LogAnalysis
[logs] Windows Log Analysis Oct 08 2009 01:40PM
chris misztur (chrismisztur yahoo com) (1 replies)
RE: [logs] Windows Log Analysis Oct 21 2009 04:03PM
Clayton Dukes (cdukes) (cdukes cisco com)
Hi Chris,

I own an open source tool that a lot of people use for log analysis. I
built the tool primarily for Cisco-based events, but there are a lot of
people using it for Security and Windows-based log analysis.

The project is located at http://code.google.com/p/php-syslog-ng if you
are interested.

I would also be interested in knowing if it is successfully being used
for log analysis of non-Cisco environments, so if you use it, please let
me know :)

From: loganalysis-bounces (at) loganalysis (dot) org [email concealed]
[mailto:loganalysis-bounces (at) loganalysis (dot) org [email concealed]] On Behalf Of chris misztur
Sent: Thursday, October 08, 2009 9:41 AM
To: loganalysis (at) loganalysis (dot) org [email concealed]
Subject: [logs] Windows Log Analysis

I've put this project off to the side since mid-2008 but I'm back at it
(http://sync-io.net/go/blog/2008/06/18/EventCollectorSubscribingHTTPXP2003ClientsPost1.aspx).
I've been thinking up ways to utilize Windows Event Collector
(http://msdn.microsoft.com/en-us/library/bb427443(VS.85).aspx) to
collect from all PCs in the domain. The collector allows me to create
subscriptions using xpath queries and have the logs forwarded from
clients to the collector. I have been playing with the idea of polling
all PCs in the domain, getting their available logs, sources and events
(resource files in XP and above, and instrumentationManifests in Vista
and above). From this data I should have visibility of *most* possible
events in my domain. Great... so now I have a list of thousands of
possible events that I could collect.

Now what? How do I create a semi-autonomous system that will know to
take action? (e.g. kerberos/5 and W32Time/29 should check the state of
timeservers)
I am tired of playing the game of collect everything and ask questions
later. With a db of *most* Windows events, I should be able to make
more intelligent decisions.

chris

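Turning a collected event into an action, as an added example that is not part of the thread or of the tools it names: a Python router that parses forwarded Windows event XML, maps (provider, event ID) pairs to an action using the two pairs from the post, and builds the XPath filter a collector subscription would use so clients forward only events that have an action attached. The provider names "Kerberos" and "W32Time", the action name and the sample events are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows event XML (the form in which the collector receives events).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Rule table: (provider name, event ID) -> action name. The two entries are the
# examples from the post; the provider names are assumed to match the forwarded
# Provider/@Name attribute. Anything not listed is dropped, not stored.
RULES = {
    ("Kerberos", 5): "check_timeservers",
    ("W32Time", 29): "check_timeservers",
}

def subscription_xpath(rules):
    """Build the XPath a collector subscription would use so that clients
    forward only the events that have an action attached."""
    clauses = ["(Provider[@Name='%s'] and EventID=%d)" % key for key in sorted(rules)]
    return "*[System[" + " or ".join(clauses) + "]]"

def route_event(event_xml, rules=RULES):
    """Parse one forwarded event; return (computer, action), or None if no rule matches."""
    root = ET.fromstring(event_xml)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    event_id = int(system.find("e:EventID", NS).text)
    computer = system.find("e:Computer", NS).text
    action = rules.get((provider, event_id))
    return (computer, action) if action else None

# Constructed sample events (not real captures); the third one matches no rule.
SAMPLE_EVENTS = [
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="W32Time"/><EventID>29</EventID>'
    '<Computer>ws01.example.local</Computer></System></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Kerberos"/><EventID>5</EventID>'
    '<Computer>ws02.example.local</Computer></System></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Service Control Manager"/><EventID>7036</EventID>'
    '<Computer>ws03.example.local</Computer></System></Event>',
]

def dispatch(events, rules=RULES):
    """Group the computers that need each action; unmatched events are ignored."""
    todo = {}
    for xml in events:
        hit = route_event(xml, rules)
        if hit:
            todo.setdefault(hit[1], []).append(hit[0])
    return todo
```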
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis