On 4 Mar 2002, at 19:19, Steve Wray wrote:

> OMG, after checking, I find that these
> log files aren't even text files!
>
> How on earth is one supposed to analyse them?
> (the provided applet barely counts for log
> analysis... If you can't grep the logs they
> aren't worth keeping).
>
> Maybe there's a setting to make NT/2k/XP
> log to text files?

Their not being text files probably has something to do with the wide availability of hacker tools called "text editors" that can be used to arbitrarily change the contents of such files to cover an intruder's tracks. Text files are also often susceptible to compression ratios of 3:1 or more, particularly if they contain repetitive data.

The NT/2000 log file record formats contain a mix of fixed-size and variable length fields, some of which form, when combined, links to boilerplate text in other files. The APIs which support these files limit changes initiated by user processes to "append" while allowing a single OS component to discard old entries per settings configured by an administrator. (Oops-- or someone successfully pretending to be an administrator, or anyone/anything with permission to modify some registry entries....)

These APIs, by the way, provide a degree of remote access across a network that the common file read/write APIs rely upon volume sharing to achieve.

The APIs also make it fairly easy to write programs which extract event log records to display, or to a text file for analysis or archive. That the OS does not actually come with such a tool is an oversight that Microsoft will no doubt correct by acquiring one of the third-party tools that do this, as soon as one of them demonstrates that there's money to be made.

DG
This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 00:52:48 PST