Harlan and Jim,

What's your experience in the performance of using Win32::EventLog or Win32::OLE (for WMI)? E.g. how many machines, how much auditing turned on?

Thanks much

Jian

Harlan Carvey (keydet89@private) [040902 08:24]:
> Jim,
>
> > (I found this thread and thought I'd jump in. I hope I'm not too late.)
> >
> > I have spent a lot of time using Win32::OLE (method #4) to pull events from logs via WMI both locally and remotely.
>
> For what it's worth, I've done a lot of the same thing. I started w/ Win32::EventLog, went to ::Lanman, and now use Win32::OLE to implement WMI.
>
> > I'm also tossing around the idea of putting this project up on SourceForge.
>
> Not a bad idea.
>
> > I have tried to use OO perl (self-taught programmer, what can I say?)
>
> As am I. I started years ago w/ BASIC, Pascal, and did some C/C++ in grad school, but really started programming in Java, then moved to Perl.
>
> A recent project I've been designing in support of my book is a Win32 service that at its core is a syslog client. However, unlike some clients for Windows, I'm going to use WMI to do real-time collection. Also, I'm including other functionality at service start, such as checking the audit policy for changes, etc.
>
> All that aside, though, the real issue as I see it isn't so much data collection as it is data analysis. Looking just at Event Logs, what's a good way of doing this? Then, including things such as IIS logs into the mix...what then? Even within the same environment, admins may have different requirements. I'm sure there are some basic things one can look at, such as frequency of events (a la Marcus Ranum's "artificial ignorance"); therefore, a basic reporting infrastructure can be created around the project.
>
> Just some thoughts...drop me a line if you want to discuss this...
>
> Harlan
> http://www.windows-ir.com
> "Windows Forensics and Incident Recovery"

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
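The two techniques the thread talks about, pulling event-log records over WMI with Win32::OLE (locally or from a remote host) and then doing a simple frequency count in the spirit of "artificial ignorance", put together as an added example. This is not code from Harlan's or Jim's project; it assumes a Windows host with Win32::OLE installed, that the caller may read the named logs on the target host (`.` means the local machine), and it uses a made-up `FOLLOW` environment variable as the switch for the optional real-time subscription.

```perl
#!/usr/bin/perl
# Added example (not from the thread): batch-collect Windows event-log records
# through WMI with Win32::OLE, report per-event-type frequencies so rare types
# stand out, and optionally subscribe to new records as they are written.
use strict;
use warnings;
use Win32::OLE qw(in);

# Assumed CLI: host first (default '.' = local), then log names to read.
my $host = shift @ARGV || '.';
my @logs = @ARGV ? @ARGV : ('Security', 'System', 'Application');

# The (Security) privilege in the moniker is needed to read the Security log.
my $wmi = Win32::OLE->GetObject(
    "winmgmts:{impersonationLevel=impersonate,(Security)}!\\\\$host\\root\\cimv2")
    or die "WMI connect to $host failed: " . Win32::OLE->LastError() . "\n";

# wbemFlagReturnImmediately (0x10) | wbemFlagForwardOnly (0x20): a forward-only
# enumerator streams records instead of buffering the whole log first, which
# matters for a large Security log.
my $FORWARD_ONLY = 0x30;

# Fetch one log's records as a list of hashes. WQL has no bind variables, so
# the log name is escaped for the single-quoted literal (WQL escapes with '\').
sub fetch_events {
    my ($logfile) = @_;
    (my $quoted = $logfile) =~ s/'/\\'/g;
    my $set = $wmi->ExecQuery(
        "SELECT Logfile, EventCode, SourceName, TimeGenerated "
      . "FROM Win32_NTLogEvent WHERE Logfile = '$quoted'", 'WQL', $FORWARD_ONLY);
    die "query on $logfile failed: " . Win32::OLE->LastError() . "\n"
        unless defined $set;
    my @rows;
    foreach my $ev (in $set) {
        push @rows, { log  => $ev->{Logfile},   id   => $ev->{EventCode},
                      src  => $ev->{SourceName}, when => $ev->{TimeGenerated} };
    }
    return @rows;
}

# Frequency table keyed by (log, source, event id).
sub count_by_type {
    my (@rows) = @_;
    my %count;
    $count{ join '|', @{$_}{qw(log src id)} }++ for @rows;
    return \%count;
}

my @all  = map { fetch_events($_) } @logs;
my $freq = count_by_type(@all);

# Least-frequent types first: the noisy, well-understood majority is what
# gets "ignored"; the tail is what an analyst should look at.
printf "%-12s %-30s %8s %6s\n", 'Log', 'Source', 'EventID', 'Count';
for my $key (sort { $freq->{$a} <=> $freq->{$b} || $a cmp $b } keys %$freq) {
    my ($log, $src, $id) = split /\|/, $key;
    printf "%-12s %-30s %8s %6d\n", $log, $src, $id, $freq->{$key};
}

# Optional real-time follow-up (the "WMI for real-time collection" idea):
# an event subscription that wakes up for each new record, polled every 5 s.
if ($ENV{FOLLOW}) {
    my $sink = $wmi->ExecNotificationQuery(
        "SELECT * FROM __InstanceCreationEvent WITHIN 5 "
      . "WHERE TargetInstance ISA 'Win32_NTLogEvent'")
        or die "subscription failed: " . Win32::OLE->LastError() . "\n";
    while (my $e = $sink->NextEvent()) {      # blocks until a record appears
        my $ti = $e->{TargetInstance};
        printf "%s %s/%s id=%s\n", $ti->{TimeGenerated}, $ti->{Logfile},
               $ti->{SourceName}, $ti->{EventCode};
    }
}
```

Run it as `perl evlog.pl . Security System` for the local machine, or with a hostname in place of `.` for a remote one. On Jian's performance question, the two things that dominate are how much of the log is transferred and whether it is buffered: selecting only the properties you need and using the forward-only enumerator keeps memory flat, and for a big Security log a `TimeGenerated >= '<CIM datetime>'` clause in the WQL restricts the pull to a recent window instead of the whole log.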
This archive was generated by hypermail 2.1.3 : Thu Sep 02 2004 - 10:37:21 PDT