Event Sink is intended to be an open source project to allow the free, centralized, real-time collection and analysis of Windows Event Logs into a SQL database. Through a practical project for my SANS/GIAC certification (GCWN) I seem to have generated a reasonable starting point (it works!) that could be worked on by a community of interested users.

Event Sink utilizes WMI, VBScript and SQL to provide essentially real-time event collection and event notification services for a potentially unlimited number of Windows based systems. It requires no exes, has a zero footprint and was designed to always have zero cost. It was designed to facilitate easy sharing of analysis and reporting logic. I am employed during the day by the Faculty of Education at the University of Western Ontario in London, Ontario, Canada, and we are currently using Event Sink in full production here.

It supports two modes of operation: it can either PUSH events from the local machine to a central DB, or it can PULL events from remote systems and then PUSH them to a central DB. In truth, it can actually do both at the same time. It is currently DB agnostic (so it could use MySQL/Oracle/etc. instead of MS-SQL) and simply uses an ODBC DSN connection. The datastore that is created can be utilized by various methods (email notifications); I am currently using VBScript from the command line, as a scheduled task and from web pages, and it requires very little modification to switch between modes.

I am hoping to find out what the level of interest is in this type of system and whether there are others out there working with WMI, VBScript or Event Logging in general who would be interested in collaborating. Basically, collecting the events is not hard (and I have that working, just need to make it more robust); the real work is in analysing and alerting on the collected data. I am hoping that by collaborating and agreeing on a common data structure we will be able to easily share work between groups.
I have hoisted up the ugliest project home page in history at http://www.edu.uwo.ca/eventsink/

Please respond directly so I can get an idea how many people would want a polished solution and how many people would be willing to contribute.

Barron Mertens
Senior Systems Engineer/Developer
Faculty of Education, UWO
London, ON, CANADA N6G 1G7
519-661-2111 x88662
Office #1095 FOE

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
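The post describes the mechanism (WMI event subscription for PUSH, remote WMI queries for PULL, ODBC DSN for the store) but shows no code. The script below is an added illustration of that design written for this page; it is not Event Sink's own code and was not posted by the author. It assumes an ODBC DSN named "EventSink" and a table Events(ComputerName, Logfile, RecordNumber, EventCode, SourceName, EventType, TimeGenerated, Message); both the DSN name and the table layout are assumptions, not the project's schema. The PUSH mode subscribes to __InstanceCreationEvent for Win32_NTLogEvent on the local machine and blocks on NextEvent; the PULL mode connects to a remote host, keeps a per-(host, log) high-water mark on RecordNumber in the database, and fetches only newer records. Event text (SourceName, Message) is partly under an attacker's control, so it is bound through ADO parameters rather than concatenated into SQL.

```vbscript
' eventsink_example.vbs - added illustration for this page, not Event Sink's code.
' Assumed (not in the post): ODBC DSN "EventSink" and a table
'   Events(ComputerName, Logfile, RecordNumber, EventCode, SourceName,
'          EventType, TimeGenerated, Message)
' Usage:  cscript eventsink_example.vbs push
'         cscript eventsink_example.vbs pull <hostname>
Option Explicit

Const DSN_NAME      = "EventSink"   ' assumed DSN name
Const MSG_MAX       = 4000          ' assumed width of the Message column
Const adParamInput  = 1
Const adInteger     = 3
Const adVarChar     = 200
Const adDBTimeStamp = 135
Const adCmdText     = 1

Dim conn, ins, args
Set conn = CreateObject("ADODB.Connection")
conn.Open "DSN=" & DSN_NAME

' One prepared, parameterised INSERT reused for every event. Log text is
' attacker-influenced, so it is never concatenated into the SQL string.
Set ins = CreateObject("ADODB.Command")
ins.ActiveConnection = conn
ins.CommandType = adCmdText
ins.CommandText = "INSERT INTO Events (ComputerName, Logfile, RecordNumber, EventCode, " & _
                  "SourceName, EventType, TimeGenerated, Message) VALUES (?,?,?,?,?,?,?,?)"
ins.Parameters.Append ins.CreateParameter("ComputerName",  adVarChar,     adParamInput, 64)
ins.Parameters.Append ins.CreateParameter("Logfile",       adVarChar,     adParamInput, 32)
ins.Parameters.Append ins.CreateParameter("RecordNumber",  adInteger,     adParamInput)
ins.Parameters.Append ins.CreateParameter("EventCode",     adInteger,     adParamInput)
ins.Parameters.Append ins.CreateParameter("SourceName",    adVarChar,     adParamInput, 128)
ins.Parameters.Append ins.CreateParameter("EventType",     adInteger,     adParamInput)
ins.Parameters.Append ins.CreateParameter("TimeGenerated", adDBTimeStamp, adParamInput)
ins.Parameters.Append ins.CreateParameter("Message",       adVarChar,     adParamInput, MSG_MAX)

' WMI reports times as CIM DATETIME strings; convert to a UTC VT_DATE.
Function CimToDate(cim)
    Dim dt
    Set dt = CreateObject("WbemScripting.SWbemDateTime")
    dt.Value = cim
    CimToDate = dt.GetVarDate(False)
End Function

' Write one Win32_NTLogEvent instance to the database.
Sub StoreEvent(e)
    Dim msg
    msg = e.Message
    If IsNull(msg) Then msg = ""          ' some events carry no message text
    ins.Parameters("ComputerName").Value  = e.ComputerName
    ins.Parameters("Logfile").Value       = e.Logfile
    ins.Parameters("RecordNumber").Value  = e.RecordNumber
    ins.Parameters("EventCode").Value     = e.EventCode
    ins.Parameters("SourceName").Value    = e.SourceName
    ins.Parameters("EventType").Value     = e.EventType
    ins.Parameters("TimeGenerated").Value = CimToDate(e.TimeGenerated)
    ins.Parameters("Message").Value       = Left(msg, MSG_MAX)
    ins.Execute
End Sub

' Highest RecordNumber already stored for this host and log (0 if none).
' RecordNumber is per log file, so the high-water mark is kept per (host, log).
Function LastRecord(host, logName)
    Dim q, rs
    Set q = CreateObject("ADODB.Command")
    q.ActiveConnection = conn
    q.CommandType = adCmdText
    q.CommandText = "SELECT MAX(RecordNumber) FROM Events WHERE ComputerName = ? AND Logfile = ?"
    q.Parameters.Append q.CreateParameter("h", adVarChar, adParamInput, 64, host)
    q.Parameters.Append q.CreateParameter("l", adVarChar, adParamInput, 32, logName)
    Set rs = q.Execute
    If rs.EOF Or IsNull(rs.Fields(0).Value) Then LastRecord = 0 Else LastRecord = CLng(rs.Fields(0).Value)
    rs.Close
End Function

' PUSH mode: subscribe to new log records on the local machine and block on each.
' The (Security) privilege is needed to receive Security-log events.
Sub PushLocal()
    Dim wmi, src, ev
    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
    Set src = wmi.ExecNotificationQuery( _
        "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_NTLogEvent'")
    Do
        Set ev = src.NextEvent             ' blocks until the next event arrives
        StoreEvent ev.TargetInstance
    Loop
End Sub

' PULL mode: poll a remote host for records newer than what is already stored.
Sub PullRemote(host)
    Dim wmi, c, name, logName, rows, row, since
    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & host & "\root\cimv2")
    For Each c In wmi.ExecQuery("SELECT Name FROM Win32_ComputerSystem")
        name = c.Name                      ' expected to match Win32_NTLogEvent.ComputerName
    Next
    For Each logName In Array("Application", "System", "Security")
        since = LastRecord(name, logName)  ' logName is our own constant, since is a Long
        Set rows = wmi.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile = '" & logName & _
                                 "' AND RecordNumber > " & since)
        For Each row In rows
            StoreEvent row
        Next
    Next
End Sub

Set args = WScript.Arguments
If args.Count >= 1 And LCase(args(0)) = "push" Then
    PushLocal
ElseIf args.Count = 2 And LCase(args(0)) = "pull" Then
    PullRemote args(1)
Else
    WScript.Echo "usage: cscript eventsink_example.vbs push | pull <host>"
End If
```

Run the PUSH form as a service-like scheduled task on each source host and the PULL form on a collector against hosts that cannot run scripts themselves; both can run at once against the same table, as the post describes. The collector account needs DCOM/WMI access plus the SeSecurityPrivilege on the remote host to read the Security log, and because ADO binds the values as parameters the same script works unchanged against a MySQL or Oracle DSN, which is the DB-agnostic property the post relies on.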
This archive was generated by hypermail 2b30 : Thu Jun 24 2004 - 17:25:03 PDT