Subscribe to Windows IT Pro

 

Get Newsletters

  • Get the Latest News
  • Product Updates
  • Helpful Tricks
  • Productivity Tips

Subscribe Now!

January 09, 2003 12:00 AM

Event-Log Auditing, Part 1

Automate event log dumps
Steve Seguis
Windows IT Pro
InstantDoc ID #27574
Rating: (1)
Downloads
27574.zip

Network security is no longer an afterthought as it once was for many administrators. An increasing number of administrators are finding themselves involved in various security audits and spending large chunks of their shrinking IT budgets on security auditing tools. Administrators must sift through countless event logs just to answer basic questions about their networks' security.

Auditing event logs is a tedious but important task. Unfortunately, many of us aren't accustomed to saving event logs, so we end up with incomplete data that we must try to use to generate meaningful and accurate reports. The solution, at least going forward, is to automate the process of saving event logs and to create a useful and inexpensive way to generate reports from these logs. In this first article of a two-part series about event-log auditing, I step you through a script that dumps the Security logs for specified servers and saves the output as text files for later processing. In the next article, I'll describe a script to process these log dumps to create an audit of logons and logoffs based on usernames and date ranges.

PsLogList
In "Real-World Scripting: Scripting Tools on the Web," July 2001, http://www.winscriptingsolutions.com, InstantDoc ID 21277, Dick Lewis mentions the PsTools set of utilities from http://www.sysinternals.com, and one of these utilities, PsLogList, caught my eye. PsLogList lets you remotely output to a comma-separated value (CSV) format the event logs of a Windows XP, Windows 2000, or Windows NT machine. This output is ideal for scripting because you can use a simple For loop in an NT shell script to parse the CSV format. The basic syntax for using PsLogList to dump an event log into a file is

PsLogList -s <\\computer_name>
  <event_log> <target_file>

For example,

PsLogList -s \\MyPDC
  security pdclog.csv

dumps MyPDC's Security log to pdclog.csv. Note that initially, PsLogList might take a long time to run, especially if the log files are large, but if you run the tool daily, the runtime shouldn't be a problem.

Related Content:

ARTICLE TOOLS


Want to use this article? Click here for options!

Comments
Add A Comment
  • LISA
    8 years ago
    Oct 12, 2004

    This script has been incredibly useful, but I've recently encountered problems with it on AD domain controllers running Windows 2003, where the script scheduled to run every 24 hours. This isn't a problem with the script itself but I thought other readers might be interested.

    Very frequently, under this configuration, the process hangs and the resulting .csv doesn't ever close (or at least, doesn't close before the next scheduled collection starts). The results have been logs over 20 G in size and filled-up hard drives. A look at the Task Manager shows multiple PSLOGLIST processes running, one for each day the script was to have executed. I believe this is a result of the traffic being processed by the domain controllers - they're each logging about a million entries every 24 hours. The script is excellent on Windows 2000 (even domain controllers) and on Windows 2003 member servers. Just beware that a very busy security event log on a domain controller can cause this to hang.

    (A good solution here might be to get a few more domain controllers!)

    Thanks for an excellent forum.

You must log on before posting a comment.

Are you a new visitor? Register Here

advertisement

advertisement

White Papers

Get your Windows 7 deployment off to the right start by implementing PC lockdown. A locked-down environment is easier and cheaper to support since users are less likely to make unnecessary changes to the core system configuration - read more here!

Essential Guides

Is your iSCSI "lossy"? The reality is that most off-the-shelf Ethernet hardware deployed for iSCSI can lose packets, resulting in slow performance or application downtime. Learn how to assess your current iSCSI infrastructure and engineer an advanced iSCSI SAN infrastructure.

Web Seminars

What's the best way to keep your network safe from malware? In this web seminar, security expert Greg Shields suggests an alternative method to the traditional blacklisting approach that is common with anti-virus and anti-malware solutions.

eLearning Series

We bring the experts direct to you to share their real-world perspective and expertise. During each event, three sessions stream in real time, so you can learn, ask questions, and get solutions.
Upcoming event: Getting the Most with Exchange 2010 with Paul Robichaux

Subscribe to Windows IT Pro!

Cloud IT Pro DevProConnections Left-Brain Mobile Dev Pro SharePoint Pro SQL Server Pro SuperSite for Windows Windows IT Pro

© 2012 Penton Media, Inc.

Home About Us Advertise Customer Service Privacy Statement Subscribe/Renew Terms Of Use

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.