I often have to work with windows log files during incident response and every time it’s a very frustrating experience. Honestly, I think Windows logging system needs a complete rework. Windows logs for the most part completely useless with their cryptic messages, thousands of undocumented events and lack of any easy interface to work with. It always baffle me why you can’t filter or search easily by most interesting fields like Account Name or Source IP in Event Viewer.
So I started to look for a solution to this problem. I wasn’t able to find anything at first and started to develop my own parser based on XML format of logs(which is a mess itself). Half way through I discovered an easier way with Powershell and Logparser.
Turns out powershell have Get-WinEvent cmdlet to work with event logs. However, it still doesn’t allow you to query individual fields, which is what we want. But I figured out a way to do this, which involve converting event log to xml on the fly and leverage powershell pipeline capabilities to parse it. It allows you to leverage all powershell features to work with logs, such as selecting certain fields and aggregating on values. It works and all you need to have is powershell, which is great, but the downside for this is speed – it is a slow process, especially for big files. You also can’t search easily, i.e. display all fields for a particular user.
Take a look at examples:
Then I discovered a tool developed by Microsoft – Logparser.
This tool is so powerful – basically it allows you to use SQL language to query information from various files like XML, CSV and EVTX. I am not sure why, but this tool was abandoned since 2005, nonetheless it still works. It also very fast, with most queries taking seconds to complete. This is what I am using to quickly answer questions like:
Who logged into machine?
What IP addresses was used for Administrator account?
What a specific user did?
What firewall rules was created?
Take a look at my examples here(I usually run those from powershell console):