Comments on Windows Incident Response: Security Event Log Resource
Blogger comment feed, last updated 2024-03-19T07:46:20-05:00; four comments, shown in posting order.

Anonymous (https://www.blogger.com/profile/13441809988487585009), 2005-04-07 12:49 -05:00:

Microsoft has a great database of event info online; you can get to it quickly with a URL like

    http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=[Source; e.g., security]&EvtID=[event number]&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.2[or the appropriate version]

Or, you can embed a link so the script output can link directly to the Microsoft events too. If you put an event in XML format something like this:

    <event>
      <time>10:33:31 PM</time>
      <date>2/13/2005</date>
      <type>16</type>
      <typedesc>Audit-Failure</typedesc>
      <category>2</category>
      <id>533</id>
      <source>Security</source>
      <user>NT AUTHORITY\SYSTEM</user>
      <computer></computer>
      <strings>yada yada</strings>
    </event>

Then with msxml.exe, this style sheet will give you an HTML output with an embedded link directly to Microsoft's description of the event:

    <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:output method="html" />
    <xsl:template match="event">
      <!-- literal ampersands in the URL must be written as &amp; for the stylesheet to be well-formed XML -->
      <a target="eventref">
        <xsl:attribute name="href">http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=<xsl:value-of select="source" />&amp;EvtID=<xsl:value-of select="id" />&amp;ProdName=Windows+Operating+System&amp;LCID=1033&amp;ProdVer=5.2</xsl:attribute>
        Event <xsl:value-of select="id" />
      </a>,
      <xsl:value-of select="category" />,
      <xsl:value-of select="typedesc" />,
      <xsl:value-of select="date" />,
      <xsl:value-of select="time" />,
      User: <xsl:value-of select="user" />,
      Computer: <xsl:value-of select="computer" />
      <br />
      <xsl:value-of select="strings" />
    </xsl:template>
    </xsl:stylesheet>

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2005-04-07 12:58 -05:00:

Very cool! The page to start at for searching is here:

    http://www.microsoft.com/technet/support/eventserrors.mspx

Choose your product, and just go from there...

Anonymous (https://www.blogger.com/profile/13441809988487585009), 2005-04-08 02:28 -05:00:

Why not skip the middle-man (psloglist) if you're going to use Perl and go with routines utilizing Win32::EventLog to retrieve event log entries?

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2005-04-08 10:42 -05:00:

Some of the Perl-based stuff is a little slow for my tastes... even using Win32::OLE to implement WMI classes on the local system. Tools like psloglist.exe seem to be much faster, so I use those and dump the output to an easily-parsed format.