
About collecting Windows logs

Author: Internet

1. I was recently dealing with a Windows Remote Desktop login failure that showed [An internal error has occurred].

2. I opened a case with Microsoft, and they provided the following trace collection steps; I am recording them here.

Part 1: Installing and using the Netmon trace

You can download Network Monitor 3.4 (NetMon) from the following site, then run the installer as administrator to install the netmon tool:
Download Microsoft Network Monitor 3.4 (archive) from Official Microsoft Download Center

CAPI2 log:
You need to enable the CAPI2 log on both the client and the failing server before capturing data, because the CAPI2 event log is disabled by default.
Open Event Viewer, expand Application and Services Logs – Microsoft – Windows – CAPI2. Right-click Operational and select Properties, then enable the log.

Steps:

  1. Start the netmon capture (see Part 2, Network Monitor capture) and, on both the client and the server, right-click the RDS tracing tool and run it as administrator (screenshots were to be added here):
    Client:

    Server:

  2. Run the Schannel etl trace on the client and on the server:
    Open CMD as administrator and run the following commands to start the schannel etl trace:

logman create trace "ds_security" -ow -o c:/ds_security.etl -p {37D2C3CD-C5D4-4587-8531-4696C44244C8} 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 40960 -ets
logman update trace "ds_security" -p {1F678132-5938-4686-9FDC-C8FF68F15C85} 0xffffffffffffffff 0xff -ets
logman update trace "ds_security" -p {44492B72-A8E2-4F20-B0AE-F1D437657C92} 0xffffffffffffffff 0xff -ets
logman update trace "ds_security" -p "Schannel" 0xffffffffffffffff 0xff -ets

  3. From the client, connect to the failing 2019 VM over Remote Desktop to reproduce the remote login failure.

  4. Run the following command on both the client and the server to stop the schannel etl trace:
    logman stop "ds_security" -ets

The Schannel etl trace will be saved as c:/ds_security.etl

  5. Stop RDS tracing and Network Monitor on both the client and the server.

Then upload the following logs to the workspace:
Log summary:
Client:
• netmon trace
• CAPI2 Event log
• Schannel etl
• RDS tracing logs
• all logs in this directory:
C:/Windows/System32/winevt/Logs

Failing w2019 VM:
• netmon trace
• CAPI2 Event log
• Schannel etl
• RDS tracing logs
• all logs in this directory:
C:/Windows/System32/winevt/Logs
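As an added example that is not part of the original post or Microsoft's instructions, the following PowerShell script wraps the manual steps of Part 1 into one tool: it enables the CAPI2 Operational log, starts and later stops the ds_security Schannel trace with the same four providers quoted above, and gathers the ETL file, the CAPI2 log and the winevt log folder into one directory for upload. The script name collect.ps1 and the output folder C:\rdp_case are assumptions; run it from an elevated PowerShell on the client and on the server.

```powershell
# Added example (not from the original post): automates the Part 1 steps.
# Assumptions: elevated PowerShell; $OutDir is a constructed collection folder.
param(
    [ValidateSet('start', 'stop')] [string]$Action = 'start',
    [string]$OutDir = 'C:\rdp_case'   # constructed path, not from the post
)
$TraceName = 'ds_security'
$Etl       = 'c:\ds_security.etl'    # same file the post's logman command writes
$Capi2Log  = 'Microsoft-Windows-CAPI2/Operational'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

if ($Action -eq 'start') {
    # CAPI2 Operational is disabled by default; enable it before reproducing.
    wevtutil set-log $Capi2Log /enabled:true
    # Same session as the post: circular 40 MB buffer, four Schannel providers.
    # Masks are quoted so PowerShell passes them to logman as literal text.
    logman create trace $TraceName -ow -o $Etl -p '{37D2C3CD-C5D4-4587-8531-4696C44244C8}' '0xffffffffffffffff' '0xff' -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 40960 -ets
    logman update trace $TraceName -p '{1F678132-5938-4686-9FDC-C8FF68F15C85}' '0xffffffffffffffff' '0xff' -ets
    logman update trace $TraceName -p '{44492B72-A8E2-4F20-B0AE-F1D437657C92}' '0xffffffffffffffff' '0xff' -ets
    logman update trace $TraceName -p 'Schannel' '0xffffffffffffffff' '0xff' -ets
    Write-Host "Trace running. Reproduce the RDP failure, then run: .\collect.ps1 -Action stop"
}
else {
    # Stop the ETW session; the ETL is flushed to $Etl.
    logman stop $TraceName -ets
    # Export the CAPI2 channel and copy the ETL plus every winevt channel file.
    wevtutil export-log $Capi2Log (Join-Path $OutDir 'CAPI2-Operational.evtx')
    Copy-Item $Etl $OutDir -Force
    $EvtDir = Join-Path $OutDir 'winevt'
    New-Item -ItemType Directory -Force -Path $EvtDir | Out-Null
    Copy-Item "$env:SystemRoot\System32\winevt\Logs\*.evtx" $EvtDir -Force -ErrorAction Continue
    # List what was gathered so the upload can be checked against the post's list.
    Get-ChildItem -Recurse -File $OutDir | Select-Object FullName, Length | Format-Table -AutoSize
}
```

The netmon capture and the RDS tracing tool are still started and stopped by hand as described in steps 1 and 5; the script only covers the CAPI2, Schannel and winevt pieces.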

Part 2: Installing and using the Network Monitor capture

About how to capture Network Monitor traffic:
1. Choose the version for your system, download it and install it with the default options: Download Microsoft Network Monitor 3.4 (archive) from Official Microsoft Download Center
2. Run Network Monitor as administrator.

3. In the bottom left-hand corner, choose the NIC or NICs you want to capture on.

4. Run the command ipconfig /flushdns to clear the DNS cache.

5. Then start the capture and reproduce the issue. After the necessary information has been collected, click Stop.

6. Save the captured files and upload them via the case link below.

Tags: security, collection, trace, windows, logs, ds, etl, client
Source: https://blog.csdn.net/hbhe0316/article/details/121089815