Security Basics mailing list archives
RE: Central Win2000 auditing logs
From: Ben Collins <BenCollins () gateshead gov uk>
Date: Thu, 19 Jun 2003 09:54:47 +0100
I use the following perl script, it's a bit dirty but it works. When you've collected the logs you can process them using CyberSafe Log Analyst from the 2K resource kit.

Ben.

    #-------------------------------------------------------------------------------
    #
    # Backup and Clear Security EventLogs.
    # Version 1.2
    # Ben Collins
    # 18/09/2002
    #
    #-------------------------------------------------------------------------------
    #
    # Add the names of servers to the file serverlist.txt in the same directory
    # as this script.
    #
    #-------------------------------------------------------------------------------

    use Win32::EventLog;
    use Win32API::File 0.08 qw( :ALL );

    # Get today's date (day-month-year, e.g. 19-Jun-2003).
    $Date=join("-", ((split(/\s+/, scalar(localtime)))[2,1,4]));

    # Create a directory with today's date.
    $Directory="g:\\seclogs\\$Date";
    mkdir($Directory, 0777);

    # Get the names of servers.
    open(SERVERS, "serverlist.txt") or die "Unable to open serverlist.txt: $!\n";
    chomp(@Servers=<SERVERS>);
    close(SERVERS);

    # Connect to each server and backup the logs.
    foreach $Server (@Servers)
    {
        # Skip this server if the connection fails; calling Clear on a
        # failed handle would abort the whole run.
        $EventLog=Win32::EventLog->new("Security", "\\\\$Server")
            or do { Error_Log("Unable to connect to the Security Log on \\\\$Server: $^E.\n"); next; };
        $FileName="$Server-$Date.evt";
        # Clear() with a file name backs the log up to that file (a path on the
        # remote server) and then clears it.
        $EventLog->Clear("c:\\$FileName")
            or do { Error_Log("Unable to backup the Security EventLog on \\\\$Server: $^E.\n"); $EventLog->Close; next; };
        $EventLog->Close;
        # Pull the backup off the server's admin share into today's directory.
        $Source="\\\\$Server\\c\$\\$FileName";
        $Destination="$Directory\\$FileName";
        MoveFile($Source, $Destination)
            or Error_Log("Unable to move $Source to $Destination: $^E.\n");
    }

    # Write error messages to a file.
    sub Error_Log
    {
        ($Msg)=@_;
        open(LOG, ">>g:\\seclogs\\errors.txt");
        $Time=join("-", ((split(/\s+/, scalar(localtime)))[3]));
        print LOG ("$Date $Time $Msg");
        close(LOG);
    }

-----Original Message-----
From: Stephen Gay [mailto:sgay () ellijay com]
Sent: 18 June 2003 18:32
To: security-basics () securityfocus com
Subject: Central Win2000 auditing logs

Hello,

Does anyone have any experience with centrally locating Windows2000 log files, for disaster recovery sake?

What I have in mind is a dedicated server with a large storage array, that holds the log files for all of the servers in a company. I know that Windows2000 doesn't have this capacity built in, but I've heard that 3rd party vendors offer products that do this.

More importantly, has anyone ever done this with a Perl script or reliable freeware?

Thanks for any help or advice,
Stephen Gay
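Because the script above clears each Security log once it has been backed up, a failed or partial move leaves a gap on the central server. The following is an added example, not part of the original post or Ben Collins' script: it audits one day's directory using the `<server>-<date>.evt` naming from the script, checks each file for the classic .evt header, and records a SHA-256 for later integrity checks. The server names SRV1 to SRV3, the temporary directory and the sample file contents are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the original post): audit one day's collected logs.
use strict;
use warnings;
use Digest::SHA;
use File::Spec;
use File::Temp qw(tempdir);

# Classic .evt files begin with a 48-byte header: DWORD size 0x30, then "LfLe".
my $EVT_MAGIC = pack("V", 0x30) . "LfLe";

# Returns server => "missing" | "empty" | "unreadable" | "bad-header" | SHA-256 hex.
sub audit_collection {
    my ($dir, $date, @servers) = @_;
    my %result;
    for my $server (@servers) {
        my $path = File::Spec->catfile($dir, "$server-$date.evt");
        if (!-e $path) { $result{$server} = "missing"; next; }
        if (-z $path)  { $result{$server} = "empty";   next; }
        open(my $fh, "<", $path)
            or do { $result{$server} = "unreadable"; next; };
        binmode($fh);
        my $head = "";
        read($fh, $head, 8);
        close($fh);
        if ($head ne $EVT_MAGIC) { $result{$server} = "bad-header"; next; }
        # Hash the whole file in binary mode for a tamper-evident manifest.
        $result{$server} = Digest::SHA->new(256)->addfile($path, "b")->hexdigest;
    }
    return %result;
}

# Constructed sample: SRV1 has a valid header, SRV2 is zero bytes, SRV3 is absent.
my $date   = "19-Jun-2003";
my $dir    = tempdir(CLEANUP => 1);
my %sample = (SRV1 => $EVT_MAGIC . ("\0" x 40), SRV2 => "");
for my $server (keys %sample) {
    my $file = File::Spec->catfile($dir, "$server-$date.evt");
    open(my $out, ">", $file) or die "Cannot write $file: $!\n";
    binmode($out);
    print {$out} $sample{$server};
    close($out);
}

my %report = audit_collection($dir, $date, qw(SRV1 SRV2 SRV3));
printf "%-6s %s\n", $_, $report{$_} for sort keys %report;
```

In real use, pass the day's directory and the contents of serverlist.txt to `audit_collection` and append the hashes to a manifest kept off the collection server.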
Current thread:
- Central Win2000 auditing logs Stephen Gay (Jun 18)
- Re: Central Win2000 auditing logs Birl (Jun 18)
- Re: Central Win2000 auditing logs Stephen Gay (Jun 19)
- Re: Central Win2000 auditing logs Birl (Jun 19)
- Re: Central Win2000 auditing logs Stephen Gay (Jun 19)
- Re: Central Win2000 auditing logs Anders Reed Mohn (Jun 19)
- Re: Central Win2000 auditing logs ATD (Jun 24)
- <Possible follow-ups>
- Re: Central Win2000 auditing logs Damon McMahon (Jun 19)
- FW: Central Win2000 auditing logs David Olivier (Jun 19)
- RE: Central Win2000 auditing logs Ben Collins (Jun 19)
- Re: Central Win2000 auditing logs Birl (Jun 18)