(PC operation at home) Collecting events with your own batch

Collecting Windows event logs at home

I have a Windows 10 desktop PC at home, and collecting its event logs regularly is one of my routine operations tasks.

- System-related events: updates and time synchronization.
- Security-related events: logon times, account changes, and so on.
- Windows Defender-related events: scans and updates.

I collect these event logs with a batch of my own. It does the following:

- Retrieve the above three kinds of event logs and save each to a text file (the event log file).
- Parse the event log file, tally the number of occurrences per event ID, and save the result to a text file (the event analysis file).
- Parse the event log file and save notable events to a text file (the event notification file).
- Parse the event log file and raise an alarm for notable events that need immediate notification.

Batch features

- The batch consists of the following three files. All files are SJIS encoded; the batch files are placed in the same location, and the jar is placed under a java folder at the same level as the batch.

Output example

Event analysis file

----------------------------------------
[Number of events]

Event:(information)-5xxx 5 cases......(Event ID description)
Event:(information)-4xxx 30 cases......(Event ID description)
Event:(information)-5xxx 5 cases......(Event ID description)
Event:(information)-4xxx 5 cases......(Event ID description)
Event:(information)-4xxx 1 case......(Event ID description)
Event:(information)-4xxx 1 case......(Event ID description)
Event:(information)-5xxx 100 cases......(Event ID description)
Event:(information)-4xxx 30 cases......(Event ID description)
Event:(information)-4xxx 5 cases......(Event ID description)
Event:(information)-4xxx 100 cases......(Event ID description)
Event:(information)-4xxx 30 cases......(Event ID description)
Event:(information)-4xxx 5 cases......(Event ID description)
Event:(information)-4xxx 5 cases......(Event ID description)

----------------------------------------
[Event details]
...(Contents of each event analyzed from the event log dump)
...(Contents of each event analyzed from the event log dump)
...(Contents of each event analyzed from the event log dump)

Event notification file

[REPORT]2020-12-10T02:07:29.582,information,(19 Successful installation:...)
[REPORT]2020-12-10T23:49:40.691,information,(19 Successful installation:...)
[REPORT]2020-12-10T22:51:35.810,information,(35 Perform time synchronization)
[HEAD]2020/12/10 23:50:10,No abnormality

Batch code

getEventLog.bat

Since it is long, only a partial excerpt is shown.

- wevtutil collects the event logs.
- The collection range is given as a date and time with @SystemTime. Because @SystemTime is in GMT, the query below collects events from 23:50 (local time) on the previous day up to the present.
- %SYSTEM_EVENT_LOG_WORK_FILE% and %MYSHELL_NAME% are omitted from the explanation; variables such as %SYSTEM_EVENT_LOG_WORK_FILE% are simply the output file paths and can be anything.
- Security event logs and Windows Defender event logs are collected in the same way as system events.
- Note that security events can only be retrieved when the batch is run with administrator privileges.
- Windows Defender events are collected from 30 days back.

rem Get the previous day and store it in a variable
for /f "usebackq delims=" %%a in (`powershell "(get-date).AddDays(-1).ToString(\"yyyy-MM-dd\")"`) do set DATE_YESTERDAY=%%a
for /f "usebackq delims=" %%a in (`powershell "(get-date).AddDays(-30).ToString(\"yyyy-MM-dd\")"`) do set DATE_BEFMONTH=%%a

rem system event log
wevtutil qe System /f:Text "/q:*[System[TimeCreated[@SystemTime>='%DATE_YESTERDAY%T14:50:00']]]" > %SYSTEM_EVENT_LOG_WORK_FILE%
if not %errorlevel% == 0 (
    echo [ERROR]wevtutil (system) execution error
    echo [END]%MYSHELL_NAME%
    exit /b %EXIT_CODE_ERROR%
)

rem security event log
wevtutil qe Security /f:Text "/q:*[System[TimeCreated[@SystemTime>='%DATE_YESTERDAY%T14:50:00']]]" > %SECUTITY_EVENT_LOG_WORK_FILE%
rem (Omitted error handling)

rem Windows Defender event log
wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:Text "/q:*[System[TimeCreated[@SystemTime>='%DATE_BEFMONTH%T14:50:00']]]" > %DEFENDER_EVENT_LOG_WORK_FILE%
rem (Omitted error handling)

- The collected event log files are analyzed with nnnmu24-local-eventlog.jar.
- The jar takes four arguments: the mode, the event log file path, the event analysis file path, and the event notification file path. The mode selects System, Security, or Windows Defender and is one of [1, 2, 3].

rem system event log
java -jar %JARMJ% 1 %SYSTEM_EVENT_LOG_WORK_FILE% %SYSTEM_EVENT_LOG_PARSE_FILE% %REPORT_PATH%
if not %errorlevel% == 100 if not %errorlevel% == 109 (
    echo [ERROR]java (system) execution error
    echo [END]%MYSHELL_NAME%
    exit /b %EXIT_CODE_ERROR%
)

rem security event log
java -jar %JARMJ% 2 %SECUTITY_EVENT_LOG_WORK_FILE% %SECUTITY_EVENT_LOG_PARSE_FILE% %REPORT_PATH%
rem (Omitted error handling)

rem Windows Defender event log
java -jar %JARMJ% 3 %DEFENDER_EVENT_LOG_WORK_FILE% %DEFENDER_EVENT_LOG_PARSE_FILE% %REPORT_PATH%
rem (Omitted error handling)

nnnmu24-local-eventlog.jar

Since it is long, only a partial excerpt is shown.

- Parsing the event log file is not complicated. The string at the start of each line is checked, the line is classified by its event label ("Log Name:", "Event ID:", and so on), and the value is stored in an object.
- After that, the analysis of individual events is run. I think the code below could be shortened with some ingenuity, but it is written out plainly.

// lines: the event log file read line by line. eventLogDtoList, eventCountMap (event ID -> count)
// and eventLevelMap (event ID -> level) are declared outside this excerpt.
EventLogDto eventLogDto = new EventLogDto();
for (String line: lines) {
    if (line.startsWith("Event[")) {
        // "Event[n]:" starts a new record in wevtutil's text output
        eventLogDto = new EventLogDto();
        eventLogDtoList.add(eventLogDto);
        eventLogDto.setEvent(line);
    } else if (line.startsWith("  Log Name: ")) {
        eventLogDto.setLogName(line.substring("  Log Name: ".length()));
    } else if (line.startsWith("  Source: ")) {
        eventLogDto.setSource(line.substring("  Source: ".length()));
    } else if (line.startsWith("  Date: ")) {
        eventLogDto.setDate(line.substring("  Date: ".length()));
    } else if (line.startsWith("  Event ID: ")) {
        String eventId = line.substring("  Event ID: ".length());
        eventLogDto.setEventId(eventId);
        // count occurrences per event ID
        eventCountMap.computeIfAbsent(eventId, k -> 0);
        eventCountMap.computeIfPresent(eventId, (k, v) -> v + 1);
    } else if (line.startsWith("  Task: ")) {
        eventLogDto.setTask(line.substring("  Task: ".length()));
    } else if (line.startsWith("  Level: ")) {
        String level = line.substring("  Level: ".length());
        level = level.substring(0, 2); // keep the first two characters; enough to tell the level names apart
        eventLogDto.setLevel(level);
        eventLevelMap.put(eventLogDto.getEventId(), level);
    } else if (line.startsWith("  Opcode: ")) {
        eventLogDto.setOpcode(line.substring("  Opcode: ".length()));
    } else if (line.startsWith("  Keyword: ")) {
        eventLogDto.setKeyword(line.substring("  Keyword: ".length()));
    } else if (line.startsWith("  User: ")) {
        eventLogDto.setUser(line.substring("  User: ".length()));
    } else if (line.startsWith("  User Name: ")) {
        eventLogDto.setUserName(line.substring("  User Name: ".length()));
    } else if (line.startsWith("  Computer: ")) {
        eventLogDto.setComputer(line.substring("  Computer: ".length()));
    } else if (line.startsWith("  Description: ")) {
        // header only; the message body follows on the next lines
    } else if (line.equals("")) {
        // blank separator line
    } else {
        // anything else is part of the event message
        eventLogDto.addDetail(line);
    }
}

- Some events are analyzed individually.
- For time synchronization and virus scan execution, only the latest occurrence is written to the event notification file.
- The 4624 logon event is handled by a class called PersonalParser_4624, which analyzes the detailed event message and reports the logon trigger to the event notification file.

// Returns the notification lines for one event, or null when no individual rule applies.
private List<String> parseElement(EventLogDto element) {

    PersonalParserIf personalParser = null;
    if (mode == Const.MODE_SYSTEM) {
        switch (element.getEventId()) {
        case "35":
            //Event ID to notify only the latest
            latestEventLogDtoMap.put(element.getEventId(), element);
            break;
        default:
            break;
        }
    } else if (mode == Const.MODE_DEFENDER) {
        switch (element.getEventId()) {
        case "1001":
        case "2000":
        case "2002":
            //Event ID to notify only the latest
            latestEventLogDtoMap.put(element.getEventId(), element);
            break;
        default:
            break;
        }
    } else if (mode == Const.MODE_SECURITY) {
        switch (element.getEventId()) {
        case "4624":
            //Judgment by individual rules
            personalParser = new PersonalParser_4624();
            break;
        default:
            break;
        }
    }

    if (personalParser == null) {
        return null;
    }
    return personalParser.parse(element);
}
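The two passages above (the line-by-line parsing of the wevtutil text dump, and the per-event rules: latest occurrence only for 35/1001/2000/2002, a dedicated rule for 4624) as one added Python example; this is not code from the post or from the jar. The sample dump is constructed, and reading "Logon Type" out of the 4624 message body is my assumption about what a 4624 rule could check, since PersonalParser_4624 is not shown.

```python
import re
from collections import Counter
# Constructed sample in the layout "wevtutil qe <log> /f:Text" writes (not a real dump).
SAMPLE = """\
Event[0]:
  Date: 2020-12-10T22:51:35.810
  Event ID: 35
  Description: 

Event[1]:
  Date: 2020-12-10T23:40:12.000
  Event ID: 4624
  Description: 
An account was successfully logged on.
\tLogon Type:\t\t10

Event[2]:
  Date: 2020-12-11T22:51:40.100
  Event ID: 35
  Description: 
"""
HEADERS = ("Log Name", "Source", "Date", "Event ID", "Task", "Level", "Computer")

def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.startswith("Event["):                      # record separator
            events.append({"detail": []})
        elif events and line and not line.startswith("  Description:"):
            for h in HEADERS:
                if line.startswith(f"  {h}: "):
                    events[-1][h] = line[len(h) + 4:]    # strip "  <h>: "
                    break
            else:                                          # no header matched: message body
                events[-1]["detail"].append(line)
    return events

def analyze(events, latest_only=("35", "1001", "2000", "2002")):
    counts = Counter(e["Event ID"] for e in events)
    reports, latest = [], {}
    for e in events:
        eid = e["Event ID"]
        if eid in latest_only:                   # time sync / scans: newest occurrence wins
            if eid not in latest or e["Date"] > latest[eid]["Date"]:
                latest[eid] = e                  # ISO-8601 dates compare correctly as strings
        elif eid == "4624":                      # assumed rule: Logon Type from the message body
            m = re.search(r"Logon Type:\s*(\d+)", "\n".join(e["detail"]))
            reports.append(f"[REPORT]{e['Date']},(4624 Logon Type {m.group(1) if m else '?'})")
    reports += [f"[REPORT]{e['Date']},({i} latest)" for i, e in latest.items()]
    return counts, reports
```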
