RE: NT Log Files

[Henry Sieff <hsieff () orthodon com>]

> -----Original Message-----
> From: Chris Brenton [mailto:cbrenton () sover net]
> Sent: Friday, July 30, 1999 2:10 PM
> To: Buckley, Neil
> Cc: firewall-wizards () nfr net
> Subject: Re: NT Log Files
>
>
> "Buckley, Neil" wrote:
> > A while back there was a thread started by MJR, I believe, 
> that included
> > discussion of NT log files and the possible ways to monitor them.  I
> > searched the archive for info, but was unable to locate the 
> thread.  If
> > anyone has any info on how this might be done, or pointers 
> to any technical
> > data that they could send me that would be great.
>
> Funny you should ask, I just finished working on a SANS Webcast that
> will touch on that very subject. ;)
>
> You have a couple of options, First you could grab a copy of 
> dumpel.exe
> from the NT Resource kit (it may even be up on the MS web site).
> Something like:
> dumpel -L security -f security.txt -s SERVER1 -c
>
> will grab a copy of the EV security log from the server named SERVER1
> and dump it in comma delimited format to security.txt. You can then
> import the file to your favorite spreadsheet or database program.
>
> If you are focused on logon/logoff information, check out:
> http://www.ntobjectives.com
>
> JD has a command line and a GUI tool (not sure if the GUI is released
> yet) for extracting logon information from the log. Cools stuff, very
> efficient.
>
> I also hear he's working on a syslogd type of process which 
> will let you
> export the logs in native format to a logging server. Not sure if its
> done yet or not.

Must be somethin in the air, because I have just started working on 
a log management system for my NT network. The O'Reily book is great, and
has some excellent code sample for accessing the event log functions
in advapi32.dll. If you want a premade solution, aelita makes a cool one:
http://www.aelita.com and look for eventadmin.  This allows you to sechedule
log collection: the logs are collected into an Access.mdb- however, it is 
pricey and (imho) does TOO much of the thinking for you.

Dumpel will convert to text, but you have to then get the text into a
database
format, which is not as east as it should be.  Having eveything done as
syslog is
possible, and may be the best solution.

http://www.addison.com and http://www.heysoft.com also have some useful
util's.

--
Henry Sieff
Netwerküberkommander
Orthodontic Centers of America
(504) 834-4392 ext.135

> Cheers,
> Chris
> -- 
> **************************************
> cbrenton () sover net
>
> * Multiprotocol Network Design & Troubleshooting
> http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
> * Mastering Network Security
> http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet