• Log Parser usage notes


    1. Export to a format Excel can open
    logparser -i:evt -o:csv "select * from c:\sec.evt" > d:\sec.csv
    logparser -i:evt -o:csv "select * from security" > d:\sec.csv
    logparser -i:evt -o:nat "select * into a.txt from security"

    logparser -i:evt -o:csv "select TimeGenerated,EventID,Message from c:\sec.evt" > d:\sec.csv

    logparser -i:evt -o:TPL -tpl:EventLogs.tpl "select * into b.html from d:\sec.evt"


    Using WHERE conditions:
    SELECT TimeGenerated, EventTypeName, SourceName FROM System
    WHERE ( SourceName = 'Service Control Manager' AND EventID >= 7024) OR
    ( SourceName = 'W32Time')

    SELECT * FROM Security
    WHERE Message LIKE '%logon%'


    A. Search the IIS log for particular links (here: requests for .asp pages)
    LogParser -o:csv "SELECT * into a.csv FROM iis.log where EXTRACT_EXTENSION(cs-uri-stem) LIKE 'asp'"

    B. The classic example: aggregate and count the URLs in the log
    LogParser -o:csv "SELECT cs-uri-stem, COUNT(*) into a.csv FROM iis.log GROUP BY cs-uri-stem"

    C. Count across all log files
    LogParser -o:csv "SELECT cs-uri-stem, COUNT(*) into a.csv FROM ex*.log GROUP BY cs-uri-stem"
    LogParser -i:iisw3c -o:csv "SELECT cs-uri-stem, COUNT(*) into a.csv FROM *.log GROUP BY cs-uri-stem"

    D. Rank by file extension
    LogParser -i:iisw3c -o:csv "SELECT EXTRACT_EXTENSION(cs-uri-stem) AS PageType, COUNT(*) into a.csv FROM *.log GROUP BY PageType"

    E. Get all distinct links
    LogParser -i:iisw3c -o:csv "SELECT distinct cs-uri-stem into a.csv FROM *.log"

    2. Generate a pie chart of percentages
    LogParser "SELECT EventID, COUNT(*) AS Times INTO Chart.gif FROM d:\tmp\sec.evt GROUP BY EventID ORDER BY Times DESC" -chartType:PieExploded3D -chartTitle:"Status Codes"


    3. HTTP logs
    LogParser file:querytop.sql -o:chart -chartType:Bar3d -chartTitle:"TOP 10 URL"

    querytop.sql:
    SELECT TOP 10 cs-uri-stem AS Url,
    COUNT(*) AS Hits
    INTO Urls.gif
    FROM <1>
    GROUP BY Url
    ORDER BY Hits DESC

    4. Find keywords in an HTML page
    Return the lines in an HTML document that contain links to other pages:
    LogParser "SELECT Text FROM http://www.microsoft.adatum.com WHERE Text LIKE '%href%'" -i:TEXTLINE


    5. MD5 hashes of system files
    LogParser "SELECT Path, HASHMD5_FILE(Path) into a.txt FROM C:\Windows\System32\*.exe" -i:FS -recurse:0


    6. Print the 10 largest files on the C: drive:
    LogParser "SELECT TOP 10 Path, Name, Size FROM C:\*.* ORDER BY Size DESC" -i:FS


    7. View the accounts that logged on to this machine
    LogParser.exe -o:nat "SELECT RESOLVE_SID(Sid) AS Account FROM Security WHERE EventID IN (540; 528)"


    8. Get categorized details from the event logs (one CSV per SourceName, via the * in the INTO filename)
    LogParser "SELECT DISTINCT SourceName, EventID,SourceName,message INTO Event_*.csv FROM security" -i:EVT -o:CSV
    LogParser "SELECT DISTINCT SourceName, EventID,SourceName,message INTO Event_*.csv FROM System" -i:EVT -o:CSV
    Split by event ID instead
    LogParser "SELECT DISTINCT eventid, EventID,SourceName,message INTO Event_*.csv FROM System" -i:EVT -o:CSV
    LogParser "SELECT DISTINCT eventid, EventID,SourceName,message INTO Event_*.csv FROM security" -i:EVT -o:CSV


    9. Display the log in a graphical data grid
    LogParser "SELECT 'Event ID:', EventID, SYSTEM_TIMESTAMP(),message FROM security" -i:EVT -o:datagrid


    10. Generate a web page
    LogParser file:d:\EventLogs.sql?EventLog=security -o:TPL -tpl:d:\EventLogs.tpl
    LogParser file:d:\EventLogs.sql?EventLog=system -o:TPL -tpl:d:\EventLogs.tpl


    11. Pie chart of the response-code distribution in an IIS log
    LogParser "SELECT sc-status, COUNT(*) AS Times INTO Chart.gif FROM iis.log GROUP BY sc-status ORDER BY Times DESC" -chartType:PieExploded3D -chartTitle:"Status Codes"
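As an added example (not from the original post), a small Python script that parses an IIS W3C log and reproduces the aggregations of sections B, D and 11 (top URLs, extension ranking, status-code distribution) without Log Parser; the log lines are constructed and the function names are my own:

```python
from collections import Counter

# Constructed sample IIS W3C log (not from the page). The "#Fields:" directive
# names the columns, which is how Log Parser's IISW3C input format reads them.
SAMPLE_W3C_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2012-07-26 00:00:01 10.0.0.5 GET /index.asp - 200
2012-07-26 00:00:02 10.0.0.5 GET /images/logo.gif - 200
2012-07-26 00:00:03 10.0.0.9 GET /index.asp id=1 200
2012-07-26 00:00:04 10.0.0.9 GET /admin/login.asp - 404
2012-07-26 00:00:05 10.0.0.7 GET /style.css - 304
2012-07-26 00:00:06 10.0.0.7 GET /index.asp - 500
"""

def parse_w3c(text):
    """Parse W3C extended log text into one dict per request line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names follow the directive
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed lines instead of failing
                rows.append(dict(zip(fields, values)))
    return rows

def extract_extension(uri_stem):
    """Like Log Parser's EXTRACT_EXTENSION(): text after the last '.' of the last path segment."""
    name = uri_stem.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""

def count_by(rows, key_fn):
    """GROUP BY key, COUNT(*) ... ORDER BY Hits DESC; ties broken by key so results are stable."""
    counts = Counter(key_fn(r) for r in rows)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def top_urls(rows, n=10):   # section B / 12: SELECT TOP n cs-uri-stem, COUNT(*) ... GROUP BY
    return count_by(rows, lambda r: r["cs-uri-stem"])[:n]

def page_types(rows):       # section D: GROUP BY EXTRACT_EXTENSION(cs-uri-stem)
    return count_by(rows, lambda r: extract_extension(r["cs-uri-stem"]))

def status_codes(rows):     # section 11: GROUP BY sc-status
    return count_by(rows, lambda r: r["sc-status"])

if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_W3C_LOG)
    print("TOP URL:", top_urls(rows))
    print("PageType:", page_types(rows))
    print("sc-status:", status_codes(rows))
```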

    12. Top 10 URL ranking across all logs
    LogParser file:querytop.sql -o:chart -chartType:Bar3d -chartTitle:"TOP 10 URL"

    querytop.sql:

    SELECT TOP 10 cs-uri-stem AS Url,
    COUNT(*) AS Hits
    INTO Urls.gif
    FROM ex*.log
    GROUP BY Url
    ORDER BY Hits DESC

    13. List all information about every file in a directory
    logparser "select * into a.csv from c:\x-scan\*.*" -i:fs -o:csv


    How many packets each source IP sent
    LogParser "SELECT srcip ,count(*) into a.csv FROM a.cap group by srcip" -fmode:tcpip -o:csv

    Packet count per source port
    LogParser "SELECT srcport ,count(*) into a.csv FROM a.cap group by srcport" -fmode:tcpip -o:csv

    Aggregate packets with the same srcip, dstip and srcport and count them
    LogParser "SELECT srcip,dstip,srcport ,count(*) into a.csv FROM a.cap group by srcip,dstip,srcport" -fmode:tcpip -o:csv

    Aggregate packets by TCP flags (here only those with flags 'AF')
    LogParser "SELECT srcip,srcport,dstip,dstport,tcpflags,count(*) into a.csv FROM a.cap where tcpflags='AF' group by srcip,srcport,dstip,dstport,tcpflags" -fmode:tcpip -o:csv

    Pie chart of the TCP flag distribution
    LogParser "SELECT tcpflags,count(*) into a.gif FROM a.cap group by tcpflags" -fmode:tcpip -chartType:PieExploded3D -chartTitle:"Status Codes"
    LogParser "SELECT tcpflags,count(*) into a.csv FROM a.cap group by tcpflags" -fmode:tcpip -o:csv

  • Original source: https://www.cnblogs.com/swordzj/p/2608626.html