LogAnalysis
[logs] Getting Windows logs through WMI Jan 16 2008 05:40AM
Vincent Bernat (bernat luffy cx)
Hi !

Getting the event log through WMI calls has two advantages over the classic
RPC method:
- We don't need to resolve symbols using DLLs (which is quite
problematic when getting logs remotely). The WMI layer translates
messages into a human-readable form.
- This works on both Linux and Windows. Getting logs via RPC from
Linux is still quite experimental (this is part of the Samba
project).

However, it seems that there is a major drawback to using WMI: when the
event log file is 100 MB in size, the WMI call times out whatever the
request is. I mean, whether you ask for log entry 45722, for the last 100
entries or for the first 100 entries, the WMI call takes too much time and
times out.

WMI allows querying the event log through the WQL language, which is SQL
with far fewer features. However, it seems that no indexing occurs and that
the whole log file is scanned for every request.

For some large organizations, a 100 MB file is quite common (and
filled in an hour, so we cannot ask them to use a smaller size). Do you
know of any workaround to this limitation?

Thanks.
--
MUD IS NOT ONE OF THE 4 FOOD GROUPS
MUD IS NOT ONE OF THE 4 FOOD GROUPS
MUD IS NOT ONE OF THE 4 FOOD GROUPS
-+- Bart Simpson on chalkboard in episode 9F15
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org
http://www.loganalysis.org/mailman/listinfo/loganalysis
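The three requests the post describes (one entry by record number, the last 100 entries, the first 100 entries), written out as WQL against the Win32_NTLogEvent class. This is an added example, not code from the original post or from the list; the host name, log name and record number are placeholders, and it assumes the caller already has WMI/DCOM access and read rights on the log in question.

```powershell
# Added example (not from the original post). Placeholders:
$Computer     = 'dc01'       # assumed remote host
$LogName      = 'Security'   # assumed log file
$RecordNumber = 45722        # the single entry the post asks for

# 1. One entry by record number. WQL pushes the predicate to the provider,
#    but the provider has no index on RecordNumber and walks the whole file.
Get-WmiObject -ComputerName $Computer -Class Win32_NTLogEvent `
    -Filter "Logfile='$LogName' AND RecordNumber=$RecordNumber" |
    Select-Object RecordNumber, TimeGenerated, EventCode, SourceName, Message

# 2. "Last 100" / "first 100". WQL has no TOP and no ORDER BY, so the only
#    way to express these is to pull every record of the log and cut the
#    result client-side. On a 100 MB log this is the full-file transfer
#    that the post reports timing out.
$all = Get-WmiObject -ComputerName $Computer -Class Win32_NTLogEvent `
    -Filter "Logfile='$LogName'" | Sort-Object RecordNumber
$last100  = $all | Select-Object -Last 100
$first100 = $all | Select-Object -First 100

# 3. A server-side predicate (here: entries from the last hour) shrinks what
#    comes back over the wire, but the provider still evaluates it against
#    every record rather than seeking into the file. TimeGenerated is a
#    CIM_DATETIME string, so the bound must be converted to DMTF format.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime(
    (Get-Date).AddHours(-1))
Get-WmiObject -ComputerName $Computer -Class Win32_NTLogEvent `
    -Filter "Logfile='$LogName' AND TimeGenerated >= '$since'" |
    Select-Object RecordNumber, TimeGenerated, EventCode, SourceName
```

The point of writing all three out is that they differ only in the predicate: none of them can tell WMI to start reading at a given offset or from the end of the file, which is why the post observes the same timeout regardless of the request. Narrowing the time window (query 3) reduces the transferred volume and is the only lever WQL itself offers; it does not avoid the scan.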

Copyright 2010, SecurityFocus