One of your most important resources when dealing with Windows security is the Windows Security log. Analyzing the events in your systems' Security logs can help you zero in on potential threats or track down security breaches. The problem is that you can easily become bogged down in all the information these logs contain. For example, in Windows 2000 and later domains, the Security log of each domain controller (DC) contains a complete record of domain account-related logon failures. But sifting through all your DCs' Security logs to find failure-related events, and then filtering those events' descriptions to target the failures that might indicate threats, can be a daunting challenge.
I introduced you to LogParser, a command-line utility that can read and query event logs from systems running Win2K or better, in "LogParser," May 2004, InstantDoc ID 42174. I showed you the basics of LogParser's SQL-like SELECT statements, which filter information according to event-log fields (e.g., EventID, EventType, TimeGenerated), and I explained how to perform simple string manipulations and more advanced SQL constructs (e.g., subselects, distinct queries). I also promised to show you how to use the tool's Strings field to extract information from an event's description. Doing so eliminates a lot of the manual work in detailed analyses such as the one I just described. . . .
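As an added illustration of the analysis described above (this is example code written for this page, not the article's own queries or anything from LogParser's documentation), the following PowerShell script writes two LogParser 2.2 queries to a file and runs them with `file:` syntax. The first query dumps a few raw `Strings` values so you can confirm the token positions; the second filters the Security logs of two DCs down to failure audits for the account-related logon events and uses `EXTRACT_TOKEN` on the `Strings` field to pull the target user, domain and workstation out of each event's description. Assumptions: `LogParser.exe` is on the PATH, `DC1` and `DC2` are placeholder DC names, and the token positions (0 = user name, 1 = domain, 5 = workstation) follow the Windows 2000/2003 description layout for events 529 through 539; verify them against your own events before trusting the report.

```powershell
# Added example (not code from the article or from LogParser's documentation):
# summarize domain logon failures from several DCs' Security logs by filtering
# on EventType/EventID, then extracting fields from the Strings field.
# Assumptions: LogParser.exe 2.2 is on the PATH; DC1 and DC2 are placeholder
# DC names; Strings token positions (0 = user name, 1 = domain, 5 = workstation)
# follow the Win2K/2003 layout of events 529-539. Confirm the positions on your
# own DCs with the first query before relying on the second.

$QueryFile = Join-Path $PWD 'logon_failures.sql'

# Query 1 (sanity check): show a few raw Strings values so you can map the
# '|'-separated token positions before using EXTRACT_TOKEN.
# EventType 16 is 'Failure Audit'; 529-539 are the account-related logon
# failure events (bad password, disabled, expired, locked out, and so on).
$PeekStrings = @"
SELECT TOP 5 EventID, Strings
FROM \\DC1\Security
WHERE EventType = 16 AND EventID >= 529 AND EventID <= 539
"@

# Query 2 (the report): pull the target account, its domain and the source
# workstation out of the description and count failures per combination.
# Grouping surfaces the accounts and workstations with the most failures,
# which is where a closer look is warranted. Output goes to a CSV file.
$Report = @"
SELECT EventID,
       EXTRACT_TOKEN(Strings, 0, '|') AS TargetUser,
       EXTRACT_TOKEN(Strings, 1, '|') AS TargetDomain,
       EXTRACT_TOKEN(Strings, 5, '|') AS Workstation,
       COUNT(*) AS Failures
INTO logon_failures.csv
FROM \\DC1\Security, \\DC2\Security
WHERE EventType = 16 AND EventID >= 529 AND EventID <= 539
GROUP BY EventID, TargetUser, TargetDomain, Workstation
ORDER BY Failures DESC
"@

# Run the peek query with the native (screen) output format.
Set-Content -Path $QueryFile -Value $PeekStrings -Encoding ASCII
& LogParser.exe "file:$QueryFile" -i:EVT -o:NAT -stats:OFF

# Run the report; -stats:OFF suppresses LogParser's trailing statistics line.
Set-Content -Path $QueryFile -Value $Report -Encoding ASCII
& LogParser.exe "file:$QueryFile" -i:EVT -o:CSV -stats:OFF
```

Two caveats worth keeping in mind. The `FROM \\DC1\Security, \\DC2\Security` form reads the remote event logs directly, so the account running the script needs read access to each DC's Security log, and pulling entire logs across the network can be slow; adding a `TimeGenerated` condition to the `WHERE` clause (for example, only the last 24 hours) keeps the query cheap enough to run on a schedule. The 529-539 event IDs and the token layout above apply to Windows 2000 and Windows Server 2003 Security logs; Windows Vista and later replaced them with a different set of IDs and descriptions, so the same approach works there only after you re-map the event IDs and token positions.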

