Tuesday, April 05, 2005

Security Event Log Resource

I received a message from one of the lists I belong to today, pointing out this Windows Security Event Log resource. This looks like an excellent way to get started with parsing scripts, or to simply better understand the messages that appear in the Event Log.

I'd start with psloglist.exe to extract the information from the logs, then parse the output using Perl, and a flat text database with the event information. The db could be used simply to filter the entries, or to add information to the output.
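As an added example (not from the post or its comments), here is that pipeline in Python rather than the Perl mentioned above: parse psloglist -s output, filter it through a flat text event database, and attach the Microsoft Events and Errors lookup URL quoted in the first comment. The psloglist field order is an assumption, and both the log sample and the event database are constructed.

```python
import csv
import io
from urllib.parse import urlencode

# Constructed psloglist -s sample (comma delimited); the field order is assumed.
PSLOG_FIELDS = ["log", "record", "type", "computer", "time",
                "source", "id", "user", "message"]
SAMPLE_PSLOGLIST = """\
Security,1201,AUDIT SUCCESS,WKS01,2/13/2005 10:31:02 PM,Security,528,DOMAIN\\jsmith,Successful Logon: Logon Type: 2
Security,1202,AUDIT FAILURE,WKS01,2/13/2005 10:33:31 PM,Security,533,NT AUTHORITY\\SYSTEM,Logon Failure: User not allowed to log on at this computer
Security,1203,AUDIT FAILURE,WKS01,2/13/2005 10:33:40 PM,Security,529,NT AUTHORITY\\SYSTEM,Logon Failure: Reason: Unknown user name or bad password, Logon Type: 3
"""
# Constructed flat text database: tab separated event ID and description.
SAMPLE_EVENT_DB = """\
529\tLogon failure: unknown user name or bad password
533\tLogon failure: user not allowed to log on at this computer
"""

def load_event_db(text):
    """Map event ID -> description from the tab separated flat file."""
    return dict(line.split("\t", 1) for line in text.splitlines() if line)

def parse_psloglist(text):
    """Yield one dict per record; commas inside the message are rejoined."""
    fixed = len(PSLOG_FIELDS) - 1
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(PSLOG_FIELDS):
            continue  # blank or truncated line
        rec = dict(zip(PSLOG_FIELDS[:fixed], row[:fixed]))
        rec["message"] = ",".join(row[fixed:])
        yield rec

def ms_link(source, event_id, prod_ver="5.2"):
    """Build the Events and Errors lookup URL quoted in the first comment."""
    query = {"EvtSrc": source, "EvtID": event_id, "ProdName":
             "Windows Operating System", "LCID": "1033", "ProdVer": prod_ver}
    return "http://www.microsoft.com/technet/support/ee/result.aspx?" + urlencode(query)

def report_events(psloglist_text, db):
    """Keep only records whose ID is in the db (the filter) and annotate
    them with the db description and a lookup link (the enrichment)."""
    hits = []
    for rec in parse_psloglist(psloglist_text):
        if rec["id"] not in db:
            continue
        rec["desc"] = db[rec["id"]]
        rec["link"] = ms_link(rec["source"], rec["id"])
        hits.append(rec)
    return hits
```

Feed the real psloglist -s output into report_events to get only the event IDs your database knows about, each with its description and a link to Microsoft's page for that event.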

4 comments:

Anonymous said...

Microsoft has a great database of event info online; you can get to it quickly with a URL like
http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=[Source; e.g, security]&EvtID=[event number]&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.2[or the appropriate version]

Or you can embed a link so your script output links directly to the Microsoft events too. If you put an event in XML format, something like this:

<event>
<time>10:33:31 PM</time>
<date>2/13/2005</date>
<type>16</type>
<typedesc>Audit-Failure</typedesc>
<category>2</category>
<id>533</id>
<source>Security</source>
<user>NT AUTHORITY\SYSTEM</user>
<computer></computer>
<strings>yada yada</strings>
</event>

Then with msxsl.exe, this style sheet will give you HTML output with an embedded link directly to Microsoft's description of the event:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html" />
<xsl:template match="event">
<a target="eventref">
<!-- a bare & is not well-formed XML; inside the stylesheet it must be written as &amp; -->
<xsl:attribute name="href">http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=<xsl:value-of select="source" />&amp;EvtID=<xsl:value-of select="id" />&amp;ProdName=Windows+Operating+System&amp;LCID=1033&amp;ProdVer=5.2</xsl:attribute>
Event <xsl:value-of select="id" />
</a>,
<xsl:value-of select="category" />,
<xsl:value-of select="typedesc" />,
<xsl:value-of select="date" />,
<xsl:value-of select="time" />,
User: <xsl:value-of select="user" />,
Computer: <xsl:value-of select="computer" />
<br />
<xsl:value-of select="strings" />
</xsl:template>
</xsl:stylesheet>

H. Carvey said...

Very cool! The page to start at for searching is here:

http://www.microsoft.com/technet/support/eventserrors.mspx

Choose your product, and just go from there...

Anonymous said...

Why not skip the middle-man (psloglist) if you're going to use Perl and go with routines utilizing Win32::EventLog to retrieve event log entries?

H. Carvey said...

Some of the Perl-based stuff is a little slow for my tastes...even using Win32::OLE to implement WMI classes on the local system. Tools like psloglist.exe seem to be much faster, so I use those and dump the output to an easily-parsed format.