Jim,

> (I found this thread and thought I'd jump in. I hope I'm not too late.)
>
> I have spent a lot of time using Win32::OLE (method #4) to pull events
> from logs via WMI both locally and remotely.

For what it's worth, I've done a lot of the same thing. I started w/ Win32::EventLog, went to ::Lanman, and now use Win32::OLE to implement WMI.

> I'm also tossing around the idea of putting this project up on SourceForge.

Not a bad idea.

> I have tried to use OO perl (self-taught programmer, what can I say?)

As am I. I started years ago w/ BASIC, Pascal, and did some C/C++ in grad school, but really started programming in Java, then moved to Perl.

A recent project I've been designing in support of my book is a Win32 service that at its core is a syslog client. However, unlike some clients for Windows, I'm going to use WMI to do real-time collection. Also, I'm including other functionality at service start, such as checking the audit policy for changes, etc.

All that aside, though, the real issue as I see it isn't so much data collection as it is data analysis. Looking just at Event Logs, what's a good way of doing this? Then, including things such as IIS logs into the mix...what then? Even within the same environment, admins may have different requirements. I'm sure there are some basic things one can look at, such as frequency of events (a la Marcus Ranum's "artificial ignorance"); therefore, a basic reporting infrastructure can be created around the project.

Just some thoughts...drop me a line if you want to discuss this...

Harlan
http://www.windows-ir.com
"Windows Forensics and Incident Recovery"

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
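As an added illustration of the two things discussed above (pulling Event Log records over WMI with Win32::OLE, and a frequency-of-events report in the spirit of Ranum's "artificial ignorance"), here is a short Perl script. It is example code written for this archive page, not Jim's or Harlan's project. The WMI namespace string and the Win32_NTLogEvent class are real; the `mk` helper, the `--wmi` flag, the event records in `@sample` and the ignore pattern are constructed for the example and stand in for whatever a real box would produce.

```perl
#!/usr/bin/perl
# Added example (not from the thread): tally Windows Event Log records by
# (log, source, event ID) and apply a Marcus Ranum style "artificial
# ignorance" filter so that only unexplained record types are reported.
use strict;
use warnings;

# Build $n constructed records of one event type (hypothetical data; the
# minute field varies). TimeGenerated uses the WMI CIM_DATETIME layout.
sub mk {
    my ($id, $n, $hour) = @_;
    return map { +{ log => 'Security', source => 'Security', id => $id,
                    time => sprintf('200409020%d%02d00.000000-420', $hour, $_) } }
               0 .. $n - 1;
}

# Constructed sample: routine logons/logoffs, a burst of failed logons (529),
# one audit policy change (612) and one audit log cleared (517).
my @sample = (mk(528, 12, 8), mk(538, 12, 8), mk(529, 40, 9), mk(612, 1, 9), mk(517, 1, 9));

# Pull records over WMI with Win32::OLE (Windows only). Returns undef when
# the module is missing or the connection fails, so the caller can fall back.
sub collect_wmi {
    my ($host, $logfile) = @_;
    eval { require Win32::OLE; 1 } or return;
    # (Security) requests the privilege needed to read the Security log.
    my $wmi = Win32::OLE->GetObject(
        "winmgmts:{impersonationLevel=impersonate,(Security)}!\\\\$host\\root\\cimv2")
        or return;
    my $set = $wmi->ExecQuery(
        "SELECT Logfile,SourceName,EventCode,TimeGenerated FROM Win32_NTLogEvent "
        . "WHERE Logfile='$logfile'");
    my @records;
    for my $e (Win32::OLE::in($set)) {
        push @records, { log => $e->{Logfile}, source => $e->{SourceName},
                         id => $e->{EventCode}, time => $e->{TimeGenerated} };
    }
    return \@records;
}

# Count records per (log, source, event ID) tuple.
sub tally {
    my ($records) = @_;
    my %count;
    $count{ join '|', $_->{log}, $_->{source}, $_->{id} }++ for @$records;
    return \%count;
}

# Artificial ignorance: drop every tuple matching a pattern in the ignore
# list (things already understood) and return the rest, rarest first,
# since the one-off records are the ones worth a look.
sub interesting {
    my ($count, $ignore) = @_;
    my @keep = grep { my $key = $_; !grep { $key =~ $_ } @$ignore } keys %$count;
    return [ sort { $count->{$a} <=> $count->{$b} || $a cmp $b } @keep ];
}

# Main: query WMI when asked (perl script.pl --wmi [host]), otherwise use
# the constructed sample so the script runs anywhere.
my ($mode, $host) = @ARGV;
my $records = ($mode && $mode eq '--wmi') ? collect_wmi($host || '.', 'Security') : undef;
$records ||= \@sample;   # fall back when not on Windows or WMI is unavailable

my $count = tally($records);
# Hypothetical ignore list for this box: routine logons (528) and logoffs (538).
my @ignore = (qr/^Security\|Security\|(?:528|538)$/);
printf "%6d  %s\n", $count->{$_}, $_ for @{ interesting($count, \@ignore) };
```

On the constructed sample the report lists the audit-log-cleared (517) and audit-policy-changed (612) tuples first, each seen once, followed by the 40 failed logons; the 24 routine logon/logoff records never appear. The ignore list is the "artificial ignorance" knob: each time a high-count tuple is explained, its pattern is added there, and what survives next run is what still needs an explanation. Note that a WMI query of the whole Security log on a busy host can be large; for real-time work, the thread's approach of collecting continuously at the service is the better fit.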
This archive was generated by hypermail 2.1.3 : Thu Sep 02 2004 - 10:24:42 PDT