Firewall Wizards mailing list archives

NT Event Log Collection


From: "Hayday, John (ISSReading)" <jhayday () iss net>
Date: Mon, 2 Aug 1999 14:04:39 +0100

Someone just sent me the thread on Event Log handling as in a previous
existence I had a requirement to solve the same problem:

Check out Event Log Manager from March Information Systems, now part of
Internet Security Systems.  It was explicitly designed to solve this
problem.  Additionally, it solves the Windows NT problem of not having the
capability to alert when the log is becoming x percent full.  It will
transfer logs at a set time of day and/or when they become x percent full,
using a secure store and forward (TDES) to a central collector.  Once stored
locally, prior to transfer, the logs are cleared, such that auditing will
continue uninterrupted.  This facility is used by secure sites that want
their systems set to 'crash on audit fail' to ensure that they never do. The
logs are transferred in their native format, along with supporting files
(only once).  This was done deliberately to ensure that the logs were not
altered for evidential purposes.  Once stored centrally, they can be viewed
or output to an ODBC database as required.  They can also be archived to
read-only media for longer-term storage.  The viewer will also allow
archived files to be read directly from the read-only media, without being
reloaded.

John Hayday
Internet Security Systems

X-Sender: mjr () mail clark net
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date: Fri, 30 Jul 1999 12:36:46 -0400
To: "Buckley, Neil" <buckley () network-1 com>, firewall-wizards () nfr net
From: "Marcus J. Ranum" <mjr () nfr net>
Subject: Re: NT Log Files
Sender: owner-firewall-wizards () nfr net
Reply-To: "Marcus J. Ranum" <mjr () nfr net>

A while back there was a thread started by MJR, I believe, that included
discussion of NT log files and the possible ways to monitor them.  I
searched the archive for info, but was unable to locate the thread.

Short summary:
        I got the O'Reilly book on NT logging and read it.

        It turns out that NT logs are stored with application specific
                codings based on the DLLs that are installed on the
                system generating the logs. This is done for
                internationalization, so it makes sense but it's a pain.
                The only way to "resolve" the coded logs into text reliably
                is to do it on the machine where the logs were generated.
                My idea had been to push the logs to someplace else and
                then process them en masse. No dice.

        There is a tool out there that resolves the logs into text
                and pushes them to "loghost" via UNIX syslog calls.
                There are a couple versions of such things floating
                around. One is http://www.adiscon.com/EvntSLog/main.asp

        There is a syslogd for NT http://www.netal.com/SL4NT03.htm


mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
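The "resolve on the generating machine, then ship to a loghost" approach MJR describes, as an added example that is not part of the thread and not code from any of the tools mentioned. It assumes a modern Windows host where Get-WinEvent is available; $LogHost and $Port are placeholders for the collector.

```powershell
# Added example (not from the thread): render event records on the host that
# generated them, then forward each as a BSD-syslog line over UDP.
# Assumptions: $LogHost/$Port are placeholders; run with rights to read the log.
param(
    [string]$LogHost = 'loghost.example.invalid',   # placeholder collector
    [int]$Port = 514,
    [string]$LogName = 'Security',
    [int]$MaxEvents = 50
)

$udp = New-Object System.Net.Sockets.UdpClient
$udp.Connect($LogHost, $Port)
$hostName = $env:COMPUTERNAME

# Get-WinEvent fills in .Message using the message-table DLLs registered on
# this machine, which is exactly why this must run here and not on the loghost.
Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents | ForEach-Object {
    $msg = $_.Message
    if ([string]::IsNullOrWhiteSpace($msg)) {
        # Provider DLL missing or unregistered: the text cannot be rendered
        # even locally, so ship the raw substitution strings instead of dropping it.
        $props = ($_.Properties | ForEach-Object { $_.Value }) -join '|'
        $msg = "UNRESOLVED EventID=$($_.Id) Provider=$($_.ProviderName) Data=$props"
    } else {
        $msg = ($msg -replace '\s+', ' ').Trim()   # one event per syslog line
    }
    # Map Windows levels (1=Critical,2=Error,3=Warning) onto syslog severities;
    # facility 13 is "log audit" in RFC 3164.
    $severity = switch ($_.Level) { 1 { 2 } 2 { 3 } 3 { 4 } default { 6 } }
    $pri = 13 * 8 + $severity
    $ts = '{0:MMM} {1,2} {0:HH:mm:ss}' -f $_.TimeCreated, $_.TimeCreated.Day
    $line = "<$pri>$ts $hostName $($_.ProviderName)[$($_.Id)]: $msg"
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($line)
    # Classic syslog collectors commonly cap a datagram at 1024 bytes.
    if ($bytes.Length -gt 1024) { $bytes = [byte[]]$bytes[0..1023] }
    [void]$udp.Send($bytes, $bytes.Length)
}
$udp.Close()
```

Because UDP syslog is neither authenticated nor encrypted, this gives the loghost rendered text for monitoring but not the evidential, unaltered native log that the Event Log Manager post above is concerned with.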
