(I found this thread and thought I'd jump in. I hope I'm not too late.)

I have spent a lot of time using Win32::OLE (method #4) to pull events from logs via WMI, both locally and remotely. Even when limiting the query, you can nail a robust server for several seconds to several minutes.

I've written a Windows event log agent in Perl that sends the poll results via SOAP (using SOAP::Lite) to a central server for analysis. It works well except for the utilization issue, so I'm investigating abandoning the polling and subscribing to the events in real time using WMI. I'm also tossing around the idea of putting this project up on SourceForge.

I have tried to use OO Perl (self-taught programmer, what can I say?) to create the Windows event log agent in such a way that the code can be reused to create other agents for monitoring any kind of log file, then transmitting via SOAP to an Apache server that inserts the data in a MySQL database. From there, my intention was to use something like Lire to do the data analysis and reporting. I think this method could be easily expanded to include many different log files in just about any format, and I really like the "distilled log format" concept used by the Lire developers.

As I said, I've got the basic setup working. I'm just running out of bandwidth. Anyone interested in helping out?

Jim Lancaster
Dallas, TX

-----Original Message-----
From: loganalysis-bounces+jlancaster=sagiss.com@private [mailto:loganalysis-bounces+jlancaster=sagiss.com@private] On Behalf Of Jian Zhen
Sent: Friday, July 30, 2004 1:31 PM
To: loganalysis@private
Subject: Re: [logs] collecting remote windows logs

Hi all.. many thanks to everyone who's responded. I received many tips on how this can be accomplished... basically I've gathered 4 ways...

1. Snare (or similar agents) sending to syslog... the kewl thing is that Intersect Alliance has provided a couple scripts that will allow you to install Snare onto remote machines in your domain...

2. DumpEvt... this is actually a pretty good way as you can dump logs from local and remote machines and format it the way you want it to... only thing is this is not real-time, so if you are looking for real-time, this is not the solution; however, in my case, I was not looking for real-time...

3. Win32::EventLog... works pretty good, since you can write your own script to do stuff, you can be flexible in what you want to keep or discard... not real-time... but you can easily write something that does what DumpEvt does with the added benefit of dumping the events to syslog... and still be agentless

4. Win32::OLE using WMI... pro'ly the most flexible solution, it can monitor for new log entries... so it can be a real-time solution.. plus you have the flexibility of deciding what you want to do with the log once you receive it... send to syslog, discard, etc... however, I have read that this is pretty resource intensive... have not tested this approach to its limit tho...

again, thanks for the response and tips...

Jian

Jian Zhen (jlz@private) [040726 15:34]:
> Hi everyone,
>
> Was wondering if anyone has written anything to remotely collect Windows
> logs.
>
> I wrote a couple Perl scripts (ActivePerl), one using Win32::EventLog and
> the other using Win32::OLE (WMI). Both of them work fine on the local
> machine but I am having a bit of trouble getting it to work for remote
> machines.
>
> According to (search results from) Google, there's a Win32::OLE method called
> "ConnectServer" in which one can use to connect to remote machines, but
> I haven't been able to find any examples on using that with collecting
> logs.
>
> If you have any insight into this, I would love to chat with you.
>
> Thanks in advance
>
> Jian
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
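Jian's question about ConnectServer and Jim's plan to subscribe to events instead of polling, as an added Perl example that is not code from either poster: it connects to a remote host's root\cimv2 namespace with SWbemLocator.ConnectServer and registers a WMI event subscription for new Security-log records, so the collector receives each record as it is written rather than re-running a Win32_NTLogEvent query. The host name and account are placeholders; the collecting account needs Remote Enable on the namespace and the host must accept DCOM through its firewall.

```perl
# Added example (not from the thread): remote WMI event-log subscription
# via Win32::OLE. Host and credentials below are placeholders.
use strict;
use warnings;
use Win32::OLE;

my $host = 'REMOTE-HOST';       # placeholder
my $user = 'DOMAIN\\loguser';   # placeholder, a read-only collector account
my $pass = 'changeme';          # placeholder

my $locator = Win32::OLE->new('WbemScripting.SWbemLocator')
    or die "SWbemLocator: " . Win32::OLE->LastError;

# ConnectServer(server, namespace, user, password) returns an SWbemServices
# object bound to the remote machine's CIMV2 namespace.
my $wmi = $locator->ConnectServer($host, 'root\\cimv2', $user, $pass)
    or die "ConnectServer($host): " . Win32::OLE->LastError;

# Intrinsic event query: WMI watches for new Win32_NTLogEvent instances and
# delivers them to us. WITHIN is the polling interval (seconds) WMI itself
# uses on the remote host; it replaces the agent's own repeated queries.
my $wql = "SELECT * FROM __InstanceCreationEvent WITHIN 5 "
        . "WHERE TargetInstance ISA 'Win32_NTLogEvent' "
        . "AND TargetInstance.Logfile = 'Security'";
my $source = $wmi->ExecNotificationQuery($wql)
    or die "ExecNotificationQuery: " . Win32::OLE->LastError;

while (1) {
    # NextEvent blocks until a record arrives (timeout in ms, -1 = forever).
    my $ev = $source->NextEvent(-1);
    last unless defined $ev;
    my $rec = $ev->{TargetInstance};
    # Message may be empty when the event source's message DLL is not
    # installed on the collecting host; the fields below are always present.
    printf "%s %s/%s id=%d src=%s user=%s\n",
        $rec->{TimeGenerated}, $rec->{Logfile}, $rec->{Type},
        $rec->{EventCode}, $rec->{SourceName}, $rec->{User} || '-';
}
```

Each record printed here is the same object a polling script would get from SELECT on Win32_NTLogEvent, so the existing SOAP forwarding code can consume it unchanged.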
This archive was generated by hypermail 2.1.3 : Wed Sep 01 2004 - 22:55:37 PDT