How can I filter system log messages so that I only get the ones I am interested in on Windows 10?
Windows does not use syslog to store information about system events such as user identification / authentication.
However, it does have a system event log, which can be viewed with the Windows Event Viewer.
See Filter by Event ID for instructions on how to filter for specific events.
To track user identification / authentication, you need to look for the following events:
Windows 4624 An account was successfully logged on
Windows 4625 An account failed to log on
Windows 4626 User/Device claims information
Windows 4627 Group membership information.
Windows 4634 An account was logged off
Windows 4646 IKE DoS-prevention mode started
Windows 4647 User initiated logoff
Windows 4648 A logon was attempted using explicit credentials
Windows 4649 A replay attack was detected
Windows 4650 An IPsec Main Mode security association was established
Windows 4651 An IPsec Main Mode security association was established
Windows 4652 An IPsec Main Mode negotiation failed
Windows 4653 An IPsec Main Mode negotiation failed
Windows 4654 An IPsec Quick Mode negotiation failed
Windows 4655 An IPsec Main Mode security association ended
Windows 4672 Special privileges assigned to new logon
Windows 4675 SIDs were filtered
Windows 4778 A session was reconnected to a Window Station
Windows 4779 A session was disconnected from a Window Station
Windows 4800 The workstation was locked
Windows 4801 The workstation was unlocked
Windows 4802 The screen saver was invoked
Windows 4803 The screen saver was dismissed
Windows 4964 Special groups have been assigned to a new logon
Windows 4976 During Main Mode negotiation, IPsec received an invalid negotiation packet.
Windows 4977 During Quick Mode negotiation, IPsec received an invalid negotiation packet.
Windows 4978 During Extended Mode negotiation, IPsec received an invalid negotiation packet.
Windows 4979 IPsec Main Mode and Extended Mode security associations were established.
Windows 4980 IPsec Main Mode and Extended Mode security associations were established
Windows 4981 IPsec Main Mode and Extended Mode security associations were established
Windows 4982 IPsec Main Mode and Extended Mode security associations were established
Windows 4983 An IPsec Extended Mode negotiation failed
Windows 4984 An IPsec Extended Mode negotiation failed
Windows 5378 The requested credentials delegation was disallowed by policy
Windows 5451 An IPsec Quick Mode security association was established
Windows 5452 An IPsec Quick Mode security association ended
Windows 5453 An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started
Windows 5632 A request was made to authenticate to a wireless network
Windows 5633 A request was made to authenticate to a wired network
Windows 6272 Network Policy Server granted access to a user
Windows 6273 Network Policy Server denied access to a user
Windows 6274 Network Policy Server discarded the request for a user
Windows 6275 Network Policy Server discarded the accounting request for a user
Windows 6276 Network Policy Server quarantined a user
Windows 6277 Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy
Windows 6278 Network Policy Server granted full access to a user because the host met the defined health policy
Windows 6279 Network Policy Server locked the user account due to repeated failed authentication attempts
Windows 6280 Network Policy Server unlocked the user account
Source: Windows Security Log Encyclopedia, filtered by "Logon/Logoff" and "Win2008, Win2012R2, Win2016 and Win10+"
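The same ID filter can be applied from PowerShell instead of the Event Viewer GUI. The script below is an added example, not part of the original answer; the subset of IDs, the 24-hour window and the field names it pulls out are assumptions chosen for illustration, and it assumes an elevated PowerShell session on Windows 10 because the Security log is not readable by standard users.

```powershell
# Added example: pull only logon/logoff events from the Security log and
# summarise them with Get-WinEvent and a filter hashtable.
# Assumption: run from an elevated PowerShell session (administrator rights
# are required to read the Security log).

# Subset of the IDs listed in the answer above; extend as needed.
$logonIds = 4624, 4625, 4634, 4647, 4648, 4672, 4800, 4801

$filter = @{
    LogName   = 'Security'
    Id        = $logonIds
    StartTime = (Get-Date).AddDays(-1)   # last 24 hours (assumed window)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Read named fields from the event XML rather than parsing the Message text;
# not every ID carries every field (4672 has SubjectUserName, not TargetUserName),
# so missing fields simply come back empty.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        User      = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        LogonType = $data['LogonType']   # 2 interactive, 3 network, 10 RDP, ...
        Source    = $data['IpAddress']
    }
}

# Chronological view of everything that matched.
$rows | Sort-Object Time | Format-Table -AutoSize

# Failed logons (4625) grouped by account: a quick check for repeated failures
# against one account or many accounts.
$rows | Where-Object Id -eq 4625 |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name

# The equivalent XPath filter, which can also be pasted into
# Event Viewer -> Filter Current Log -> XML tab.
$xpath = "*[System[(EventID=4624 or EventID=4625 or EventID=4634 or EventID=4647)]]"
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 20
```

Audit policy must actually be enabled for these IDs to appear; a log with no 4624/4625 entries usually means "Audit Logon" is off rather than that nobody logged on.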