Windows Event Logs
Get available Logs
PowerShell logs
Event logs available
Event Logs per Application Source
Event Logs per Severity Level
Critical Logs
Error Logs
Warning Logs
Information Logs
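The queries behind the headings above, as an added example that is not code from the original page: list the logs that actually hold records, find the PowerShell channels, and pull events by application source (provider) and by severity level with Get-WinEvent. It assumes a Windows host with Windows PowerShell 5.1 or later; reading the Security log needs an elevated session, and the provider name used in the usage lines is only an illustration.

```powershell
# Added example (not from the original page): live event log triage with Get-WinEvent.

# 1. Logs that contain records, most recently written first
function Get-PopulatedLogs {
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object RecordCount -gt 0 |
        Sort-Object LastWriteTime -Descending |
        Select-Object LogName, RecordCount, LastWriteTime, IsEnabled
}

# 2. PowerShell channels. Script block logging lands in
#    Microsoft-Windows-PowerShell/Operational as event ID 4104.
function Get-PowerShellLogs {
    Get-WinEvent -ListLog *PowerShell* -ErrorAction SilentlyContinue |
        Select-Object LogName, RecordCount, IsEnabled
}

# 3. Events per application source (provider), across every channel the provider writes to.
#    'Get-WinEvent -ListProvider <name>' shows which channels those are.
function Get-EventsByProvider {
    param([Parameter(Mandatory)][string]$ProviderName, [int]$Max = 50)
    Get-WinEvent -FilterHashtable @{ ProviderName = $ProviderName } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message
}

# 4. Events per severity level. Level values: 1 Critical, 2 Error, 3 Warning, 4 Information
#    (0 is LogAlways; leaving Level out of the hashtable returns every level).
$LevelMap = @{ Critical = 1; Error = 2; Warning = 3; Information = 4 }
function Get-EventsByLevel {
    param(
        [Parameter(Mandatory)][ValidateSet('Critical','Error','Warning','Information')][string]$Level,
        [string[]]$LogName = @('System','Application'),
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$Max = 200
    )
    Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Level     = $LevelMap[$Level]
        StartTime = $Since
    } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, ProviderName, Id, Message
}

# Usage (provider name is just an illustration; pick one from Get-WinEvent -ListProvider *)
Get-PopulatedLogs | Select-Object -First 10 | Format-Table -AutoSize
Get-PowerShellLogs | Format-Table -AutoSize
Get-EventsByProvider -ProviderName 'Service Control Manager' | Format-Table -AutoSize
Get-EventsByLevel -Level Critical | Format-Table -AutoSize
Get-EventsByLevel -Level Error -LogName 'Application' |
    Group-Object ProviderName | Sort-Object Count -Descending | Select-Object Count, Name
```

Grouping the Error level by provider, as in the last line, is usually a faster way into an unfamiliar host than reading events one by one.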
Event Logs for offline analysis
Event logs (.evtx files) are stored under %SystemRoot%\System32\winevt\Logs
OR:
Copy all event logs:
Note: More information can be found here. Special thanks to Brimor Labs.
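The collection and offline-query steps above, as an added example that is not code from the original page or from Brimor Labs: export every populated channel with wevtutil, keep a raw copy of the .evtx files with their hashes, then query the copies with Get-WinEvent -Path. The case folder path is an assumption; run it elevated.

```powershell
# Added example (not from the original page): collect event logs for offline analysis.

function Export-AllEventLogs {
    param([Parameter(Mandatory)][string]$Destination)   # e.g. C:\Case\Logs (assumed)
    $exportDir = Join-Path $Destination 'exported'
    $rawDir    = Join-Path $Destination 'raw'
    New-Item -ItemType Directory -Path $exportDir, $rawDir -Force | Out-Null

    # 'wevtutil epl' asks the Event Log service for a consistent export of each channel,
    # which works even while the service holds the file open.
    foreach ($log in (Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Where-Object RecordCount -gt 0)) {
        # Channel names such as Microsoft-Windows-PowerShell/Operational contain characters
        # that are not valid in a file name.
        $file = Join-Path $exportDir (($log.LogName -replace '[\\/:*?"<>|]', '_') + '.evtx')
        & wevtutil.exe epl $log.LogName $file /ow:true
    }

    # The raw files keep their original NTFS timestamps; these are what you hash as evidence.
    $logDir = Join-Path $env:SystemRoot 'System32\winevt\Logs'
    Copy-Item -Path (Join-Path $logDir '*.evtx') -Destination $rawDir -Force -ErrorAction SilentlyContinue

    Get-ChildItem $Destination -Filter *.evtx -Recurse |
        Get-FileHash -Algorithm SHA256 |
        Export-Csv (Join-Path $Destination 'hashes.csv') -NoTypeInformation
}

function Search-OfflineLogs {
    param(
        [Parameter(Mandatory)][string]$Path,   # folder of .evtx copies
        [int[]]$EventId,
        [datetime]$Since,
        [int]$Max = 500
    )
    # FilterHashtable accepts a list of files under 'Path', so one query spans every copied channel.
    $filter = @{ Path = (Get-ChildItem $Path -Filter *.evtx -Recurse).FullName }
    if ($EventId) { $filter['Id'] = $EventId }
    if ($Since)   { $filter['StartTime'] = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ContainerLog, Id, ProviderName, Message
}

# Usage
Export-AllEventLogs -Destination 'C:\Case\Logs'
Search-OfflineLogs -Path 'C:\Case\Logs\exported' -EventId 4624, 4625, 1102 -Since (Get-Date).AddDays(-7) |
    Format-Table -AutoSize
```

When the copies are read on an analysis machine that lacks the originating host's provider manifests, Get-WinEvent still returns the events but the Message field may be empty; the XML view (`$event.ToXml()`) keeps the raw data.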
mdb Files are found at the below:
More information available on the CrowdStrike Blog - Patrick Bennett
Quickly scan event logs with DeepBlueCLI
Event Tracing for Windows (ETW).
Event tracing is the mechanism by which a provider (an application or kernel component that contains event tracing instrumentation) emits events that a trace session collects for a consumer. The Windows Event Log service is itself an ETW consumer: the channels shown in Event Viewer are fed by trace sessions, so this is how event logs are generated, and it is also a point at which they can be tampered with (stopping a session or removing a provider from it silences a channel without touching the .evtx files). More information on this architecture can be found below.
A great post by Matt Graeber goes into some depth on how this works and some common ways of interacting with ETW Traces.
List Running Trace Sessions
List Providers That a Trace Session is Subscribed to
List all ETW Providers
View which providers a process is sending events to
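The four enumeration steps above, as an added example that is not code from the original page or from Matt Graeber's post: wrap logman.exe so the running sessions, a session's providers, all registered providers and the providers a given process has registered come back as objects. The regular expressions parse logman's tabular text output and are best-effort; the process name in the usage line is an illustration.

```powershell
# Added example (not from the original page): ETW enumeration with logman.exe.

function Get-EtwSessions {
    # 'logman query -ets' lists the running trace sessions (Data Collector Set / Type / Status).
    # Expect EventLog-Application, EventLog-System and EventLog-Security among them on a healthy host.
    & logman.exe query -ets | ForEach-Object {
        if ($_ -match '^(?<Name>\S.*?)\s{2,}(?<Type>Trace)\s{2,}(?<Status>\S+)\s*$') {
            [pscustomobject]@{ Name = $Matches.Name; Type = $Matches.Type; Status = $Matches.Status }
        }
    }
}

function Get-EtwSessionDetail {
    param([Parameter(Mandatory)][string]$SessionName)
    # Providers (name, GUID, level, keyword mask) the session is subscribed to, plus its output file.
    & logman.exe query $SessionName -ets
}

function Get-EtwProviders {
    # Every registered provider as name + GUID; handy for finding the one to hand to 'logman update'.
    & logman.exe query providers | ForEach-Object {
        if ($_ -match '^(?<Name>.+?)\s+\{(?<Guid>[0-9A-Fa-f-]{36})\}\s*$') {
            [pscustomobject]@{ Provider = $Matches.Name.Trim(); Guid = $Matches.Guid }
        }
    }
}

function Get-ProcessEtwProviders {
    param([Parameter(Mandatory)][string]$ProcessName)
    # 'logman query providers -pid N' lists the providers registered by that process.
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        & logman.exe query providers -pid $p.Id | ForEach-Object {
            if ($_ -match '^(?<Name>.+?)\s+\{(?<Guid>[0-9A-Fa-f-]{36})\}\s*$') {
                [pscustomobject]@{ Pid = $p.Id; Process = $p.Name; Provider = $Matches.Name.Trim(); Guid = $Matches.Guid }
            }
        }
    }
}

# Usage
Get-EtwSessions | Format-Table -AutoSize
Get-EtwSessionDetail -SessionName 'EventLog-Security'
Get-EtwProviders | Where-Object Provider -like '*PowerShell*'
Get-ProcessEtwProviders -ProcessName 'powershell' | Format-Table -AutoSize
```

On Windows 10 and later the EventTracingManagement module offers Get-EtwTraceSession and Get-EtwTraceProvider as a native alternative to the first and third functions; logman is used here because it is present on every supported Windows version and also covers the per-process view.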
Setup Custom Log Tracing
Special thanks to Spotless for his crash course
Query Providers Available and their keyword values
Note: take note of the keyword values (hex) for the events you want; they are needed for the mask in the update step.
Initiate Tracing Session
Update trace with wanted providers
Note: the mask is the bitwise OR of the keyword values you want, not their sum. For example, if one keyword is 0x1 and another is 0x16 and you want both, use 0x17.
Delete Subscription and Providers
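The whole procedure from "Query Providers" through "Delete Subscription", as an added example that is not code from the original page or from Spotless's crash course: inspect a provider, build the keyword mask by bitwise OR, create and start a logman trace, stop it, delete the collector set, and read the resulting .etl. The session name, output folder and the keyword values 0x1 and 0x16 (taken from the note above) are illustrative; use the values logman prints for your provider.

```powershell
# Added example (not from the original page): a custom ETW trace session with logman.exe.

$Session  = 'IR-PowerShellTrace'            # assumed session name
$Provider = 'Microsoft-Windows-PowerShell'
$OutDir   = 'C:\Case\etw'                   # assumed output folder

# 1. Inspect the provider: GUID, keyword names with their hex values, and levels
& logman.exe query providers $Provider

# 2. Combine the wanted keyword values with bitwise OR (0x1 -bor 0x16 = 0x17; adding would be wrong
#    as soon as two keywords share a bit)
function Get-KeywordMask {
    param([Parameter(Mandatory)][uint64[]]$Keyword)
    $mask = [uint64]0
    foreach ($k in $Keyword) { $mask = $mask -bor $k }
    '0x{0:X}' -f $mask
}
$Mask = Get-KeywordMask -Keyword 0x1, 0x16    # 0x17 (illustrative values from the note above)

# 3. Create the data collector set, attach the provider, start tracing
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
& logman.exe create trace $Session -o (Join-Path $OutDir 'trace.etl')
& logman.exe update trace $Session -p $Provider $Mask 5   # -p <provider> <keyword mask> <level>; 5 = Verbose
& logman.exe start $Session
& logman.exe query $Session                                 # confirm the provider, mask and output file

# ... reproduce the activity you want captured ...

# 4. Stop the session (flushes the .etl) and delete the collector set so nothing keeps running
& logman.exe stop $Session
& logman.exe delete $Session

# 5. logman may append a counter to the file name (trace_000001.etl), so glob for it.
#    -Oldest is required when Get-WinEvent reads .etl files.
Get-ChildItem $OutDir -Filter 'trace*.etl' | ForEach-Object {
    Get-WinEvent -Path $_.FullName -Oldest -ErrorAction SilentlyContinue
} | Select-Object -First 20 TimeCreated, Id, ProviderName, Message
```

Level 5 captures everything the provider offers; drop it to 4 (Informational) once you know which keywords matter, since verbose PowerShell tracing on a busy host fills the file quickly.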
Event Log/Tracing Tampering Detection
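As an added example that is not code from the original page: the first checks to run when you suspect the logs themselves were tampered with. Security event 1102 is written when the audit log is cleared and System event 104 when any other channel is cleared; the EventLog-Application, EventLog-System and EventLog-Security trace sessions are what the Windows Event Log service uses to feed those channels, so their absence means the channel has stopped recording even though the service looks healthy. The 30-day window and the list of channels checked for being disabled are assumptions.

```powershell
# Added example (not from the original page): event log and ETW tampering checks.

function Find-LogClearEvents {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    $hits = @()
    # 1102: "The audit log was cleared" (Security);  104: "The <log> log file was cleared" (System)
    $hits += @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue)
    $hits += @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $Since } -ErrorAction SilentlyContinue)
    $hits | Select-Object TimeCreated, LogName, Id, @{ n = 'UserSid'; e = { $_.UserId } }, Message
}

function Test-EventLogSessions {
    # A stopped EventLog-* session silences a channel without leaving a 1102/104 behind.
    $running = (& logman.exe query -ets) -join "`n"
    foreach ($s in 'EventLog-Application', 'EventLog-System', 'EventLog-Security') {
        [pscustomobject]@{ Session = $s; Running = [bool]($running -match [regex]::Escape($s)) }
    }
}

function Test-EventLogService {
    $svc = Get-Service -Name EventLog
    [pscustomobject]@{ Service = 'EventLog'; Status = $svc.Status; StartType = $svc.StartType }
}

function Get-DisabledSecurityChannels {
    # Channels an attacker commonly switches off; extend the pattern to match your telemetry.
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { -not $_.IsEnabled -and $_.LogName -match '^(Security|System|Application|Microsoft-Windows-(PowerShell|Sysmon|Windows Defender|TaskScheduler)/.*)$' } |
        Select-Object LogName, IsEnabled, MaximumSizeInBytes, RecordCount
}

# Usage
Find-LogClearEvents | Format-Table -AutoSize
Test-EventLogSessions | Format-Table -AutoSize
Test-EventLogService
Get-DisabledSecurityChannels | Format-Table -AutoSize
```

None of these checks help if the host was the only copy of its logs: a cleared Security log still yields the 1102, but a session stopped before the attack leaves nothing local to find, which is the argument for forwarding events off the host.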
Timeline Windows Event Logs.
An easy way to explore Windows event logs is to dump them into a normalised CSV format using Eric Zimmerman's EvtxECmd (EvtxExplorer).
From there you can analyse the CSV in Timeline Explorer, filter on the relevant columns and group by the map description that EvtxECmd assigns to each event from its map files.
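The EvtxECmd step above, as an added example that is not code from the original page or from the tool's author: normalise a folder of .evtx to CSV, then do the grouping described above in PowerShell rather than in Timeline Explorer. The tool, input and output paths are assumptions, and the column names (TimeCreated, EventId, Channel, MapDescription, UserName) are those of EvtxECmd's CSV output at the time of writing.

```powershell
# Added example (not from the original page): EvtxECmd to CSV, then summarise by map description.

$EvtxECmd = 'C:\Tools\EvtxECmd\EvtxECmd.exe'   # assumed tool path
$LogDir   = 'C:\Case\Logs\exported'           # assumed folder of .evtx files
$OutDir   = 'C:\Case\Timeline'                # assumed output folder

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
# -d: directory of .evtx; --csv: output folder; --csvf: output file name
& $EvtxECmd -d $LogDir --csv $OutDir --csvf events.csv

function Get-EventSummary {
    param([Parameter(Mandatory)][string]$CsvPath, [int]$Top = 20)
    $events = Import-Csv $CsvPath

    # Which event types are present, by the friendly description EvtxECmd's maps assigned
    $byMap = $events | Group-Object MapDescription | Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name

    # Hourly volume: a gap in an otherwise steady channel is as interesting as a spike
    $byHour = $events | Group-Object { ([datetime]($_.TimeCreated)).ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name | Select-Object Name, Count

    # Unmapped events are the ones the maps have nothing to say about; review them separately
    $unmapped = $events | Where-Object { -not $_.MapDescription } |
        Group-Object Channel, EventId | Sort-Object Count -Descending | Select-Object -First $Top Count, Name

    [pscustomobject]@{ ByMap = $byMap; ByHour = $byHour; Unmapped = $unmapped }
}

$summary = Get-EventSummary -CsvPath (Join-Path $OutDir 'events.csv')
$summary.ByMap    | Format-Table -AutoSize
$summary.ByHour   | Format-Table -AutoSize
$summary.Unmapped | Format-Table -AutoSize

# Example drill-down: successful logons per account, from the same CSV
Import-Csv (Join-Path $OutDir 'events.csv') |
    Where-Object { $_.Channel -eq 'Security' -and $_.EventId -eq '4624' } |
    Group-Object UserName | Sort-Object Count -Descending | Select-Object Count, Name
```

Import-Csv returns every column as a string, which is why the EventId comparison uses '4624' and the timestamp is cast before grouping by hour.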
Super Timeline a host:
This can be done using Plaso (Log2Timeline)
Common IIS logs can often be found in the below locations:
%SystemDrive%\inetpub\logs\LogFiles
%SystemRoot%\System32\LogFiles\W3SVC1
%SystemDrive%\inetpub\logs\LogFiles\W3SVC1
Note: replace 1 with the site ID of your IIS website (shown in the ID column of IIS Manager).
%SystemRoot%\System32\LogFiles\HTTPERR (the HTTP.sys error log: requests rejected before they reached a site, which never appear in the W3SVC logs)
Common Apache logs can often be found in the below locations:
/var/log
/var/log/httpd/access.log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/httpd-access.log
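Once the IIS and Apache logs above are collected they need to be parsed, so here is an added example that is not code from the original page: a parser for IIS's W3C extended format (the `#Fields:` header names the columns, `-` means empty, spaces in user agents are encoded as `+`), a parser for Apache's combined format, and one filter run over both. The log lines are constructed samples, not real traffic, and the "suspicious request" heuristics are illustrative starting points.

```powershell
# Added example (not from the original page): parse IIS W3C and Apache combined logs into one shape.

# Constructed IIS sample (W3C extended format)
$IisSample = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-03-01 00:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2024-03-01 00:00:02 10.0.0.5 POST /upload.aspx - 443 - 203.0.113.9 curl/8.0.1 - 200 0 0 340
2024-03-01 00:00:03 10.0.0.5 GET /uploads/x.aspx cmd=whoami 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 5
'@ -split "`r?`n"

# Constructed Apache sample (combined format)
$ApacheSample = @'
203.0.113.9 - - [01/Mar/2024:00:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [01/Mar/2024:00:00:03 +0000] "GET /cgi-bin/test.cgi?cmd=id HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.7 - - [01/Mar/2024:00:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2211 "-" "curl/8.0.1"
'@ -split "`r?`n"

function ConvertFrom-IisLog {
    param([Parameter(Mandatory)][string[]]$Line)
    $fields = $null
    foreach ($l in $Line) {
        # A new '#Fields:' line can appear mid-file (after an IIS restart) and may change the columns
        if ($l -like '#Fields:*') { $fields = $l.Substring(8).Trim() -split ' '; continue }
        if ($l -like '#*' -or -not $l.Trim() -or -not $fields) { continue }
        $values = $l -split ' '
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $v = if ($i -lt $values.Count) { $values[$i] } else { '-' }
            $obj[$fields[$i]] = if ($v -eq '-') { $null } else { $v }
        }
        [pscustomobject]$obj
    }
}

$ApacheRegex = '^(?<c_ip>\S+) \S+ (?<user>\S+) \[(?<time>[^\]]+)\] "(?<method>\S+) (?<uri>\S+)(?: (?<proto>[^"]*))?" (?<status>\d{3}) (?<bytes>\S+)(?: "(?<referer>[^"]*)" "(?<ua>[^"]*)")?'

function ConvertFrom-ApacheLog {
    param([Parameter(Mandatory)][string[]]$Line)
    foreach ($l in $Line) {
        if ($l -notmatch $ApacheRegex) { continue }
        $stem, $query = $Matches.uri -split '\?', 2
        $clock, $offset = $Matches.time -split ' ', 2      # offset kept as text; not applied
        # Reuse the IIS field names so one filter works on both formats
        [pscustomobject]@{
            time             = [datetime]::ParseExact($clock, 'dd/MMM/yyyy:HH:mm:ss', [cultureinfo]::InvariantCulture)
            'tz-offset'      = $offset
            'c-ip'           = $Matches.c_ip
            'cs-method'      = $Matches.method
            'cs-uri-stem'    = $stem
            'cs-uri-query'   = $query
            'sc-status'      = [int]$Matches.status
            'cs(User-Agent)' = $Matches.ua
        }
    }
}

function Find-SuspiciousRequests {
    param([Parameter(Mandatory)][object[]]$Request)
    $Request | Where-Object {
        $_.'cs-uri-query' -match '(^|&)(cmd|exec|command)=' -or
        ($_.'cs-method' -eq 'POST' -and $_.'cs-uri-stem' -match '\.(aspx?|php|jsp)$' -and $_.'cs(User-Agent)' -notmatch '^Mozilla') -or
        [int]$_.'sc-status' -ge 500
    }
}

$iis    = ConvertFrom-IisLog    -Line $IisSample
$apache = ConvertFrom-ApacheLog -Line $ApacheSample
Find-SuspiciousRequests -Request ($iis + $apache) |
    Format-Table 'c-ip', 'cs-method', 'cs-uri-stem', 'cs-uri-query', 'sc-status', 'cs(User-Agent)' -AutoSize
```

Against the constructed samples the filter returns the two `cmd=` requests, the POST to /upload.aspx from curl and the POST to /wp-login.php; the point is the common field names, which let one set of hunting rules run over both log sources.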
Other logs can be found in the below, often using the Event Trace Log (ETL) format:
C:\Windows\System32\LogFiles
C:\Windows\Panther
ETL files can be parsed with tracerpt, which is included in Windows; some examples are below.
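The tracerpt step above, as an added example that is not code from the original page: convert every .etl under a directory to CSV, XML or EVTX, write a per-file summary first so you know which files are worth decoding, and read individual files directly with Get-WinEvent. Source and destination paths are assumptions.

```powershell
# Added example (not from the original page): bulk-convert and read .etl files.

function Convert-EtlDirectory {
    param(
        [Parameter(Mandatory)][string]$Source,        # e.g. C:\Windows\System32\LogFiles or C:\Windows\Panther
        [Parameter(Mandatory)][string]$Destination,
        [ValidateSet('CSV', 'XML', 'EVTX')][string]$Format = 'CSV'
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    foreach ($etl in Get-ChildItem $Source -Filter *.etl -Recurse -ErrorAction SilentlyContinue) {
        # -summary: provider and event counts per file, cheap to produce and a good triage signal
        & tracerpt.exe $etl.FullName -summary (Join-Path $Destination ($etl.BaseName + '.summary.txt')) -y
        # -o <file> -of <format>: decoded events; -y overwrites without prompting
        $out = Join-Path $Destination ($etl.BaseName + '.' + $Format.ToLower())
        & tracerpt.exe $etl.FullName -o $out -of $Format -y
    }
}

function Get-EtlEvents {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ProviderName,      # wildcard, e.g. '*Kernel*'
        [int]$Max = 100
    )
    # Get-WinEvent reads .etl directly; -Oldest is mandatory for ETL files
    $events = Get-WinEvent -Path $Path -Oldest -ErrorAction SilentlyContinue
    if ($ProviderName) { $events = $events | Where-Object ProviderName -like $ProviderName }
    $events | Select-Object -First $Max TimeCreated, ProviderName, Id, Level, Message
}

# Usage
Convert-EtlDirectory -Source 'C:\Windows\Panther' -Destination 'C:\Case\etl' -Format CSV
Get-EtlEvents -Path 'C:\Windows\Panther\setup.etl' -ProviderName '*Setup*' | Format-Table -AutoSize
```

Both tracerpt and Get-WinEvent decode events with the provider manifests registered on the machine doing the parsing; an .etl copied from another host may come out as raw event IDs with empty messages, in which case parse it on a host with the same Windows build, or keep the XML output, which retains the raw payload.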
Software specific logs are often stored in readable formats at any of the following locations.
You may also find useful memory crashdumps at the below: