Re: Event log counts...

[Jean François Quéralt <JFQueralt () EscuelaEuropea org>]

Hi to everyone.

My first idea would be to create a Win2K Service with WMI support. You could
then create a WMI event handler and attach it to the EventLog WMI interface.
Thus, each time a new event is generated you can extract it´s data and send
it to your syslog in whatever format you want.
I don´t know how much CPU-consuming (and network) would be this solution but
it´s a good approach and you don´t have to take care on how big your events
logs are.
Another solution would be avoiding the WMI event handler and instead create
a timer inside your service who would check your Event Logs. If you make
some tests I´m sure you would find a way to reach a performant service.

Hope that helped.

Jean

----- Original Message ----- 
From: "Ryan Murphy" <RMurphy () irvinecompany com>
To: <security-basics () securityfocus com>
Sent: Tuesday, December 14, 2004 6:54 PM
Subject: Event log counts...


> List,
>
> I am currently working on implementing a windows syslog solution in which
> Win2k servers will dump their application/system/security event logs to a
> (likely Kiwi) syslog server in our environment. One of the questions that
> needs to get answered in order to implement such a solution is "How many
> total event log entries are we generating per minute/hour/day/week/month
> across all 200 of our servers?" I'm currently at a loss as to how to
answer
> this question, and so I'm turning to the list for ideas. At first, I was
> thinking about just picking a small representative sample of our servers,
> and counting the number of events generated in a set period of time.
> However, I've had a very hard time picking a small representative sample
of
> our overall server farm, and from my (albeit somewhat limited) research
into
> this avenue, there doesn't appear to be one. Is there a way that I could
> query this kind of information somewhere in Windows? In the AD? NetIQ App
> Manager? Do you guys know of any sort of utility that I could load that
> would help me determine event counts? Should I write my own? Could I find
> this information by querying WMI in a small VB app or something?
>
> You ideas and suggestions are greatly appreciated.
>
> Thanks,
>
> Ryan
>
>
>
> =============================
> Notice to recipient:  This e-mail is meant for only the intended recipient
> of the transmission, and may be a confidential communication or a
> communication privileged by law.  If you received this e-mail in error,
any
> review, use, dissemination, distribution, or copying of this e-mail is
> strictly prohibited.  Please notify us immediately of the error by return
> e-mail and please delete this message from your system.  Thank you in
> advance for your cooperation.