Security Basics mailing list archives

RE: Central Win2000 auditing logs


From: Ben Collins <BenCollins () gateshead gov uk>
Date: Thu, 19 Jun 2003 09:54:47 +0100

I use the following Perl script; it's a bit dirty, but it works. When you've
collected the logs you can process them using CyberSafe Log Analyst from the
2K resource kit.

Ben.

#-------------------------------------------------------------------------------
#
# Backup and Clear Security EventLogs.
# Version 1.2
# Ben Collins
# 18/09/2002
#
#-------------------------------------------------------------------------------
#
# Add the names of servers to the file serverlist.txt in the same directory
# as this script.
#
#-------------------------------------------------------------------------------

use strict;
use warnings;
use Win32::EventLog;
use Win32API::File 0.08 qw( :ALL );

# Get today's date, e.g. "19-Jun-2003".
my $Date = join("-", ((split(/\s+/, scalar(localtime)))[2,1,4]));

# Create a directory with today's date on the central archive drive.
my $Directory = "g:\\seclogs\\$Date";
mkdir($Directory, 0777) or -d $Directory
  or die "Unable to create $Directory: $^E\n";

# Get the names of servers, one per line; blank lines are ignored.
open(my $servers, '<', "serverlist.txt")
  or die "Unable to open serverlist.txt: $!\n";
chomp(my @Servers = grep { /\S/ } <$servers>);
close($servers);

# Connect to each server and backup the logs.
foreach my $Server (@Servers) {
  my $EventLog = Win32::EventLog->new("Security", "\\\\$Server");
  unless ($EventLog) {
    Error_Log("Unable to connect to the Security Log on \\\\$Server: $^E.\n");
    next;
  }
  my $FileName = "$Server-$Date.evt";
  # Clear() with a file name backs the log up to that file and then clears it.
  # The path is interpreted by the remote Event Log service, so the backup is
  # written on the server's own C: drive; the log is only cleared if the
  # backup succeeded.
  unless ($EventLog->Clear("c:\\$FileName")) {
    Error_Log("Unable to backup the Security EventLog on \\\\$Server: $^E.\n");
    $EventLog->Close;
    next;
  }
  $EventLog->Close;
  # Pull the backup off the server's administrative share into the archive.
  my $Source      = "\\\\$Server\\c\$\\$FileName";
  my $Destination = "$Directory\\$FileName";
  MoveFile($Source, $Destination)
    or Error_Log("Unable to move $Source to $Destination: $^E.\n");
}

# Write error messages to a file.
sub Error_Log {
  my ($Msg) = @_;
  open(my $log, '>>', "g:\\seclogs\\errors.txt") or return;
  my $Time = (split(/\s+/, scalar(localtime)))[3];    # e.g. "09:54:47"
  print $log "$Date $Time $Msg";
  close($log);
}



-----Original Message-----
From: Stephen Gay [mailto:sgay () ellijay com]
Sent: 18 June 2003 18:32
To: security-basics () securityfocus com
Subject: Central Win2000 auditing logs


Hello,

Does anyone have any experience with centrally locating Windows 2000 log
files, for disaster recovery's sake?

What I have in mind is a dedicated server with a large storage array that
holds the log files for all of the servers in a company. I know that
Windows 2000 doesn't have this capacity built in, but I've heard that 3rd
party vendors offer products that do this.

More importantly, has anyone ever done this with a Perl script or reliable
freeware?

Thanks for any help or advice,
Stephen Gay



---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------


**********************************************
Important Information
This e-mail constitutes a confidential communication and is
subject to legal privilege.  If you have received this e-mail
in error, please notify us immediately. You should not use
or copy it for any purpose, nor disclose it to any other
person.
**********************************************
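The script in Ben's reply backs each server's Security log up to a .evt file and moves it to the central share, but nothing checks that what arrived is a complete backup. The following is an added example (the editor's, not Ben's script and not part of this thread) in Python: a parser for the Windows NT/2000 .evt file format that walks the record chain of a collected file and flags a transfer cut short mid-record, a file that was copied out of %SystemRoot% while the Event Log service still had it open (header DIRTY flag set), and header/EOF bookkeeping that disagrees with the records present. The field layout follows the ELF_LOGFILE_HEADER and EVENTLOGRECORD structures; the sample image, the server name SRV01, the user names and the timestamps are constructed for the example, and event IDs 517, 528 and 529 are the Windows 2000 Security log's "audit log cleared", "successful logon" and "logon failure" events.

```python
import struct

# Windows NT 4 / 2000 .evt (ELF) on-disk layout, per the ELF_LOGFILE_HEADER and
# EVENTLOGRECORD structures; all fields are little-endian DWORDs/WORDs.
ELF_SIGNATURE = b"LfLe"                     # magic in the header and at +4 in every record
HEADER_SIZE, RECORD_FIXED_SIZE, EOF_RECORD_SIZE = 0x30, 0x38, 0x28
EOF_MAGIC = (0x11111111, 0x22222222, 0x33333333, 0x44444444)
ELF_LOGFILE_HEADER_DIRTY = 0x0001           # header not flushed: the service still has the log open
EVENTLOG_AUDIT_SUCCESS, EVENTLOG_AUDIT_FAILURE = 0x0008, 0x0010
EVENT_AUDIT_LOG_CLEARED = 517               # Windows 2000 Security: "The audit log was cleared"
HEADER_FMT, RECORD_FMT, EOF_FMT = "<I4sIIIIIIIIII", "<I4sIIIIHHHHIIIIII", "<IIIIIIIIII"


def _utf16z(buf, off):
    """NUL-terminated UTF-16LE string at off; returns (text, offset past the NUL)."""
    end = off
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string at 0x%x" % off)
    return buf[off:end].decode("utf-16-le"), end + 2


def parse_evt(buf):
    """Walk the record chain. Returns (records, problems); an empty problems list means clean."""
    problems, records = [], []
    if len(buf) < HEADER_SIZE:
        return records, ["file shorter than the 0x30-byte header"]
    (hsize, sig, _maj, _min, start, end, cur_rec, oldest, _max,
     flags, _ret, hend) = struct.unpack_from(HEADER_FMT, buf, 0)
    if (hsize, hend, sig) != (HEADER_SIZE, HEADER_SIZE, ELF_SIGNATURE):
        return records, ["bad ELF header: not a .evt file"]
    if flags & ELF_LOGFILE_HEADER_DIRTY:
        problems.append("header DIRTY flag set: looks like a live log copied from disk, not a BackupEventLog archive")
    off, expected = start, oldest
    while True:
        if off + 8 > len(buf):
            problems.append("truncated: record chain runs off the end at 0x%x" % off)
            break
        length, marker = struct.unpack_from("<II", buf, off)
        if length == EOF_RECORD_SIZE and marker == EOF_MAGIC[0]:      # ELF_EOF_RECORD
            eof = struct.unpack_from(EOF_FMT, buf, off) if off + EOF_RECORD_SIZE <= len(buf) else ()
            if not eof or eof[1:5] != EOF_MAGIC or eof[9] != EOF_RECORD_SIZE:
                problems.append("malformed or truncated EOF record at 0x%x" % off)
            elif off != end or expected != cur_rec:
                problems.append("header/EOF bookkeeping disagrees with the records actually present")
            break
        if buf[off + 4:off + 8] != ELF_SIGNATURE or length < RECORD_FIXED_SIZE + 4:
            problems.append("record at 0x%x has no LfLe signature or a bad length" % off)
            break
        if off + length > len(buf):
            problems.append("truncated: record at 0x%x needs %d bytes, %d left" % (off, length, len(buf) - off))
            break
        rec = buf[off:off + length]
        (_, _, recno, t_gen, _t_wr, event_id, etype, nstr, _cat, _rf, _clos,
         str_off, _sidlen, _sidoff, _dlen, _doff) = struct.unpack_from(RECORD_FMT, rec, 0)
        if struct.unpack_from("<I", rec, length - 4)[0] != length:  # Length is repeated at the end
            problems.append("record %d: trailing length mismatch" % recno)
        if recno != expected:
            problems.append("record number gap: expected %d, found %d" % (expected, recno))
        try:
            source, p = _utf16z(rec, RECORD_FIXED_SIZE)       # SourceName, then ComputerName
            computer, _ = _utf16z(rec, p)
            strings, p = [], str_off                          # insertion strings at StringOffset
            for _ in range(nstr):
                s, p = _utf16z(rec, p)
                strings.append(s)
        except ValueError as e:
            problems.append("record %d: %s" % (recno, e))
            break
        records.append({"recno": recno, "time": t_gen, "event_id": event_id & 0xFFFF,
                        "type": etype, "source": source, "computer": computer, "strings": strings})
        off, expected = off + length, recno + 1
    return records, problems


def check_evt(buf):
    """Verdict for one collected archive, e.g. check_evt(open(path, 'rb').read())."""
    records, problems = parse_evt(buf)
    return {"ok": not problems, "problems": problems, "records": len(records),
            "audit_success": sum(r["type"] == EVENTLOG_AUDIT_SUCCESS for r in records),
            "audit_failure": sum(r["type"] == EVENTLOG_AUDIT_FAILURE for r in records),
            # after the script's Clear(), the first event of the next archive should be 517
            "starts_with_clear": bool(records) and records[0]["event_id"] == EVENT_AUDIT_LOG_CLEARED}


def build_record(recno, t, event_id, etype, source, computer, strings):
    """Encode one EVENTLOGRECORD (no SID, no binary data) for the constructed sample."""
    body = (source + "\x00" + computer + "\x00").encode("utf-16-le")
    str_off = RECORD_FIXED_SIZE + len(body)
    body += "".join(s + "\x00" for s in strings).encode("utf-16-le")
    body += b"\x00" * (-len(body) % 4)                    # DWORD-align the trailing Length
    length = RECORD_FIXED_SIZE + len(body) + 4
    fixed = struct.pack(RECORD_FMT, length, ELF_SIGNATURE, recno, t, t, event_id, etype,
                        len(strings), 0, 0, 0, str_off, 0, str_off, 0, length - 4)
    return fixed + body + struct.pack("<I", length)


def build_evt(recs):
    """Header + records + EOF record, laid out linearly as BackupEventLog writes a backup."""
    first, last = (struct.unpack_from("<I", r, 8)[0] for r in (recs[0], recs[-1]))
    eof_off = HEADER_SIZE + sum(len(r) for r in recs)
    hdr = struct.pack(HEADER_FMT, HEADER_SIZE, ELF_SIGNATURE, 1, 1, HEADER_SIZE, eof_off,
                      last + 1, first, eof_off + EOF_RECORD_SIZE, 0, 0, HEADER_SIZE)
    eof = struct.pack(EOF_FMT, EOF_RECORD_SIZE, *EOF_MAGIC, HEADER_SIZE, eof_off, last + 1, first, EOF_RECORD_SIZE)
    return hdr + b"".join(recs) + eof


# Constructed sample: what SRV01-19-Jun-2003.evt might hold right after a Clear().
T0 = 1056009287
SAMPLE_EVT = build_evt([
    build_record(1001, T0, 517, EVENTLOG_AUDIT_SUCCESS, "Security", "SRV01", ["SYSTEM", "NT AUTHORITY"]),
    build_record(1002, T0 + 30, 528, EVENTLOG_AUDIT_SUCCESS, "Security", "SRV01", ["jdoe", "EXAMPLE", "2"]),
    build_record(1003, T0 + 65, 529, EVENTLOG_AUDIT_FAILURE, "Security", "SRV01", ["administrator", "EXAMPLE", "3"]),
])
TRUNCATED_EVT = SAMPLE_EVT[:-(EOF_RECORD_SIZE + 10)]  # MoveFile interrupted: EOF record and tail of 1003 gone
DIRTY_EVT = SAMPLE_EVT[:0x24] + struct.pack("<I", ELF_LOGFILE_HEADER_DIRTY) + SAMPLE_EVT[0x28:]
```

Run check_evt() over every file under g:\seclogs\<date> after the script finishes, and treat anything with "ok" false as a failed collection to redo while the source log is still intact. The "starts_with_clear" key is the cheap sanity check for this particular script: because Clear() leaves the cleared log with a 517 event, every archive after the first should begin with one, and an archive that does not suggests the log was cleared or reset by something other than the backup job.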
