I think as long as you extract them in a way that can easily be described and is routine and provides exact results, there is no difference between a parsed version and the actual event log raw files - at least this is my understanding from previous discussions on this list. I actually see value in not storing the files. You can change the SIDs to actual users, which makes review even after some years (and disappeared domains, deleted users etc.) much easier. Our solution will also soon support some cryptographic hashes over the event log entry, so they can be verified. Others may do other tricks...

Rainer

> If you archive Windows events in evt format, you preserve UTC timestamps
> and the ability to use event viewer and the eventlog APIs to query the
> log. However, some SIDs in the log may not be able to be looked up and
> translated to account names, for accounts that have been deleted between
> log archival and log view. Event messages can be viewed in any locale.
>
> If you archive Windows events as txt, you must note the time zone of the
> machine. SID translation is done before conversion to txt, so SID-name
> translation is not an issue, except for renamed accounts. Event
> messages will be stored in the locale where text conversion occurred.
>
> I can't speak to the legal implications of either.
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysisat_private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
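As an added example (not code from Rainer's product or from anyone on this list), the following Python sketch shows the two points discussed in this thread: a parsed, txt-style export normalized to UTC with the raw SID kept next to the resolved account name, and a per-entry SHA-256 hash chained to the previous entry so the archive can be verified later. The sample events, the SID map and the locale value are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of parsed (txt-style) events: local time plus the
# exporting machine's UTC offset, recorded as the quoted reply advises.
SAMPLE_EVENTS = [
    {"local_time": "2003-09-10 09:56:46", "utc_offset_min": -420,
     "sid": "S-1-5-21-1111-2222-3333-1001", "message": "Successful Logon"},
    {"local_time": "2003-09-10 10:02:11", "utc_offset_min": -420,
     "sid": "S-1-5-21-1111-2222-3333-9999", "message": "Logon Failure"},
]
# Constructed SID map; the second SID is deliberately absent (deleted account).
SID_MAP = {"S-1-5-21-1111-2222-3333-1001": "CORP\\alice"}
LOCALE = "en-US"  # locale in which the text conversion occurred

def normalize_event(ev, sid_map):
    """Convert to UTC and resolve the SID, keeping the raw SID alongside the
    name so renamed or deleted accounts stay identifiable years later."""
    local = datetime.strptime(ev["local_time"], "%Y-%m-%d %H:%M:%S")
    tz = timezone(timedelta(minutes=ev["utc_offset_min"]))
    utc = local.replace(tzinfo=tz).astimezone(timezone.utc)
    return {"time_utc": utc.strftime("%Y-%m-%dT%H:%M:%SZ"), "sid": ev["sid"],
            "account": sid_map.get(ev["sid"]),  # None if unresolvable at export
            "message": ev["message"], "locale": LOCALE}

def entry_hash(record, prev_hash=""):
    """SHA-256 over canonical JSON, chained to the previous entry's hash so
    that altering, dropping or reordering archived entries is detectable."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def build_archive(events, sid_map):
    """Return normalized records, each carrying its chained hash."""
    out, prev = [], ""
    for ev in events:
        rec = normalize_event(ev, sid_map)
        prev = entry_hash(rec, prev)
        out.append({**rec, "hash": prev})
    return out

def verify_archive(archive):
    """Recompute the chain; False on any tampered, missing or moved entry."""
    prev = ""
    for rec in archive:
        prev = entry_hash({k: v for k, v in rec.items() if k != "hash"}, prev)
        if prev != rec["hash"]:
            return False
    return True
```

A chain like this only proves the archive matches what was hashed at export time; the final hash still needs to be stored somewhere the archive's writer cannot modify.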
This archive was generated by hypermail 2b30 : Wed Sep 10 2003 - 09:56:46 PDT