Firewall Wizards mailing list archives
Re: NT Log Files
From: "Dave Gillett" <davidg () genmagic com>
Date: Mon, 2 Aug 1999 13:23:19 -0700
On 30 Jul 99, at 12:36, Marcus J. Ranum wrote:
> A while back there was a thread started by MJR, I believe, that included discussion of NT log files and the possible ways to monitor them. I searched the archive for info, but was unable to locate the thread.

> Short summary: I got the O'Reilly book on NT logging and read it. It turns out that NT logs are stored with application specific codings based on the DLLs that are installed on the system generating the logs. This is done for internationalization, so it makes sense but it's a pain. The only way to "resolve" the coded logs into text reliably is to do it on the machine where the logs were generated. My idea had been to push the logs to someplace else and then process them en masse. No dice.
Since the log records include "source name" and "event number" fields, it's not absolutely necessary to resolve these back to textual messages in order to store or summarize them -- and, in fact, doing so produces a whole lot of redundant text which (luckily) will compress fairly well.
There is a tool out there that resolves the logs into text and pushes them to "loghost" via UNIX syslog calls. There are a couple versions of such things floating around. One is http://www.adiscon.com/EvntSLog/main.asp
Someone has already mentioned the "dumpel" tool that comes in the resource kit. At one point, we licensed a product called "dumpevt" which claims to correct several deficiencies in "dumpel"; with a small suite of batch files, that covered us until we were able to get around to writing our own tool.
There is a syslogd for NT http://www.netal.com/SL4NT03.htm
Version 1.1 stopped working when we installed SP5 on that server, but upgrading to 1.3 fixed it.

David G
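As an added example that is not part of this thread: a small Python summariser that works purely from the coded "source name" and "event number" fields Dave describes, and resolves them to text only when a message table from the originating machine is supplied. The tab-separated export layout, the sample records and the message table are constructed for the example, not real dumpel or dumpevt output.

```python
"""Summarise exported NT event log records by (source, event id).

Constructed input format (not real dumpel output): one record per line,
tab-separated fields: date, time, event id, source, computer, message.
The message field is blank when the record could not be resolved away
from the machine whose DLLs hold the message templates.
"""
from collections import defaultdict

# Constructed sample export; the blank last field models unresolved records.
SAMPLE_EXPORT = """\
1999-08-02\t13:01:05\t529\tSecurity\tNTSRV1\t
1999-08-02\t13:01:07\t529\tSecurity\tNTSRV1\t
1999-08-02\t13:02:40\t6005\tEventLog\tNTSRV1\tThe Event log service was started.
1999-08-02\t13:05:11\t529\tSecurity\tNTSRV1\t
1999-08-02\t13:06:00\t7023\tService Control Manager\tNTSRV1\t
"""


def parse_records(text):
    """Yield (timestamp, event_id, source, computer, message) per record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, source, computer, message = line.split("\t", 5)
        yield (f"{date} {time}", int(event_id), source, computer, message)


def summarize(text):
    """Count events per (source, event id); no message text is required."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ts, event_id, source, _computer, _message in parse_records(text):
        entry = summary[(source, event_id)]
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(summary)


def describe(source, event_id, message_table):
    """Resolve to text only with a table exported from the originating host;
    otherwise keep the compact source/id key, which is enough to summarise."""
    return message_table.get((source, event_id), f"{source}/{event_id}")


if __name__ == "__main__":
    # Hypothetical message table, as it would be built on the log source itself.
    table = {("Security", 529): "Logon failure: unknown user name or bad password"}
    for (source, event_id), entry in sorted(summarize(SAMPLE_EXPORT).items()):
        print(f"{entry['count']:4d}  {describe(source, event_id, table)}  "
              f"{entry['first']} .. {entry['last']}")
```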