RE: [logs] IIS and Windows Event log parser to generate reports

• Previous message: Rudy, Ian # PHX: "RE: [logs] IIS and Windows Event log parser to generate reports"
• Maybe in reply to: Rudy, Ian # PHX: "[logs] IIS and Windows Event log parser to generate reports"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I have developed something that generates a 
Report of the Windows Event ID error, failure 
and warning messages.
 
I am currently developing a Unix script, I 
work on Solaris that will generate a Report(s) 
for the Windows Event ID messages 528 and 540 
(Logins) and 538 (Logoffs)
 
We use EventReporter to send the Windows Event
Log information from our Windows boxes to the 
syslog file on one of our security boxes.
 
At present the only thing these 2 scripts do is 
take the Windows Event Log Messages for a 
specified day and generate a Report for each
message broken down by Windows box.  It also 
outputs a summary of how many of each Event ID 
was seen for all messages (INF, AUS, ERR, WRN 
and AUF)
 
I work for the Federal Government but I am sure 
I would be able to release these script to people 
that would like to use them, but it would take a 
few weeks to go through the management chain to 
get it approved
 
John F. Rovert
 

-----Original Message-----
From: Rudy, Ian # PHX [mailto:ian.rudy@private]
Sent: Friday, February 27, 2004 10:29 AM
To: 'Maute Kevin Contr AFIT/SCBS'; loganalysis@private
Subject: RE: [logs] IIS and Windows Event log parser to generate reports


Kevin,
 
I'm slighty one step ahead.. I've figured out how to get the IIS logs and
Event logs to the syslog facility (SNARE
http://www.intersectalliance.com/projects/SnareWindows/index.html
<http://www.intersectalliance.com/projects/SnareWindows/index.html> ).. now
I want to be able to crunch those events into higher level html reports for
trending and correlation.  I too am using syslog-ng with a mysql backend but
I also process the raw log files for PIX events and ACL events into high
level html reports.  I'm looking to identify a solution similiar to fwanalog
( http://tud.at/programm/fwanalog/) <http://tud.at/programm/fwanalog/)>  for
the IIS and Windows Event logs.  I'd love to try the SNARE server portion
but alas I'm not located in the Asia Pacific region where they are currently
offering it.  I've checked out a couple of other cheap commercial (around
$100-200 US) but most of the Windows based analysis ones run on Windows and
I was hoping to find something that could run on my Linux based central log
server.  I don't mind even doing the grunt work of having to figure out what
trends and events I want to analyze just looking for a good log parsing
engine with html output capabilities.
 
Thanks,
Ian
 
-----Original Message-----
From: Maute Kevin Contr AFIT/SCBS [mailto:Kevin.Maute@private] 
Sent: Friday, February 27, 2004 9:07 AM
To: Rudy, Ian # PHX; loganalysis@private
Subject: RE: [logs] IIS and Windows Event log parser to generate reports



Ian,

 

You are somewhat ahead of me...  I have been looking at syslog-ng with a
mysql backend to do enterprise logging.  My specifics are:

 

IDS - Snort running ACID & Cisco 4235 appliance

FW - Symantic Enterprise Firewall (formerly Raptor)


Various unix and M$ devices as well...

 

I can copy the FW logs with supplied client(s) which is fairly close to
syslog format.  The Cisco IDS is the only one I have not conceptually
figured out yet.

 

Like you I am also looking for a IIS and Event Log parser or syslog hook...

 

 

 

Kevin Maute (RCF System/Security Admin)

mailto:kevin.maute@private

(937) 255-6565 x4250

 

-----Original Message-----
From: loganalysis-bounces+kevin.maute=afit.edu@private
[mailto:loganalysis-bounces+kevin.maute=afit.edu@private] On Behalf
Of Rudy, Ian # PHX
Sent: Thursday, February 26, 2004 6:01 PM
To: 'loganalysis@private'
Subject: [logs] IIS and Windows Event log parser to generate reports

 

All, 

I currently have a central syslog server (running Linux) that records events
from IDS, firewalls, routers, etc., and now Windows IIS logs and Windows
Event log messages.  I've been able to handle the current logs pretty well
but need some suggestions for dealing with the additional Windows event
information.  Does anybody know of any good scripts or parsing tools to
analyze the Windows IIS and Event Log information and generate reports
(preferably html)?  

Thanks in advance, 

Ian 
This E-mail message is for the sole use of the intended recipient(s) and may
contain confidential and privileged information.  Any unauthorized review,
use, disclosure or distribution is prohibited.  If you are not the intended
recipient, please contact the sender by reply E-mail, and destroy all copies
of the original message.

This E-mail message is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. Any unauthorized review,
use, disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply E-mail, and destroy all copies
of the original message.




_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: Tim Sailer: "Re: [logs] IIS and Windows Event log parser to generate reports"
• Previous message: Rudy, Ian # PHX: "RE: [logs] IIS and Windows Event log parser to generate reports"
• Maybe in reply to: Rudy, Ian # PHX: "[logs] IIS and Windows Event log parser to generate reports"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Feb 27 2004 - 10:04:39 PST