Hi John,

Note the following:

1. 538 might not be generated in some cases. 538 is generated when a token is destroyed when its refcount reaches 0. If an app uses a token, increasing its refcount, and then loses track of it (a "token leak", similar to a memory leak or handle leak), then the refcount will never reach 0.

2. 528/538 don't take the "lock workstation" scenario into account. There is no lock workstation event. Unlock workstation causes a new pair of 528/538, logon type 7 (unlock workstation), but doesn't reference the logon id of the original logon session.

3. Logon ids can be re-used after reboot, and are only guaranteed unique between reboots on the same machine.

4. There is no logon event for LocalSystem, logon session (0x0,0x3E7). You have to infer it.

Thanks,
Eric

________________________________
From: loganalysis-bounces+ericf=windows.microsoft.com@private [mailto:loganalysis-bounces+ericf=windows.microsoft.com@private] On Behalf Of Rovert John F DLVA
Sent: Friday, February 27, 2004 10:00 AM
To: 'loganalysis@private'
Subject: RE: [logs] IIS and Windows Event log parser to generate reports

I have developed something that generates a Report of the Windows Event ID error, failure and warning messages. I am currently developing a Unix script (I work on Solaris) that will generate a Report(s) for the Windows Event ID messages 528 and 540 (Logins) and 538 (Logoffs). We use EventReporter to send the Windows Event Log information from our Windows boxes to the syslog file on one of our security boxes. At present the only thing these 2 scripts do is take the Windows Event Log Messages for a specified day and generate a Report for each message broken down by Windows box.

It also outputs a summary of how many of each Event ID was seen for all messages (INF, AUS, ERR, WRN and AUF). I work for the Federal Government but I am sure I would be able to release these scripts to people that would like to use them, but it would take a few weeks to go through the management chain to get it approved.

John F. Rovert

-----Original Message-----
From: Rudy, Ian # PHX [mailto:ian.rudy@private]
Sent: Friday, February 27, 2004 10:29 AM
To: 'Maute Kevin Contr AFIT/SCBS'; loganalysis@private
Subject: RE: [logs] IIS and Windows Event log parser to generate reports

Kevin,

I'm slightly one step ahead.. I've figured out how to get the IIS logs and Event logs to the syslog facility (SNARE http://www.intersectalliance.com/projects/SnareWindows/index.html).. now I want to be able to crunch those events into higher level html reports for trending and correlation. I too am using syslog-ng with a mysql backend but I also process the raw log files for PIX events and ACL events into high level html reports. I'm looking to identify a solution similar to fwanalog (http://tud.at/programm/fwanalog/) for the IIS and Windows Event logs. I'd love to try the SNARE server portion but alas I'm not located in the Asia Pacific region where they are currently offering it. I've checked out a couple of other cheap commercial ones (around $100-200 US) but most of the Windows based analysis ones run on Windows and I was hoping to find something that could run on my Linux based central log server. I don't mind even doing the grunt work of having to figure out what trends and events I want to analyze; I'm just looking for a good log parsing engine with html output capabilities.

Thanks,
Ian

-----Original Message-----
From: Maute Kevin Contr AFIT/SCBS [mailto:Kevin.Maute@private]
Sent: Friday, February 27, 2004 9:07 AM
To: Rudy, Ian # PHX; loganalysis@private
Subject: RE: [logs] IIS and Windows Event log parser to generate reports

Ian,

You are somewhat ahead of me... I have been looking at syslog-ng with a mysql backend to do enterprise logging. My specifics are:

IDS - Snort running ACID & Cisco 4235 appliance
FW - Symantec Enterprise Firewall (formerly Raptor)
Various unix and M$ devices as well...

I can copy the FW logs with supplied client(s) which is fairly close to syslog format. The Cisco IDS is the only one I have not conceptually figured out yet. Like you I am also looking for an IIS and Event Log parser or syslog hook...

Kevin Maute (RCF System/Security Admin)
mailto:kevin.maute@private
(937) 255-6565 x4250

-----Original Message-----
From: loganalysis-bounces+kevin.maute=afit.edu@private [mailto:loganalysis-bounces+kevin.maute=afit.edu@private] On Behalf Of Rudy, Ian # PHX
Sent: Thursday, February 26, 2004 6:01 PM
To: 'loganalysis@private'
Subject: [logs] IIS and Windows Event log parser to generate reports

All,

I currently have a central syslog server (running Linux) that records events from IDS, firewalls, routers, etc., and now Windows IIS logs and Windows Event log messages. I've been able to handle the current logs pretty well but need some suggestions for dealing with the additional Windows event information. Does anybody know of any good scripts or parsing tools to analyze the Windows IIS and Event Log information and generate reports (preferably html)?

Thanks in advance,
Ian

This E-mail message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply E-mail, and destroy all copies of the original message.

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
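The following is an added example, not code from any of the posters or from EventReporter/SNARE, showing how a logon/logoff report of the kind John describes (pairing 528/540 with 538 by logon id, broken down by host) can be built while honouring the four caveats in Eric's reply. The input line format is a constructed, simplified stand-in for a syslog relay of the Security log (the real EventReporter/SNARE formats differ); the sample lines, host names, users and logon ids are all made up. Event 6005 (Event Log service started) is used as the reboot marker, which is an assumption of this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (hypothetical format: "<ts> <host> <event id> <user> <logon type> <logon id>").
# They deliberately exercise each caveat from the thread: an unlock pair (type 7), a reboot
# after which a logon id is reused, and a session whose 538 never arrives.
SAMPLE_LOG = """\
2004-02-27 08:00:00 WS1 528 alice 2 (0x0,0x1A2B3)
2004-02-27 08:00:05 WS1 540 svc_backup 3 (0x0,0x1A400)
2004-02-27 08:30:00 WS1 538 svc_backup 3 (0x0,0x1A400)
2004-02-27 09:10:00 WS1 528 alice 7 (0x0,0x1B000)
2004-02-27 09:10:01 WS1 538 alice 7 (0x0,0x1B000)
2004-02-27 12:00:00 WS1 6005 - - -
2004-02-27 12:05:00 WS1 528 bob 2 (0x0,0x1A2B3)
2004-02-27 17:00:00 WS1 538 bob 2 (0x0,0x1A2B3)
2004-02-27 09:00:00 WS2 528 carol 2 (0x0,0x2F000)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<eid>\d+) (?P<user>\S+) (?P<ltype>\S+) (?P<lid>\S+)$"
)

LOCAL_SYSTEM_LOGON_ID = "(0x0,0x3E7)"   # caveat 4: LocalSystem never gets a 528
LOGON_EVENTS = {"528", "540"}
LOGOFF_EVENT = "538"
EVENTLOG_STARTED = "6005"               # assumed reboot marker (Event Log service started)
UNLOCK_WORKSTATION = "7"                # logon type 7 = unlock workstation


@dataclass
class Session:
    host: str
    logon_id: str
    user: str
    logon_type: str
    start: str
    end: Optional[str] = None
    status: str = "open"


def pair_logons(lines):
    """Pair 528/540 with 538 by (host, logon id); return (sessions, unlock counts per host)."""
    open_sessions = {}            # (host, logon_id) -> Session
    finished = []
    unlocks = defaultdict(int)    # host -> number of type-7 unlock pairs seen
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, host, eid, user, ltype, lid = m.group("ts", "host", "eid", "user", "ltype", "lid")
        key = (host, lid)
        if eid == EVENTLOG_STARTED:
            # Caveat 3: logon ids are only unique between reboots, so nothing still open on
            # this host can be matched by id afterwards; close it as lost at reboot.
            for k in [k for k in open_sessions if k[0] == host]:
                s = open_sessions.pop(k)
                s.end, s.status = ts, "ended-by-reboot"
                finished.append(s)
        elif eid in LOGON_EVENTS:
            if lid == LOCAL_SYSTEM_LOGON_ID:
                continue
            if ltype == UNLOCK_WORKSTATION:
                # Caveat 2: an unlock is a fresh 528/538 pair with its own logon id and does
                # not reference the user's original session, so track it separately.
                unlocks[host] += 1
                open_sessions[key] = Session(host, lid, user, ltype, ts, status="unlock")
            else:
                open_sessions[key] = Session(host, lid, user, ltype, ts)
        elif eid == LOGOFF_EVENT:
            s = open_sessions.pop(key, None)
            if s is None:
                finished.append(Session(host, lid, user, ltype, "?", ts, "logoff-without-logon"))
            else:
                s.end = ts
                if s.status == "open":
                    s.status = "closed"
                finished.append(s)
    # Caveat 1: a session with no 538 may be a token leak rather than a user still logged on,
    # so report it as such instead of treating it as an active logon.
    for s in open_sessions.values():
        s.status = "no-logoff-seen"
        finished.append(s)
    return finished, dict(unlocks)


def report_by_host(sessions):
    """Group sessions per Windows box, ordered by start time, for a per-host report."""
    by_host = defaultdict(list)
    for s in sessions:
        by_host[s.host].append(s)
    return {h: sorted(v, key=lambda s: s.start) for h, v in by_host.items()}


if __name__ == "__main__":
    sessions, unlock_counts = pair_logons(SAMPLE_LOG.splitlines())
    for host, rows in report_by_host(sessions).items():
        print(f"== {host} (unlock pairs: {unlock_counts.get(host, 0)})")
        for s in rows:
            print(f"  {s.user:<12} type {s.logon_type} {s.logon_id:<14} {s.start} -> {s.end} [{s.status}]")
```

Note that alice's original session on WS1 is closed as "ended-by-reboot" rather than matched against bob's later 538, even though both carry logon id (0x0,0x1A2B3): per-host state is reset at the reboot marker precisely because the ids are reused.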
This archive was generated by hypermail 2b30 : Fri Mar 12 2004 - 13:16:55 PST