RE: [logs] collecting remote windows logs

From: Jim Lancaster (jlancaster@private)
Date: Wed Sep 01 2004 - 11:24:08 PDT

(I found this thread and thought I'd jump in.  I hope I'm not too late.)

I have spent a lot of time using Win32::OLE (method #4) to pull events
from logs via WMI both locally and remotely.  Even when limiting the
query, you can nail a robust server for several seconds to several
minutes.  I've written a Windows event log agent in perl that sends the
poll results via SOAP (using SOAP::Lite) to a central server for
analysis.  It works well except for the utilization issue, so I'm
investigating abandoning the polling and subscribing to the events
realtime using WMI.

I'm also tossing around the idea of putting this project up on
SourceForge.  I have tried to use OO perl (self-taught programmer, what
can I say?) to create the Windows event log agent in such a way that the
code can be reused to create other agents for monitoring any kind of log
file, then transmitting via SOAP to an Apache server that inserts the
data in a MySQL database. From there, my intention was to use something
like Lire to do the data analysis and reporting.

I think this method could be easily expanded to include many different
log files in just about any format, and I really like the "distilled log
format" concept used by the Lire developers. As I said, I've got the
basic setup working.  I'm just running out of bandwidth.  Anyone
interested in helping out?

Jim Lancaster
Dallas, TX

-----Original Message-----
[] On
Behalf Of Jian Zhen
Sent: Friday, July 30, 2004 1:31 PM
To: loganalysis@private
Subject: Re: [logs] collecting remote windows logs

Hi all..

many thanks to everyone who's responded. I received many tips on how
this can be accomplished...basically i've gathered 4 ways...

1. Snare (or similar agents) sending to syslog...the kewl thing is
   that Intersect Alliance has provided a couple scripts that will
   allow you to install Snare onto remote machines in your domain...

2. DumpEvt...this is actually a pretty good way as you can dump 
   logs from local and remote machines and format it the way you 
   want it to...only thing is this is not real-time, so if you are
   looking for real-time, this is not the solution; however, in my
   case, I was not looking for real-time...

3. pretty good, since you can write your own
   script to do stuff, you can be flexible in what you want to keep
   or discard...not real-time...but you can easily write something
   that does what DumpEvt does with the added benefit of dumping the
   events to syslog...and still be agentless

4. Win32::OLE using'ly the most flexible solution, it can
   monitor for new log it can be a real-time solution..
   plus you have the flexibility of deciding what you want to do with
   the log once you receive it...send to syslog, discard, etc...however,
   i have read that this is pretty resource intensive...have not tested
   this approach to its limit tho...

again, thanks for the response and tips...


Jian Zhen (jlz@private) [040726 15:34]:
> Hi everyone,
> Was wondering if anyone has written anything to remotely collect
> logs.
> I wrote a couple perl scripts (ActivePerl), one using Win32::EventLog
> the other using Win32::OLE (WMI). Both of them work fine on the local 
> machine but I am having a bit of trouble getting it to work for remote

> machines.
> According to (search results from) Google, there's a Win32::OLD method
> "ConnectServer" in which one can use to connect to remote machines,
> I haven't been able to find any examples on using that with collecting
> logs.
> If you have any insight into this, I would love to chat with you.
> Thanks in advance
> Jian
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
LogAnalysis mailing list
LogAnalysis mailing list

This archive was generated by hypermail 2.1.3 : Wed Sep 01 2004 - 22:55:37 PDT