[logs] Re: Reviewing Vista/2k3 log files from the same platform

From: Rainer Gerhards (rgerhards@private)
Date: Mon Jan 08 2007 - 23:32:30 PST


Tim,

I guess logparser is using the new APIs. If we use them, everything
seems to work OK. But if you use the older APIs (which are claimed to be
still functional), there are problems. Sorry for omitting this. The old
APIs are quite important because there are few implementations that
support the new ones.

Rainer

> -----Original Message-----
> From: Tim Rohrbaugh [mailto:trohrbaugh@private]
> Sent: Monday, January 08, 2007 7:43 PM
> To: Rainer Gerhards; 'Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]';
> 'LogAnalysis'
> Subject: RE: [logs] Re: Reviewing Vista/2k3 log files from the same
> platform
> 
> I am sure there are problems as listed below but Logparser 2.2 was
> tested from x64 Vista connecting to an x86 2K3/XP without any problems.
> I also tested it from XP x64 to a Vista x64 with similar success.
> 
> 
> -----Original Message-----
> From: loganalysis-bounces+trohrbaugh=aidefense.com@private
> [mailto:loganalysis-bounces+trohrbaugh=aidefense.com@private]
> On Behalf Of Rainer Gerhards
> Sent: Monday, January 08, 2007 8:53 AM
> To: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]; LogAnalysis
> Subject: [logs] Re: Reviewing Vista/2k3 log files from the same
> platform
> 
> This seems to be related to the resource DLLs. x64 seems to be unable
> to load the x32 dlls and vice versa. Under XP 64bit, a 64bit app could
> load the 32 bit resource files. We currently have logged an
> application developer support request with Microsoft. Even the native
> API has some considerable problems on Vista. Our support request has
> been escalated and no definitive answer is yet provided. We have been
> clued that there may be a bug in Vista.
> 
> I hope this information is useful. But in short, this time it seems to
> be problematic.
> 
> If I get some definitive response, I can post that.
> 
> Rainer Gerhards
> 
> > -----Original Message-----
> > From: loganalysis-bounces+rgerhards=hq.adiscon.com@private
> > [mailto:loganalysis-bounces+rgerhards=hq.adiscon.com@private]
> > On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> > Sent: Sunday, January 07, 2007 8:39 AM
> > To: 'LogAnalysis'
> > Subject: [logs] Reviewing Vista/2k3 log files from the same platform
> >
> > So I was looking at a 2k3 log file.. and I did it on my test Vista
> > laptop... and I know and understand that Vista has new event IDs...
> > so I'm cool with that.. what I didn't realize is that apparently I
> > can't use the Vista MS Event viewer to open up 2k3/XP log files and
> > review what's going on... that even such events as 529 have lost
> > information.
> >
> > 1.  Is my conclusion correct?
> > 2.  What are the gurus of log viewing doing to be able to read logs
> > from xp,2k3,Vista and ultimately Longhorn without firing up each
> > platform?
> >
> > When I'm doing a quick log file review... I just use what's native
> > to the box.  Sorry for the stupid question... but what's a better way
> > to do this?
> >
> > Log Name:
> > C:\Users\Susan.VISTATEST\AppData\Local\Temp\Temp1_LastNite_FWS_000.zip\1-6-07 sec.evt
> > Source:        Security
> > Date:          1/5/2007 9:18:42 PM
> > Event ID:      529
> > Task Category: Logon/Logoff
> > Level:         Information
> > Keywords:      Classic,Audit Failure
> > User:          SYSTEM
> > Computer:      ROYAL
> > Description:
> > The description for Event ID 529 from source Security cannot be found.
> > Either the component that raises this event is not installed on your
> > local computer or the installation is corrupted. You can install or
> > repair the component on the local computer.
> >
> > If the event originated on another computer, the display information
> > had
> > to be saved with the event.
> >
> > The following information was included with the event:
> >
> > abc123
> > 3
> > Advapi  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > ROYAL
> > ROYAL$
> > PREFERRED
> > (0x0,0x3E7)
> > 1012
> > -
> > -
> > -
> >
> > The substitution string for insert index (%1) could not be found
> >
> > Event Xml:
> > <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> >  <System>
> >    <Provider Name="Security" />
> >    <EventID Qualifiers="0">529</EventID>
> >    <Level>0</Level>
> >    <Task>2</Task>
> >    <Keywords>0x90000000000000</Keywords>
> >    <TimeCreated SystemTime="2007-01-06T05:18:42.000Z" />
> >    <EventRecordID>5968</EventRecordID>
> >    <Channel>C:\Users\Susan.VISTATEST\AppData\Local\Temp\Temp1_LastNite_FWS_000.zip\1-6-07 sec.evt</Channel>
> >    <Computer>ROYAL</Computer>
> >    <Security UserID="S-1-5-18" />
> >  </System>
> >  <EventData>
> >    <Data>abc123</Data>
> >    <Data>
> >    </Data>
> >    <Data>3</Data>
> >    <Data>Advapi  </Data>
> >    <Data>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
> >    <Data>ROYAL</Data>
> >    <Data>ROYAL$</Data>
> >    <Data>PREFERRED</Data>
> >    <Data>(0x0,0x3E7)</Data>
> >    <Data>1012</Data>
> >    <Data>-</Data>
> >    <Data>-</Data>
> >    <Data>-</Data>
> >  </EventData>
> > </Event>
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysis@private
> > http://lists.shmoo.com/mailman/listinfo/loganalysis

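An added example, not code from the thread or from any of its participants: the Event Xml Susan pasted still carries all thirteen inserts of event 529 even though Vista's viewer could not load the classic resource DLL, so a reviewer can render the message from a locally kept template instead of firing up each platform. The 529 template text is quoted from memory as an assumption; the sample event is the one from the post.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Classic (pre-Vista) description template for Security event 529 as it
# shipped with Windows Server 2003 SP1. Quoted from memory, so the exact
# wording is an assumption; the %1..%13 insert order is what matters.
TEMPLATES = {529: (
    "Logon Failure:\n\tReason:\t\tUnknown user name or bad password\n"
    "\tUser Name:\t%1\n\tDomain:\t\t%2\n\tLogon Type:\t%3\n\tLogon Process:\t%4\n"
    "\tAuthentication Package:\t%5\n\tWorkstation Name:\t%6\n\tCaller User Name:\t%7\n"
    "\tCaller Domain:\t%8\n\tCaller Logon ID:\t%9\n\tCaller Process ID:\t%10\n"
    "\tTransited Services:\t%11\n\tSource Network Address:\t%12\n\tSource Port:\t%13\n")}

def parse_event(xml_text):
    """Pull the fields a reviewer needs out of an Event Viewer 'Event Xml' dump."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    # Classic events carry unnamed <Data> inserts in template order; an empty
    # element (the blank Domain here) must stay a positional "".
    inserts = [(d.text or "").strip() for d in root.find("e:EventData", NS)]
    return {"event_id": int(system.find("e:EventID", NS).text),
            "computer": system.find("e:Computer", NS).text,
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "inserts": inserts}

def render(event):
    """Expand %N placeholders from our own template instead of the missing DLL."""
    template = TEMPLATES.get(event["event_id"])
    if template is None:
        return None
    inserts = event["inserts"]
    def sub(m):
        i = int(m.group(1))  # greedy \d+ keeps %10 from being read as %1 + "0"
        return inserts[i - 1] if i <= len(inserts) else m.group(0)
    return re.sub(r"%(\d+)", sub, template)

# Constructed sample: the Event Xml from the post, whitespace collapsed and the
# long Channel path shortened to its file name.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Security" /><EventID Qualifiers="0">529</EventID>
<Level>0</Level><Task>2</Task><Keywords>0x90000000000000</Keywords>
<TimeCreated SystemTime="2007-01-06T05:18:42.000Z" /><EventRecordID>5968</EventRecordID>
<Channel>sec.evt</Channel><Computer>ROYAL</Computer><Security UserID="S-1-5-18" />
</System><EventData><Data>abc123</Data><Data>
</Data><Data>3</Data><Data>Advapi  </Data><Data>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
<Data>ROYAL</Data><Data>ROYAL$</Data><Data>PREFERRED</Data><Data>(0x0,0x3E7)</Data>
<Data>1012</Data><Data>-</Data><Data>-</Data><Data>-</Data></EventData></Event>"""
```

`print(render(parse_event(SAMPLE)))` prints the logon failure for user abc123 from ROYAL as a 2K3 viewer would have shown it; events without a local template come back as None so they are not silently mis-rendered.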



This archive was generated by hypermail 2.1.3 : Tue Jan 09 2007 - 10:48:05 PST