Thanks for all previous posts; with your help I've successfully developed my (now not so tiny) Perl script. It connects to every DC in a domain to get its logs and sends them to a central log machine running syslog (it's based on evlogsys.pl halat_private) but with major changes. An integration with Big Brother (www.bb4.com) is planned, sending log alarms to BB.

When I started to test the script I found this problem: the DCs (about 50 country wide) generate logs faster than I can read them; most of them are 560 and 562 events. According to this trend, in a short time I'll be missing many log entries.

Does any of you know the meaning of EventID 560 and EventID 562? When and why are they generated? Is there any way to stop these log events? Would I miss too much information doing this?

EventID 560:
    Object Open:%n\r\n%tObject Server:%t%1%n\r\n%tObject Type:%t%2%n\r\n%tObject Name:%t%3%n\r\n%tNew Handle ID:%t%4%n\r\n%tOperation ID:%t{%5,%6}%n\r\n%tProcess ID:%t%7%n\r\n%tPrimary User Name:%t%8%n\r\n%tPrimary Domain:%t%9%n\r\n%tPrimary Logon ID:%t%10%n\

EventID 562:
    Handle Closed:%n\r\n%tObject Server:%t%1%n\r\n%tHandle ID:%t%2%n\r\n%tProcess ID:%t%3%n\r\n

Descriptions are:

EventID 560: Event generated by auditing "Object Open" activities.
EventID 562: Event generated when auditing is turned on for object access: "Handle Closed"

The audit policies are:
------------------------
Audit account logon events ( Success, Failure )
Audit account management ( Success, Failure )
Audit directory service access ( Success, Failure )
Audit login events ( Success, Failure )
Audit object access ( Success, Failure )
Audit policy change ( Success, Failure )
Audit privilege use ( Success, Failure )
Audit process tracking ( No auditing )
Audit system events ( Success, Failure )

If anyone is interested in a copy of this script just send me a mail. By now it only gets the logs and sends them to a syslog server.

Thanks in advance,
Gonzalo.

> -----Original Message-----
> From: Gonzalo Garcia [mailto:GO_GARCIAat_private]
> Sent: Monday, February 04, 2002 7:40 AM
> To: loganalysisat_private
> Subject: [logs] NT Logs
>
> Hi, I'm trying to do some work with NT logs and I have some questions.
>
> Is it possible to send all the logs to only one machine? I have a PDC and 30
> BDCs and it would be excellent to get the logs from only one server.
>
> Where can I get the EventID descriptions?
>
> I'm writing a tiny Perl script using the Win32::Eventlog module. It works fine
> with the system logs, but when I try to read the security logs and call the
> $hash->read(args ....) method the User key of the hashref is not in text.
> I've read some documents and there are "masks" to apply to some keys (e.g.
> TimeGenerated) but I could not find the mask, if any, for the User key. Does
> someone have some experience with this? ( $Win32::EventLog::GetMessageText
> is already set to 1 ).
>
> Does anyone know how to do this stuff using MFC or any non-commercial software?
> I just want to read the logs and, according to the EventID, send a
> message (maybe the whole record) to a DB server.
>
> Sorry about my English.
> Thanks in advance,
> Gonzalo S. García.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: loganalysis-unsubscribeat_private
> For additional commands, e-mail: loganalysis-helpat_private

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
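Added here as an example, not the poster's script: a Perl pre-filter that drops 562 Handle Closed events and collapses 560 Object Open events into per-user, per-object-type counts before forwarding, so the collector keeps up while every other audit event still arrives. It assumes records shaped like Win32::EventLog->Read() output with the User field already resolved to text; the sample batch is constructed.

```perl
#!/usr/bin/perl
# Added example, not the poster's script: pre-filter NT security events
# before forwarding so 560/562 object-access noise is dropped or collapsed
# while everything else passes unchanged. Records are hashrefs shaped like
# Win32::EventLog->Read() output (EventID, User, Strings); User is assumed
# already resolved to a name. The sample batch at the bottom is constructed.
use strict;
use warnings;

# Win32::EventLog hands back the full 32-bit EventID (severity/facility
# bits in the high word); Event Viewer shows only the low 16 bits.
sub event_id { return $_[0]{EventID} & 0xFFFF }

# Insertion strings %1..%10 of the 560 template arrive NUL-separated in
# Strings: server, type, name, handle, opid hi, opid lo, pid, user,
# domain, logon id. Summarize by DOMAIN\user and object type.
sub key_560 {
    my @s = split /\0/, $_[0]{Strings};
    return join '|', "$s[8]\\$s[7]", $s[1];
}

# One pass over a batch: 562 carries only handle/process IDs and is dropped;
# 560 is counted per key and emitted as one summary line per key; all other
# events are forwarded as they are. Returns the lines to send to syslog.
sub filter_batch {
    my ($records) = @_;
    my (@out, %opens);
    for my $rec (@$records) {
        my $id = event_id($rec);
        next if $id == 562;
        if ($id == 560) { $opens{ key_560($rec) }++; next }
        push @out, sprintf 'EventID=%d User=%s', $id, $rec->{User};
    }
    push @out, sprintf('EventID=560 ObjectOpen count=%d %s', $opens{$_}, $_)
        for sort keys %opens;
    return @out;
}

# constructed sample batch: two opens by one user, the matching close of the
# first handle, and a logon failure (529) that must pass through untouched
my @batch = (
    { EventID => 560, User => 'DOM\alice',
      Strings => join("\0", 'Security', 'File', 'C:\Data\a.doc', '44',
                            '0', '1', '812', 'alice', 'DOM', '(0x0,0x1A2B)') },
    { EventID => 562, User => '', Strings => join("\0", 'Security', '44', '812') },
    { EventID => 560, User => 'DOM\alice',
      Strings => join("\0", 'Security', 'File', 'C:\Data\b.doc', '45',
                            '0', '2', '812', 'alice', 'DOM', '(0x0,0x1A2B)') },
    { EventID => 529, User => 'DOM\bob', Strings => 'bob' },
);
print "$_\n" for filter_batch(\@batch);
```

Running it prints one line for the 529 event and one summary line "EventID=560 ObjectOpen count=2 DOM\alice|File" in place of the three object-access records.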
This archive was generated by hypermail 2b30 : Thu Feb 07 2002 - 12:09:37 PST