Firewall Wizards mailing list archives
RE: NT Log Files
From: Henry Sieff <hsieff () orthodon com>
Date: Mon, 2 Aug 1999 09:28:35 -0500
-----Original Message-----
From: Chris Brenton [mailto:cbrenton () sover net]
Sent: Friday, July 30, 1999 2:10 PM
To: Buckley, Neil
Cc: firewall-wizards () nfr net
Subject: Re: NT Log Files

"Buckley, Neil" wrote:
> A while back there was a thread started by MJR, I believe, that included discussion of NT log files and the possible ways to monitor them. I searched the archive for info, but was unable to locate the thread. If anyone has any info on how this might be done, or pointers to any technical data that they could send me that would be great.

Funny you should ask, I just finished working on a SANS Webcast that will touch on that very subject. ;)

You have a couple of options. First you could grab a copy of dumpel.exe from the NT Resource Kit (it may even be up on the MS web site). Something like:

dumpel -L security -f security.txt -s SERVER1 -c

will grab a copy of the EV security log from the server named SERVER1 and dump it in comma delimited format to security.txt. You can then import the file into your favorite spreadsheet or database program.

If you are focused on logon/logoff information, check out: http://www.ntobjectives.com

JD has a command line and a GUI tool (not sure if the GUI is released yet) for extracting logon information from the log. Cool stuff, very efficient. I also hear he's working on a syslogd type of process which will let you export the logs in native format to a logging server. Not sure if it's done yet or not.
Must be something in the air, because I have just started working on a log management system for my NT network. The O'Reilly book is great, and has some excellent code samples for accessing the event log functions in advapi32.dll. If you want a premade solution, Aelita makes a cool one: http://www.aelita.com and look for EventAdmin. This allows you to schedule log collection: the logs are collected into an Access .mdb; however, it is pricey and (imho) does TOO much of the thinking for you. Dumpel will convert to text, but you have to then get the text into a database format, which is not as easy as it should be. Having everything done as syslog is possible, and may be the best solution. http://www.addison.com and http://www.heysoft.com also have some useful utils.

--
Henry Sieff
Netwerküberkommander
Orthodontic Centers of America
(504) 834-4392 ext.135
Cheers,
Chris

--
**************************************
cbrenton () sover net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
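The thread leaves two gaps for anyone doing this on a budget: getting the comma-delimited dumpel output into a database, and then actually asking it something useful. The script below is an added example, not code from either poster or from any of the tools they mention. It assumes (this is not confirmed by the post) that dumpel -c emits one event per line with the columns date, time, type, category, event ID, source, user, computer and description, that the type column carries the raw Win32 EVENTLOG_* bit values (8 = Success Audit, 16 = Failure Audit), and that NT 4 event 529 (logon failure) puts the attempted account name first in its description strings. The sample lines are constructed for illustration. It loads the export into SQLite and reports accounts with repeated failed logons, the kind of check a log-monitoring setup would run after each collection.

```python
import csv
import io
import sqlite3

# Assumed dumpel -c column layout (not stated in the thread; adjust to match
# a real export before relying on it).
COLUMNS = ["date", "time", "type", "category", "event_id",
           "source", "user", "computer", "description"]

# Win32 EVENTLOG_* type values as assumed to appear in the type column.
EVENT_TYPE = {1: "Error", 2: "Warning", 4: "Information",
              8: "Success Audit", 16: "Failure Audit"}

# Constructed sample of dumpel -c output; not a real capture.
SAMPLE = """\
7/30/1999,2:10:15 PM,8,2,528,Security,NT AUTHORITY\\SYSTEM,SERVER1,alice ORTHO 2 User32 WKS01
7/30/1999,2:11:02 PM,16,2,529,Security,NT AUTHORITY\\SYSTEM,SERVER1,bob ORTHO 2 User32 WKS07
7/30/1999,2:11:05 PM,16,2,529,Security,NT AUTHORITY\\SYSTEM,SERVER1,bob ORTHO 2 User32 WKS07
7/30/1999,2:11:09 PM,16,2,529,Security,NT AUTHORITY\\SYSTEM,SERVER1,bob ORTHO 2 User32 WKS07
7/30/1999,2:15:40 PM,8,2,538,Security,NT AUTHORITY\\SYSTEM,SERVER1,alice ORTHO 2
"""


def parse_dumpel(text):
    """Turn dumpel -c text into a list of dicts, one per event."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) < len(COLUMNS):
            continue  # skip blank or truncated lines rather than crash
        row = dict(zip(COLUMNS, fields))
        row["type"] = int(row["type"])
        row["event_id"] = int(row["event_id"])
        row["type_name"] = EVENT_TYPE.get(row["type"], "Unknown")
        # Assumption: for logon events the first description token is the
        # account name that was attempted.
        row["account"] = row["description"].split()[0] if row["description"] else ""
        rows.append(row)
    return rows


def load_sqlite(rows, path=":memory:"):
    """Load parsed events into a SQLite table and return the connection."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS events (
        date TEXT, time TEXT, type INTEGER, type_name TEXT, category TEXT,
        event_id INTEGER, source TEXT, user TEXT, computer TEXT,
        account TEXT, description TEXT)""")
    conn.executemany(
        "INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?,?,?)",
        [(r["date"], r["time"], r["type"], r["type_name"], r["category"],
          r["event_id"], r["source"], r["user"], r["computer"],
          r["account"], r["description"]) for r in rows])
    conn.commit()
    return conn


def failed_logons_by_account(conn, threshold=3):
    """Accounts with at least `threshold` failure audits for event 529."""
    cur = conn.execute(
        "SELECT account, COUNT(*) AS n FROM events "
        "WHERE type = 16 AND event_id = 529 "
        "GROUP BY account HAVING n >= ? ORDER BY n DESC, account",
        (threshold,))
    return cur.fetchall()


if __name__ == "__main__":
    events = parse_dumpel(SAMPLE)
    db = load_sqlite(events)
    for account, count in failed_logons_by_account(db):
        print(f"{account}: {count} failed logons")
```

Pointing load_sqlite at a file path instead of ":memory:" gives a database that survives across collection runs, so repeated dumpel exports accumulate and the same query covers a longer window.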