RE: [logs] IIS and Windows Event log parser to generate reports

From: Rovert John F DLVA (RovertJF@private)
Date: Fri Feb 27 2004 - 10:00:07 PST

    I have developed something that generates a 
    Report of the Windows Event ID error, failure 
    and warning messages.
     
    I am currently developing a Unix script, I 
    work on Solaris, that will generate a Report(s) 
    for the Windows Event ID messages 528 and 540 
    (Logins) and 538 (Logoffs).
     
    We use EventReporter to send the Windows Event
    Log information from our Windows boxes to the 
    syslog file on one of our security boxes.
     
    At present the only thing these 2 scripts do is 
    take the Windows Event Log Messages for a 
    specified day and generate a Report for each
    message broken down by Windows box.  It also 
    outputs a summary of how many of each Event ID 
    was seen for all messages (INF, AUS, ERR, WRN 
    and AUF).
     
    I work for the Federal Government but I am sure 
    I would be able to release these scripts to people 
    that would like to use them, but it would take a 
    few weeks to go through the management chain to 
    get it approved.
     
    John F. Rovert
     
    
    -----Original Message-----
    From: Rudy, Ian # PHX [mailto:ian.rudy@private]
    Sent: Friday, February 27, 2004 10:29 AM
    To: 'Maute Kevin Contr AFIT/SCBS'; loganalysis@private
    Subject: RE: [logs] IIS and Windows Event log parser to generate reports
    
    
    Kevin,
     
    I'm slightly one step ahead.. I've figured out how to get the IIS logs and
    Event logs to the syslog facility (SNARE
    http://www.intersectalliance.com/projects/SnareWindows/index.html ).. now
    I want to be able to crunch those events into higher level html reports for
    trending and correlation.  I too am using syslog-ng with a mysql backend but
    I also process the raw log files for PIX events and ACL events into high
    level html reports.  I'm looking to identify a solution similar to fwanalog
    (http://tud.at/programm/fwanalog/) for
    the IIS and Windows Event logs.  I'd love to try the SNARE server portion
    but alas I'm not located in the Asia Pacific region where they are currently
    offering it.  I've checked out a couple of other cheap commercial (around
    $100-200 US) but most of the Windows based analysis ones run on Windows and
    I was hoping to find something that could run on my Linux based central log
    server.  I don't mind even doing the grunt work of having to figure out what
    trends and events I want to analyze just looking for a good log parsing
    engine with html output capabilities.
     
    Thanks,
    Ian
     
    -----Original Message-----
    From: Maute Kevin Contr AFIT/SCBS [mailto:Kevin.Maute@private] 
    Sent: Friday, February 27, 2004 9:07 AM
    To: Rudy, Ian # PHX; loganalysis@private
    Subject: RE: [logs] IIS and Windows Event log parser to generate reports
    
    Ian,
    
    You are somewhat ahead of me...  I have been looking at syslog-ng with a
    mysql backend to do enterprise logging.  My specifics are:
    
    IDS - Snort running ACID & Cisco 4235 appliance
    FW - Symantec Enterprise Firewall (formerly Raptor)
    Various unix and M$ devices as well...
    
    I can copy the FW logs with supplied client(s) which is fairly close to
    syslog format.  The Cisco IDS is the only one I have not conceptually
    figured out yet.
    
    Like you I am also looking for an IIS and Event Log parser or syslog hook...
    
    Kevin Maute (RCF System/Security Admin)
    mailto:kevin.maute@private
    (937) 255-6565 x4250
    
    -----Original Message-----
    From: loganalysis-bounces+kevin.maute=afit.edu@private
    [mailto:loganalysis-bounces+kevin.maute=afit.edu@private] On Behalf
    Of Rudy, Ian # PHX
    Sent: Thursday, February 26, 2004 6:01 PM
    To: 'loganalysis@private'
    Subject: [logs] IIS and Windows Event log parser to generate reports
    
    All, 
    
    I currently have a central syslog server (running Linux) that records events
    from IDS, firewalls, routers, etc., and now Windows IIS logs and Windows
    Event log messages.  I've been able to handle the current logs pretty well
    but need some suggestions for dealing with the additional Windows event
    information.  Does anybody know of any good scripts or parsing tools to
    analyze the Windows IIS and Event Log information and generate reports
    (preferably html)?  
    
    Thanks in advance, 
    
    Ian 
    This E-mail message is for the sole use of the intended recipient(s) and may
    contain confidential and privileged information.  Any unauthorized review,
    use, disclosure or distribution is prohibited.  If you are not the intended
    recipient, please contact the sender by reply E-mail, and destroy all copies
    of the original message.
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
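The per-box, per-Event-ID reporting John describes above (528/540 logons, 538 logoffs, and a summary by INF/AUS/ERR/WRN/AUF), as an added Python example that is not the Solaris script from the thread. The syslog line layout in the constructed sample is an assumption for this example, not the real EventReporter or Snare output format.

```python
import re
from collections import Counter, defaultdict
# Constructed sample of Windows events forwarded to syslog. The layout after the
# hostname (a severity tag, then "Source(EventID)", then the message) is an
# assumption for this example, not the real EventReporter or Snare format.
SAMPLE_LOG = """\
Feb 27 09:01:12 winsrv01 EvntSLog: AUS: Security(528): Successful Logon: User Name: alice
Feb 27 09:05:40 winsrv01 EvntSLog: AUS: Security(540): Successful Network Logon: User Name: bob
Feb 27 09:07:03 winsrv02 EvntSLog: AUF: Security(529): Logon Failure: User Name: mallory
Feb 27 09:15:22 winsrv01 EvntSLog: AUS: Security(538): User Logoff: User Name: alice
Feb 27 09:20:00 winsrv02 EvntSLog: ERR: Application(1000): Faulting application notepad.exe
Feb 26 23:59:59 winsrv02 EvntSLog: AUS: Security(528): Successful Logon: User Name: carol
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d (?P<host>\S+) \S+ "
    r"(?P<sev>INF|AUS|ERR|WRN|AUF): (?P<src>\w+)\((?P<eid>\d+)\): (?P<msg>.*)$"
)
SEVERITIES = ("INF", "AUS", "ERR", "WRN", "AUF")
LOGON_IDS = {"528": "login", "540": "login", "538": "logoff"}  # IDs named in the thread

def parse(text, month, day):
    """Tally one day's events: per-host Event ID counts, severity totals, logons."""
    per_host = defaultdict(Counter)   # host -> {event id: count}
    per_sev = Counter()               # severity tag -> count
    logons = defaultdict(Counter)     # host -> {"login"/"logoff": count}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["mon"] != month or int(m["day"]) != day:
            continue                  # unparseable or wrong day: skip
        per_host[m["host"]][m["eid"]] += 1
        per_sev[m["sev"]] += 1
        if m["eid"] in LOGON_IDS:
            logons[m["host"]][LOGON_IDS[m["eid"]]] += 1
    return per_host, per_sev, logons

def report(text, month, day):
    """Render the plain-text report: one section per Windows box, then totals."""
    per_host, per_sev, logons = parse(text, month, day)
    out = [f"Windows Event report for {month} {day}"]
    for host in sorted(per_host):
        out.append(f"  {host}:")
        for eid, n in sorted(per_host[host].items(), key=lambda kv: int(kv[0])):
            out.append(f"    Event ID {eid}: {n}")
        lg = logons[host]
        out.append(f"    logins={lg['login']} logoffs={lg['logoff']}")
    out.append("  Summary: " + " ".join(f"{s}={per_sev[s]}" for s in SEVERITIES))
    return "\n".join(out)
```

Calling `report(SAMPLE_LOG, "Feb", 27)` yields the per-box sections for winsrv01 and winsrv02 and the severity summary; the Feb 26 line is excluded by the day filter.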
    



    This archive was generated by hypermail 2b30 : Fri Feb 27 2004 - 10:04:39 PST