RE: [logs] IIS and Windows Event log parser to generate reports

From: Rudy, Ian # PHX (ian.rudy@private)
Date: Fri Feb 27 2004 - 07:29:06 PST

    Kevin,
     
    I'm slightly one step ahead.. I've figured out how to get the IIS logs and
    Event logs to the syslog facility (SNARE
    http://www.intersectalliance.com/projects/SnareWindows/index.html ).. now
    I want to be able to crunch those events into higher level html reports for
    trending and correlation.  I too am using syslog-ng with a mysql backend but
    I also process the raw log files for PIX events and ACL events into high
    level html reports.  I'm looking to identify a solution similar to fwanalog
    (http://tud.at/programm/fwanalog/) for
    the IIS and Windows Event logs.  I'd love to try the SNARE server portion
    but alas I'm not located in the Asia Pacific region where they are currently
    offering it.  I've checked out a couple of other cheap commercial (around
    $100-200 US) but most of the Windows based analysis ones run on Windows and
    I was hoping to find something that could run on my Linux based central log
    server.  I don't mind even doing the grunt work of having to figure out what
    trends and events I want to analyze, just looking for a good log parsing
    engine with html output capabilities.
     
    Thanks,
    Ian
     
    -----Original Message-----
    From: Maute Kevin Contr AFIT/SCBS [mailto:Kevin.Maute@private] 
    Sent: Friday, February 27, 2004 9:07 AM
    To: Rudy, Ian # PHX; loganalysis@private
    Subject: RE: [logs] IIS and Windows Event log parser to generate reports
    
    Ian,
    
    You are somewhat ahead of me...  I have been looking at syslog-ng with a
    mysql backend to do enterprise logging.  My specifics are:
    
    IDS - Snort running ACID & Cisco 4235 appliance
    
    FW - Symantec Enterprise Firewall (formerly Raptor)
    
    Various unix and M$ devices as well...
    
    I can copy the FW logs with supplied client(s) which is fairly close to
    syslog format.  The Cisco IDS is the only one I have not conceptually
    figured out yet.
    
    Like you I am also looking for an IIS and Event Log parser or syslog hook...
    
    Kevin Maute (RCF System/Security Admin)
    
    mailto:kevin.maute@private
    
    (937) 255-6565 x4250
    
    -----Original Message-----
    From: loganalysis-bounces+kevin.maute=afit.edu@private
    [mailto:loganalysis-bounces+kevin.maute=afit.edu@private] On Behalf
    Of Rudy, Ian # PHX
    Sent: Thursday, February 26, 2004 6:01 PM
    To: 'loganalysis@private'
    Subject: [logs] IIS and Windows Event log parser to generate reports
    
    All, 
    
    I currently have a central syslog server (running Linux) that records events
    from IDS, firewalls, routers, etc., and now Windows IIS logs and Windows
    Event log messages.  I've been able to handle the current logs pretty well
    but need some suggestions for dealing with the additional Windows event
    information.  Does anybody know of any good scripts or parsing tools to
    analyze the Windows IIS and Event Log information and generate reports
    (preferably html)?  
    
    Thanks in advance, 
    
    Ian 
    This E-mail message is for the sole use of the intended recipient(s) and may
    contain confidential and privileged information.  Any unauthorized review,
    use, disclosure or distribution is prohibited.  If you are not the intended
    recipient, please contact the sender by reply E-mail, and destroy all copies
    of the original message.
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
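As an added illustration of the "log parsing engine with html output" Ian is asking for (this is example code, not from the thread or any tool named in it), the script below reads IIS logs in the W3C extended format, takes the column layout from the `#Fields:` header rather than hard-coding it, tallies responses by status code and the clients generating the most 4xx/5xx, and renders the result as HTML. Every logged value is HTML-escaped before it reaches the report, since URIs, user agents and other request fields are chosen by the client and would otherwise be injected straight into the page an analyst opens; the sample log is constructed and the IPs are documentation addresses.

```python
"""Parse IIS W3C extended log lines and render a small HTML trend report.
Added example for the loganalysis thread; not code from any tool it names."""
import html
from collections import Counter

# Constructed sample in IIS W3C extended format. Column names come from the
# #Fields header, so the parser follows whatever layout the server was set to log.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-02-27 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2004-02-27 09:01:02 10.0.0.5 GET /index.htm - 192.0.2.10 200
2004-02-27 09:01:05 10.0.0.5 GET /missing.htm - 198.51.100.7 404
2004-02-27 09:01:06 10.0.0.5 GET /old/page.htm - 198.51.100.7 404
2004-02-27 09:02:10 10.0.0.5 POST /login.asp - 192.0.2.10 302
2004-02-27 09:03:15 10.0.0.5 GET /admin/ - 198.51.100.7 403
2004-02-27 09:04:00 10.0.0.5 GET /report.asp id=1 192.0.2.10 500
"""

def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()   # header may repeat per file
            continue
        if fields is None:
            continue            # data before any #Fields header cannot be mapped
        values = line.split(" ")
        if len(values) != len(fields):
            continue            # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))

def summarize(text):
    """Return (Counter of sc-status, Counter of c-ip for 4xx/5xx responses)."""
    status, error_clients = Counter(), Counter()
    for rec in parse_iis_w3c(text):
        code = rec.get("sc-status", "-")
        status[code] += 1
        if code[:1] in ("4", "5"):
            error_clients[rec.get("c-ip", "-")] += 1
    return status, error_clients

def render_html(text, top=10):
    """Build the report; html.escape() keeps client-supplied fields from injecting markup."""
    status, errors = summarize(text)
    rows = "".join(f"<tr><td>{html.escape(k)}</td><td>{v}</td></tr>"
                   for k, v in sorted(status.items()))
    err_rows = "".join(f"<tr><td>{html.escape(ip)}</td><td>{n}</td></tr>"
                       for ip, n in errors.most_common(top))
    return (f"<h2>Responses by status</h2><table>{rows}</table>"
            f"<h2>Clients with most 4xx/5xx</h2><table>{err_rows}</table>")

if __name__ == "__main__":
    print(render_html(SAMPLE_LOG))
```

Feeding it the daily ex*.log files from the IIS LogFiles directory (or the same lines after they arrive via syslog) and writing the output to a web directory gives the kind of trend page fwanalog produces for firewall logs.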
    



    This archive was generated by hypermail 2b30 : Fri Feb 27 2004 - 09:20:24 PST