Event_*.csv FROM System" -i:EVT -o:CSVLogParser "SELECT DISTINCT eventid, EventID,SourceName,message INTO Event_*.csv FROM security" -i:EVT -o:CSV9、生成圖形界面日志LogParser "SELECT 'Event ID:', EventID, SYSTEM_TIMESTAMP(),message FROM security" -i:EVT -o:datagrid10、生成一個(gè)Web頁面LogParser file:d:\EventLogs.sql?EventLog=security -o:TPL -tpl:d:\EventLogs.tplLogParser file:d:\EventLogs.sql?EventLog=system -o:TPL -tpl:d:\EventLogs.tpl11、在iis日志里查看返回代碼分布餅圖LogParser "SELECT sc-status, COUNT(*) AS Times INTO Chart.gif FROM iis.log GROUP BY sc-status ORDER BY Times DESC" -chartType:PieExploded3D -chartTitle:"Status 
Codes"12、在所有日志中手機(jī)前10位的排名LogParser file:querytop.sql -o:chart -chartType:Bar3d -chartTitle:"TOP 10 URL"querytop.sql:SELECT TOP 10 cs-uri-stem AS Url,COUNT(*) AS HitsINTO Urls.gifFROM ex*.logGROUP BY UrlORDER BY Hits DESC13、檢索目錄下所有文件的所有的信息logparser "select * into a.csv from c:\x-scan\*.*" -i:fs -o:csv查看每個(gè)源IP發(fā)了多少個(gè)包LogParser "SELECT srcip ,count(*) into a.csv FROM a.cap group by srcip" -fmode:tcpip -o:csv查看每個(gè)源端口的包的個(gè)數(shù)LogParser "SELECT srcport ,count(*) into a.csv FROM a.cap group by srcport" -fmode:tcpip -o:csv歸并所有srcip,dstip,srcport一樣的包,得到個(gè)數(shù)LogParser "SELECT srcip,dstip,srcport ,count(*) into a.csv FROM a.cap group by srcip,dstip,srcport" -fmode:tcpip -o:csv歸并所有tcpflags的包LogParser "SELECT srcip,srcport,dstip,dstport,tcpflags,count(*) into a.csv FROM a.cap where tcpflags='AF' group by srcip,srcport,dstip,dstport,tcpflags" -fmode:tcpip -o:csvtcpflags的分布餅圖LogParser "SELECT tcpflags,count(*) into a.gif FROM a.cap group by tcpflags " -fmode:tcpip -chartType:PieExploded3D -chartTitle:"Status Codes"LogParser "SELECT tcpflags,count(*) into a.csv FROM a.cap group by tcpflags " -fmode:tcpip -o:csv
