Filtering Windows' event logs properly, is it possible?

[KaoDome]

I want to track process creation on Windows, with their launching arguments, and from what I could see it is possible natively enabling event ID 4688, but I am having trouble processing what it is being logged.

It is a single local machine, so I don't have anything fancy to analyze those event logs. Searching on Google I got to software from various companies that deal in that, ingesting logs from multiple sources even, but not only it would be an overkill, I don't have a license for any.

The problem I have is noise basically, an abundance of entries. The native Windows Event Viewer does offer some filtering, but I don't think it could have been any simpler 😞, one can choose to only see 4688s, but that's about it, no way to even exclude by path or image name. I thought the "keywords" field could allow me to do it, but it is something else (outcome of the event trigger it seems).

Since some of you guys are sysadmins, I thought of asking, perhaps you had wanted to do this at some point or filter similar event logs and know how it could be done. I could filter by time, but it would be limiting either way, if at all possible I would prefer having those events logged at all times.

Stumbled upon another option to accomplish the logging that involves running the process(es) under a debugger of sorts that hooks the APIs you want, in this case it would be those that lead to the creation of a new process, and then see those calls and the parameters used ... Nuts. I think it is better to filter what Windows logs instead.

Thanks anyway!

[satukoro]

On 12/10/2023 at 13:59, KaoDome said:

I want to track process creation on Windows, with their launching arguments, and from what I could see it is possible natively enabling event ID 4688, but I am having trouble processing what it is being logged.

It is a single local machine, so I don't have anything fancy to analyze those event logs. Searching on Google I got to software from various companies that deal in that, ingesting logs from multiple sources even, but not only it would be an overkill, I don't have a license for any.

The problem I have is noise basically, an abundance of entries. The native Windows Event Viewer does offer some filtering, but I don't think it could have been any simpler 😞, one can choose to only see 4688s, but that's about it, no way to even exclude by path or image name. I thought the "keywords" field could allow me to do it, but it is something else (outcome of the event trigger it seems).

Since some of you guys are sysadmins, I thought of asking, perhaps you had wanted to do this at some point or filter similar event logs and know how it could be done. I could filter by time, but it would be limiting either way, if at all possible I would prefer having those events logged at all times.

Stumbled upon another option to accomplish the logging that involves running the process(es) under a debugger of sorts that hooks the APIs you want, in this case it would be those that lead to the creation of a new process, and then see those calls and the parameters used ... Nuts. I think it is better to filter what Windows logs instead.

Thanks anyway!

How familiar are you with Powershell? We utilize powershell to interpret the event log on our domain controllers to fire off emails to our admin team when users get created or deleted in the domain (among many many other things).

Depending on how you want to filter your event log, you could do something like this:

get-eventlog -logname security -instanceid 4688 | where {$_.message -match 'yourmatchstring'}

Then once you have the data you want, you can either dump it into a CSV or text doc or something on your pc. If you wanted it to run when an event is generated, then parse the event that is generated for relevant information before dumping it, you can utilize the task scheduler.

 

If you give me some more information about what you're trying to parse from those events we can work on putting together the relevant powershell script + task schedule.

[Big Red]

Have you tried Process Monitor? It has a lot of filtering options. E.g. to only see process creations specify "Operation" "Is" "Process Create." The results can of course be filtered further.