Windows Log Shuttle: A Simple and Convenient Windows Log Analysis Tool

The Windows system will save some key operations to logs, and the directory for saving log files is generally in the “C:/windows/system32/winevt/logs” directory (the storage location may be slightly different for older versions such as Windows 2000/Server 2003/Windows XP).

We can view it through the built-in event viewer on Windows. Run the command “eventvwr. msc” to open the event viewer, as shown in the following figure:

The logs for Windows Core include:

System log, which records events and error information during system operation. It can help users understand the operating status of the system and identify system faults and errors. For example, when the system starts, the system log will record events during the startup process, including hardware detection, driver loading, etc., so that users can understand the situation of the system startup.

Security log, which records events related to system security, such as user login, account permission changes, and modifications to security policies. It can help users monitor the security of the system, detect abnormal behavior and security threats in a timely manner. For example, when a user attempts to log in multiple times but fails, the security log will record this event and remind the user to be aware of possible intrusion behavior.

Application log, which records events and error information during the operation of an application. It can help users identify application crashes, errors, and warnings, as well as track the running status of applications. For example, when an application crashes, the application log will record the cause of the crash for users to fix.

In addition, for example, PowerShell logs will be saved in the following file.

Windows PowerShell.evtx

Microsoft Windows PowerShell% 4Admin.evtx

Microsoft Windows PowerShell% 4Operational. evtx

There are some important event IDs that need to be addressed in emergency response analysis:

4624, account login successful, there are also many types of subdivisions in this. For example, type 2 is interactive login, type 10 is remote interactive login, and so on

4625, account login failed

4616, System Time Change Event

1102, event log cleared event

and so on

Returning to our topic, the reason why we need a Windows log shuttle is because during an internal attack and defense drill, we received feedback from colleagues that the company had a ransomware server that needed immediate response. As a result, we were a bit confused when we started using the computer. In the usual alarm response process, we often analyzed the problematic machine through existing security systems, such as using NTA (Network Threat Analysis System) to observe the network request situation at the time of the alarm, which can easily analyze the network connection situation at that time, where the attack came from and went, and combined with HIDS (Host Intrusion Detection System) to trigger the alarm, we can roughly see the entire event.
As a result, during the drill, the drill preparer put the attack machine on the same network segment, and then NTA went blind directly (NTA did not monitor east-west traffic). HIDS did not awesome at this time, and did not record the IP status of the attacker’s login, so he had to force himself to check the Windows log record one by one. After this, he made up his mind secretly to have the whole tool. When encountering similar problems in the future, he would directly take a shuttle instead of checking one by one.

There are many excellent tools on the market for viewing Windows logs, such as:

LogParser is a log analysis tool provided by Microsoft that supports powerful query functions and can export log files, XML files, and CSV files.

FullEventLogView is also an official event log viewing tool that uses a graphical interface.

But the author felt that it was too powerful and not concise enough, so he started writing his own Windows log analysis tool, committed to simplifying Windows log analysis work as much as possible, accumulating more rules in daily life, and not caring about anything during wartime, just shuttling through it.

The so-called shuttle means, don’t make me think, I’ll give you the log, and you can give me the result directly, as follows:

动图封面

The tool will automatically parse the key events that need attention (the built-in parsed EventIDs are gradually being improved. If there are any EventIDs that need attention that are not built-in in the tool, you can provide feedback to the author)
Some key events that require attention are as follows:

400 PowerShell Execution Command Record(

  • 4624
  • 4624 vm-agent,
  • 1102Log cleared


There are more analysis events waiting for everyone to explore.

In addition to the built-in event parsing, if you have any unspoken rules (shh, you still hope to tell me and add them to the built-in rules), you can also customize the rules.
Double click the “Custom Event” button to open the custom rule file. The rule format is as follows:
Event ID/Event Description/[Match Regular]
For example, to match the event where the log with event ID 1102 is cleared, the rule is: 1102/Log cleared (regular can be ignored, not mandatory)
For example, to match the user login log with event ID 4624 and match the user’s IP, the rule is: 4624/user login/\ d {1,3} \ \D {1,3} \ \D {1,3} \ \D {1,3} (Note that the last paragraph is a regular expression. If there are characters that match the regular expression, \ needs to be used for escape)
For example, if I don’t know the event ID, I only know the keywords. This can be done as follows: 0/wildcard/192 . 168 . 1 . 1 (0 represents wildcard, matches all event IDs, followed by the regular IP address to be matched, and only when it is hit will it be displayed in the tool)

动图封面


If you feel that viewing events in the tool is too simplistic and lacks details, you can also right-click on the event to view details.

动图封面


At the same time, you can also save the logs to a CSV file for detailed viewing

动图封面



Leave a Reply

Your email address will not be published. Required fields are marked *