{"id":130257,"date":"2009-11-12T14:10:00","date_gmt":"2009-11-12T19:10:00","guid":{"rendered":"tag:blogger.com,1999:blog-7196788127833928948.post-83222016980090942"},"modified":"2009-11-12T14:10:00","modified_gmt":"2009-11-12T19:10:00","slug":"analysis-of-windows-security-logs-with-ms-log-parser","status":"publish","type":"post","link":"https:\/\/mereja.media\/index\/130257","title":{"rendered":"Analysis of Windows Security Logs with MS Log Parser"},"content":{"rendered":"

When investigating an intrusion in a Windows system, one of the first places to start is the Windows security log. Security event log is also very useful for analysis when searching for anomalies and possible intrusions.<\/p>\n

Reading through a Windows security log or any other log can be very difficult and time consuming, so a lot of companies have created their own tools to analyze windows event logs. But before you start going commerical, there is a tool that will get you going without any cost. Against all odds, it’s a tool made by Microsoft!<\/p>\n

The tool<\/span>
The tool in question is Microsoft Log parser<\/a>. Log parser is a command line tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. So, you can use it to analyze most structured text based files and the eventlog and AD on a single computer.<\/p>\n

You can query remote computers on the network, as long as the credentials that Log parser is running under can access the data sources on the remote computers.<\/p>\n

For Security Log, you need to run Log Parser as administrator<\/span>
Note that this tool doesn’t collect data from multiple computers, it just analyzes data in a single file\/single computer repository.<\/p>\n

The improved interface<\/span>
In it’s original form, Log Parser is a command line tool, so it is not the most user friendly tool in the world. Also, it has no way of saving\/storing your prepared queries so you can invoke them later. But a promising developer named Dimce Kuzmanov created a free frontend to Log parser called Log Parser Lizard<\/a>.<\/p>\n

\"\"<\/a>
Log Parser Lizard enables you to store the prepared queries, and organizes them by type of data source on which you wish to do an analysis. It also includes the ability to export results to Excel, autogenerates charts<\/span> on the result of the executed query, or ability to export the queried subset into the original format from which the analysis was performed.<\/p>\n

Analyzing the Security Log with Log Parser Lizard<\/span>
Using Log Parser Lizard for Security Log analysis is very simple. Choose the Queries button and select the Event Logs category, then create the queries that you need for your analysis. Here are some examples:<\/p>\n