RE: [logs] collecting remote windows logs

From: Harlan Carvey (keydet89@private)
Date: Thu Sep 02 2004 - 05:06:37 PDT


Jim,

> (I found this thread and thought I'd jump in.  I
> hope I'm not too late.)
> 
> I have spent a lot of time using Win32::OLE (method
> #4) to pull events
> from logs via WMI both locally and remotely.  

For what it's worth, I've done a lot of the same
thing.  I started w/ Win32::EventLog, went to
::Lanman, and now use Win32::OLE to implement WMI.

> I'm also tossing around the idea of putting this
> project up on SourceForge.  

Not a bad idea.

> I have tried to use OO perl (self-taught programmer,
> what can I say?) 

As am I.  I started years ago w/ BASIC, Pascal, and
did some C/C++ in grad school, but really started
programming in Java, then moved to Perl.

A recent project I've been designing in support of my
book is a Win32 service that at its core is a syslog
client.  However, unlike some clients for Windows, I'm
going to use WMI to do real-time collection.  Also,
I'm including other functionality at service start,
such as checking the audit policy for changes, etc.

All that aside, though, the real issue as I see it
isn't so much data collection as it is data analysis. 
Looking just at Event Logs, what's a good way of doing
this?  Then, including things such as IIS logs into
the mix...what then?  Even within the same
environment, admins may have different requirements. 
I'm sure there are some basic things one can look at,
such as frequency of events (a la Marcus Ranum's
"artificial ignorance"); therefore, a basic reporting
infrastructure can be created around the project.

Just some thoughts...drop me a line if you want to
discuss this...

Harlan
http://www.windows-ir.com
"Windows Forensics and Incident Recovery"
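A worked example of the frequency-based "artificial ignorance" analysis Harlan points to above, added here and not part of the original post or of his project: Python rather than Perl so it runs stand-alone, over constructed records shaped like the fields a WMI Win32_NTLogEvent query returns (class name and event codes are my assumption; the records are made up, not captured data).

```python
import re
from collections import Counter

# Constructed sample records in the shape (Logfile, EventCode, SourceName,
# Type, Message) of a WMI Win32_NTLogEvent query; not real log data.
SAMPLE_EVENTS = [
    ("Security", 528, "Security", "Audit Success",
     "Successful Logon: User Name: alice Logon Type: 2 Logon ID: (0x0,0x3E7)"),
    ("Security", 528, "Security", "Audit Success",
     "Successful Logon: User Name: bob Logon Type: 2 Logon ID: (0x0,0x4A1)"),
    ("Security", 538, "Security", "Audit Success",
     "User Logoff: User Name: alice Logon Type: 2 Logon ID: (0x0,0x3E7)"),
    ("Security", 529, "Security", "Audit Failure",
     "Logon Failure: User Name: admin Logon Type: 3 Workstation Name: WS01"),
    ("Security", 529, "Security", "Audit Failure",
     "Logon Failure: User Name: root Logon Type: 3 Workstation Name: WS02"),
    ("Security", 612, "Security", "Audit Success",
     "Audit Policy Change: Success Logon/Logoff: - Failure Logon/Logoff: -"),
    ("System", 7036, "Service Control Manager", "Information",
     "The Print Spooler service entered the running state."),
    ("System", 7036, "Service Control Manager", "Information",
     "The Print Spooler service entered the stopped state."),
]

# Patterns the admin has already reviewed and wants silenced (the "ignorance").
IGNORE_PATTERNS = [
    r"^Security/528/Audit Success/",   # routine interactive logons
    r"^Security/538/Audit Success/",   # routine logoffs
]

# Collapse the variable fields so repeated events fall onto one pattern:
# usernames, workstation names, hex logon IDs and bare numbers become tokens.
def normalize(message):
    message = re.sub(r"User Name: \S+", "User Name: <user>", message)
    message = re.sub(r"Workstation Name: \S+", "Workstation Name: <host>", message)
    message = re.sub(r"\(0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+\)", "<logon-id>", message)
    return re.sub(r"\b\d+\b", "<n>", message)

# Count each normalized pattern, drop the ignored ones, and report the rest
# rarest first: the pattern seen once is the one worth a human's attention.
def artificial_ignorance(events, ignore_patterns=IGNORE_PATTERNS):
    counts = Counter()
    for logfile, code, source, etype, msg in events:
        counts[f"{logfile}/{code}/{etype}/{source}: {normalize(msg)}"] += 1
    ignore = [re.compile(p) for p in ignore_patterns]
    survivors = {k: v for k, v in counts.items()
                 if not any(rx.search(k) for rx in ignore)}
    return sorted(survivors.items(), key=lambda kv: (kv[1], kv[0]))

if __name__ == "__main__":
    for pattern, n in artificial_ignorance(SAMPLE_EVENTS):
        print(f"{n:4d}  {pattern}")
```

The ignore list grows as each reported pattern is reviewed and judged normal, which is the whole reporting loop; per-environment differences are just different ignore lists over the same collector.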
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Thu Sep 02 2004 - 10:24:42 PDT