[logs] Re: Reviewing Vista/2k3 log files from the same platform

From: Desai, Ashish (Ashish.Desai@private)
Date: Mon Jan 08 2007 - 06:43:48 PST


Hello,

Did you try "logparser" from MSFT to see what it does?
http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.ms
px

http://www.microsoft.com/technet/scriptcenter/tools/logparser/lpfeatures
.mspx


Ashish Desai
Internet Channel Security
Fidelity Investments 

-----Original Message-----
From: loganalysis-bounces+ashish.desai=fmr.com@private
[mailto:loganalysis-bounces+ashish.desai=fmr.com@private] On
Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, January 07, 2007 2:39 AM
To: 'LogAnalysis'
Subject: [logs] Reviewing Vista/2k3 log files from the same platform

So I was looking at a 2k3 log file.. and I did it on my test Vista 
laptop... and I know and understand that Vista has new event IDs... so 
I'm cool with that.. what I didn't realize is that apparently I can't 
use the Vista MS Event viewer to open up 2k3/XP log files and review 
what's going on... that even such events as 529 have lost information.

1.  Is my conclusion correct?
2.  What are the gurus of log viewing doing to be able to read logs from

xp,2k3,Vista and ultimately Longhorn without firing up each platform?

When I'm doing a quick log file review... I just use what's native to 
the box.  Sorry for the stupid question... but what's a better way to do

this?

Log Name:      
C:\Users\Susan.VISTATEST\AppData\Local\Temp\Temp1_LastNite_FWS_000.zip\1
-6-07 
sec.evt
Source:        Security
Date:          1/5/2007 9:18:42 PM
Event ID:      529
Task Category: Logon/Logoff
Level:         Information
Keywords:      Classic,Audit Failure
User:          SYSTEM
Computer:      ROYAL
Description:
The description for Event ID 529 from source Security cannot be found. 
Either the component that raises this event is not installed on your 
local computer or the installation is corrupted. You can install or 
repair the component on the local computer.

If the event originated on another computer, the display information had

to be saved with the event.

The following information was included with the event:

abc123
3
Advapi  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
ROYAL
ROYAL$
PREFERRED
(0x0,0x3E7)
1012
-
-
-

The substitution string for insert index (%1) could not be found

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
   <Provider Name="Security" />
   <EventID Qualifiers="0">529</EventID>
   <Level>0</Level>
   <Task>2</Task>
   <Keywords>0x90000000000000</Keywords>
   <TimeCreated SystemTime="2007-01-06T05:18:42.000Z" />
   <EventRecordID>5968</EventRecordID>
   
<Channel>C:\Users\Susan.VISTATEST\AppData\Local\Temp\Temp1_LastNite_FWS_
000.zip\1-6-07 
sec.evt</Channel>
   <Computer>ROYAL</Computer>
   <Security UserID="S-1-5-18" />
 </System>
 <EventData>
   <Data>abc123</Data>
   <Data>
   </Data>
   <Data>3</Data>
   <Data>Advapi  </Data>
   <Data>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
   <Data>ROYAL</Data>
   <Data>ROYAL$</Data>
   <Data>PREFERRED</Data>
   <Data>(0x0,0x3E7)</Data>
   <Data>1012</Data>
   <Data>-</Data>
   <Data>-</Data>
   <Data>-</Data>
 </EventData>
</Event>
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Mon Jan 08 2007 - 09:41:55 PST