I would like to know how to filter syslog messages so that I only get the ones I am interested in on Windows 10.
For example, I want to get syslog messages when user identification/authentication fails or succeeds.
I found that on Linux I have to modify the file /etc/rsyslog.conf, but I still don't understand how to do this on Windows 10.
Answer 1
> How do I filter syslog messages to only get the ones I am interested in on Windows 10?

Windows does not use syslog to store information about system events such as user identification/authentication.
However, it has a system event log that can be viewed with the Windows Event Viewer.
See "Filter by event identifier" for instructions on how to filter by specific events.
To track user identification/authentication, you need to look for the following events:
- 4624: An account was successfully logged on
- 4625: An account failed to log on
- 4626: User/Device claims information
- 4627: Group membership information
- 4634: An account was logged off
- 4646: IKE DoS-prevention mode started
- 4647: User initiated logoff
- 4648: A logon was attempted using explicit credentials
- 4649: A replay attack was detected
- 4650: An IPsec Main Mode security association was established
- 4651: An IPsec Main Mode security association was established
- 4652: An IPsec Main Mode negotiation failed
- 4653: An IPsec Main Mode negotiation failed
- 4654: An IPsec Quick Mode negotiation failed
- 4655: An IPsec Main Mode security association ended
- 4672: Special privileges assigned to new logon
- 4675: SIDs were filtered
- 4778: A session was reconnected to a Window Station
- 4779: A session was disconnected from a Window Station
- 4800: The workstation was locked
- 4801: The workstation was unlocked
- 4802: The screen saver was invoked
- 4803: The screen saver was dismissed
- 4964: Special groups have been assigned to a new logon
- 4976: During Main Mode negotiation, IPsec received an invalid negotiation packet
- 4977: During Quick Mode negotiation, IPsec received an invalid negotiation packet
- 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet
- 4979: IPsec Main Mode and Extended Mode security associations were established
- 4980: IPsec Main Mode and Extended Mode security associations were established
- 4981: IPsec Main Mode and Extended Mode security associations were established
- 4982: IPsec Main Mode and Extended Mode security associations were established
- 4983: An IPsec Extended Mode negotiation failed
- 4984: An IPsec Extended Mode negotiation failed
- 5378: The requested credentials delegation was disallowed by policy
- 5451: An IPsec Quick Mode security association was established
- 5452: An IPsec Quick Mode security association ended
- 5453: An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started
- 5632: A request was made to authenticate to a wireless network
- 5633: A request was made to authenticate to a wired network
- 6272: Network Policy Server granted access to a user
- 6273: Network Policy Server denied access to a user
- 6274: Network Policy Server discarded the request for a user
- 6275: Network Policy Server discarded the accounting request for a user
- 6276: Network Policy Server quarantined a user
- 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy
- 6278: Network Policy Server granted full access to a user because the host met the defined health policy
- 6279: Network Policy Server locked the user account due to repeated failed authentication attempts
- 6280: Network Policy Server unlocked the user account
Source: Windows Security Log Encyclopedia, filtered by "Logon/Logoff" and "Win2008, Win2012R2, Win2016 and Win10+".
Further reading
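The answer above points at Event Viewer for filtering by event ID. As an added example that is not part of the original post, the PowerShell script below does the same filtering from the command line: it pulls logon success and failure events (4624 and 4625, two of the IDs listed above) from the Security log, reads the fields from each event's XML `EventData`, and tabulates failed logons per account. The parameter names (`$Hours`, `$MaxEvents`) are this example's own; reading the Security log requires an elevated PowerShell session, and the `TargetUserName`, `TargetDomainName`, `LogonType`, `IpAddress` and `Status` field names are the standard data names carried by those two events.

```powershell
# Added example, not from the original post: list logon success/failure
# events from the Windows Security log and summarize failures per account.
# Run from an elevated PowerShell session (the Security log needs it).
param(
    [int]$Hours = 24,      # look-back window (assumed parameter name)
    [int]$MaxEvents = 500  # cap on events read (assumed parameter name)
)

# Equivalent of an Event Viewer filter on the Security log for IDs 4624/4625
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

# Each event's payload is an XML document; the <Data Name="..."> elements
# under <EventData> carry the account, logon type and source address.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Outcome   = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        User      = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        LogonType = $data['LogonType']   # e.g. 2 interactive, 3 network, 10 remote interactive
        SourceIp  = $data['IpAddress']
        Status    = $data['Status']      # NTSTATUS code, populated on 4625 only
    }
}

# Chronological view of who logged on (or failed to) from where
$rows | Sort-Object Time | Format-Table -AutoSize

# Failed logons grouped by account: repeated failures against one account
# are the signal you would want to alert on
$rows | Where-Object Outcome -eq 'Failure' |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

If the `Security` log returns nothing, check that the "Audit Logon" subcategory is enabled in the local audit policy (`auditpol /get /category:Logon/Logoff`); on a default Windows 10 client only successful logons may be recorded, so 4625 will be absent until failure auditing is turned on.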