Firewall Wizards mailing list archives
NT Event Log Collection
From: "Hayday, John (ISSReading)" <jhayday () iss net>
Date: Mon, 2 Aug 1999 14:04:39 +0100
Someone just sent me the thread on Event Log handling as in a previous existence I had a requirement to solve the same problem: Check out Event Log Manager from March Information Systems, now part of Internet Security Systems. It was explicitly designed to solve this problem. Additionally solves Windows NT problem of not having the capability to alert when the log is becoming x percent full.

It will transfer logs at set time of day and or when they become x percent full, using a secure store and forward (TDES) to a central collector. Once stored locally, prior to transfer, the logs are cleared, such that auditing will continue uninterrupted. This facility is used by secure sites that want their systems set to 'crash on audit fail' to ensure that they never do.

The logs are transferred in their native format, along with supporting files (only once). This was done deliberately to ensure that the logs were not altered for evidential purposes. Once stored centrally, they can be viewed or output to ODBC database as required. They can also be archived to read-only media for longer term storage. The viewer will also allow archived files to be read directly from the read-only media, without being reloaded.

John Hayday
Internet Security Systems
X-Sender: mjr () mail clark net
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date: Fri, 30 Jul 1999 12:36:46 -0400
To: "Buckley, Neil" <buckley () network-1 com>, firewall-wizards () nfr net
From: "Marcus J. Ranum" <mjr () nfr net>
Subject: Re: NT Log Files
Sender: owner-firewall-wizards () nfr net
Reply-To: "Marcus J. Ranum" <mjr () nfr net>

> A while back there was a thread started by MJR, I believe, that included discussion of NT log files and the possible ways to monitor them. I searched the archive for info, but was unable to locate the thread.

Short summary: I got the O'Reilly book on NT logging and read it. It turns out that NT logs are stored with application specific codings based on the DLLs that are installed on the system generating the logs. This is done for internationalization, so it makes sense but it's a pain. The only way to "resolve" the coded logs into text reliably is to do it on the machine where the logs were generated. My idea had been to push the logs to someplace else and then process them en masse. No dice.

There is a tool out there that resolves the logs into text and pushes them to "loghost" via UNIX syslog calls. There are a couple versions of such things floating around. One is http://www.adiscon.com/EvntSLog/main.asp

There is a syslogd for NT http://www.netal.com/SL4NT03.htm

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr