Re: Event log counts...
From: H Carvey <keydet89 () yahoo com>
Date: 15 Dec 2004 19:10:37 -0000
In-Reply-To: <D6A65AD7EFCE8547809F48074D2C9A610A7F4078 () raccoon>
..."How many total event log entries are we generating per
minute/hour/day/week/month across all 200 of our servers?"
I'm currently at a loss as to how to answer
this question, and so I'm turning to the list for ideas.
As I've suggested in the past...Perl. Even if you don't know Perl, or any other programming language, it seems that
you're looking for something that's a one-time deal, or may or may not be used on a regular basis...so freeware seems
to be a good approach.
One way is to use the Win32::Lanman module to get the times/dates from the first and last recorded events in the
various Event Logs, plus the total number of events.
In WMI, the Win32_NTEventLogFile class has a NumberOfRecords property (uint32 data type) that can also be used...via
VBScript, Perl, or your language of choice.
If you want to keep the amount of actual programming to a minimum, I'd suggest going to SysInternals.com and getting
psloglist.exe. Use this to dump the Event Logs from your servers (or from a representative sampling of them), then the
output (flat text files) can be easily parsed for the same information as above. To reduce the programming even
further, use psloglist.exe to dump the Event Log entries to a .csv file, open the file in Excel, get a count, and do
simple subtraction between the dates/times on the first and last entry.
Keep in mind...*what* you're logging is going to have an effect on the outcome of this exercise.
If you're interested in help with Perl coding on Windows, drop me a line.
"Windows Forensics and Incident Recovery"
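As an added example (not code from the original post, and written in Python rather than the Perl suggested above), the script below does the psloglist-to-CSV step without Excel: it parses an export, counts entries per server and log, takes the first and last timestamps, and turns the count and span into events per minute, hour and day, plus an overall figure across all servers. The CSV rows are constructed for this example, and the column names and timestamp format are assumptions; compare them with the header line of a real psloglist export and adjust the field names and TIME_FORMAT if they differ. A row with an unparseable timestamp is counted as rejected rather than silently dropped, and a log with a single entry (zero span) gets no rate rather than a division error.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample in the shape of a psloglist CSV export. The column layout
# and the timestamp format are ASSUMPTIONS for this example; check the header
# of your own export. The fifth data row has a deliberately broken timestamp
# to exercise the rejected-row path.
SAMPLE_CSV = """Computer,Log,Record,Source,Time,Type,Category,EventID,User
SRV01,Security,1001,Security,2004-12-01 00:00:00,Audit Success,Logon/Logoff,528,EXAMPLE\\alice
SRV01,Security,1002,Security,2004-12-01 08:00:00,Audit Success,Logon/Logoff,538,EXAMPLE\\alice
SRV01,Security,1003,Security,2004-12-01 16:00:00,Audit Failure,Logon/Logoff,529,EXAMPLE\\bob
SRV01,Security,1004,Security,2004-12-02 00:00:00,Audit Success,Logon/Logoff,528,EXAMPLE\\carol
SRV01,Security,1005,Security,not-a-timestamp,Audit Success,Logon/Logoff,528,EXAMPLE\\carol
SRV02,Application,7,MSSQLSERVER,2004-12-01 00:00:00,Information,Server,17055,N/A
SRV02,Application,8,MSSQLSERVER,2004-12-01 03:00:00,Warning,Server,17052,N/A
SRV02,Application,9,MSSQLSERVER,2004-12-01 06:00:00,Information,Server,17055,N/A
SRV02,System,42,Service Control Manager,2004-12-01 12:00:00,Information,None,7036,N/A
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed; psloglist writes locale-dependent times


def parse_export(text):
    """Return (rows, rejected): rows with a parsed 'when' datetime, and the
    number of rows whose Time column could not be parsed."""
    rows, rejected = [], 0
    for rec in csv.DictReader(StringIO(text)):
        try:
            rec["when"] = datetime.strptime(rec.get("Time", ""), TIME_FORMAT)
        except ValueError:
            rejected += 1
            continue
        rows.append(rec)
    return rows, rejected


def rates(count, first, last):
    """Events per minute/hour/day over the span first..last. A single entry
    gives a zero span, so no rate can be stated and the rates are None."""
    span = (last - first).total_seconds()
    if span <= 0:
        return {"count": count, "span_seconds": span,
                "per_minute": None, "per_hour": None, "per_day": None}
    return {"count": count, "span_seconds": span,
            "per_minute": count / (span / 60),
            "per_hour": count / (span / 3600),
            "per_day": count / (span / 86400)}


def summarize(rows):
    """Group entries by (computer, log); the ('ALL', '*') key aggregates
    every server and log, which is the 'across all servers' figure."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["Computer"], r["Log"])].append(r["when"])
    groups[("ALL", "*")] = [r["when"] for r in rows]
    summary = {}
    for key, times in groups.items():
        if not times:          # empty export: nothing to summarize
            continue
        first, last = min(times), max(times)
        entry = rates(len(times), first, last)
        entry["first"], entry["last"] = first, last
        summary[key] = entry
    return summary


def report(text):
    """Parse an export and return (summary, rejected_row_count)."""
    rows, rejected = parse_export(text)
    return summarize(rows), rejected


if __name__ == "__main__":
    summary, rejected = report(SAMPLE_CSV)
    for (computer, log), s in sorted(summary.items()):
        per_hour = "n/a" if s["per_hour"] is None else f"{s['per_hour']:.2f}"
        print(f"{computer:6} {log:12} count={s['count']:3d} "
              f"first={s['first']} last={s['last']} per_hour={per_hour}")
    print(f"rejected rows: {rejected}")
```

Because the rate is only as good as the span it is measured over, the report prints the first and last timestamps next to each count; a log that was cleared or wrapped mid-sample will show up as a short span with a suspiciously high rate, which ties back to the point above that what you are logging (and how the log is configured) shapes the answer.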