RE: Win2k log management

From: Gabriel Aguilera (gabriel@unicraft.com)
Date: 01/29/03

    Date: Wed, 29 Jan 2003 13:28:07 -0300
    From: "Gabriel Aguilera" <gabriel@unicraft.com>
    To: <focus-ms@securityfocus.com>
    
    

    Sorry if I'm lost here... but isn't the use of this perl script the same
    thing as the Event Viewer > Connect to another computer... option, but in a
    script fashion? Maybe useful for offline reviewing.
    I think there is a difference between asking for a centralized place where to
    watch the logs and the option of having a centralized management
    solution that can handle some sort of analysis in a distributed fashion
    across the server farm.
    IF the problem here is "walking around", well... then open your MMC
    console and read/save the remote logs from your desktop/laptop computer.
    Else I would recommend a solution that can handle the fact that a server
    might go down because of another server in the farm having trouble. I
    know MOM (Microsoft Operations Manager) (this used to be NetIQ's
    management solution) can handle this... but it's kind of expensive
    though.

    Gabriel

    -----Original Message-----
    From: Arendt, Jordan LRN [mailto:Jordan.Arendt@sasked.gov.sk.ca]
    Sent: Tuesday, January 28, 2003 2:51 PM
    To: 'Zimin, Alex'; defaillance@hushmail.com; focus-ms@securityfocus.com
    Subject: RE: Win2k log management

    Nice perl script that we use for NT, and I believe works with win2k.

    http://perlmonks.thepen.com/15057.html

    I've modified it and added some comments/documentation.

    ########################################################################
    #
    # Original Script came from: http://perlmonks.thepen.com/15057.html
    # Modified by: Jordan Arendt on May 23, 2002
    # Script Name: eventdump.pl
    #
    # Comments:
    #
    # There are several things that need to be done for setup
    # 1. Create a directory called c:\event_logs on every server
    #    that you are going to want to dump the eventlogs from.
    # 2. Share that directory with a share name of event_logs
    # 3. Change ZEPHYR to whatever server you want to store your logs on.
    # 4. On the server Zephyr (or whatever you've changed it to)
    #    create a directory event_logs and share it as event_logs
    # 5. Create the directories event_logs\Application,
    #    event_logs\Security, and event_logs\System on Zephyr
    # 6. Add the servers you want to get the logs from to the
    #    @servers line. ex. @servers = ("S1","S2","S3");
    # 7. Create a directory c:\event_logs on each server you are
    #    dumping logs from and share it as event_logs
    # 8. Active State Perl needs to be installed on the machine you
    #    want to run this from. You can schedule it with the
    #    scheduler with the command: perl eventdump.pl
    #
    ########################################################################
    #
    use strict;
    use warnings;
    use Win32::EventLog;
    use File::Copy;
    use Time::localtime;

    # Central store and its error log. The account running this script needs
    # write access to the ZEPHYR share and to each server's event_logs share.
    my $store = "\\\\ZEPHYR\\event_logs";
    open(OUTFH, "+>>", "$store\\buerrs.log")
        or die "Can't open $store\\buerrs.log: $!\n";

    my @servers = ("S1","S2","S3","S4");
    my @logs    = ("System","Application","Security");

    # One timestamp for the whole run, used in every file name: YYYY_M_D_h_m_s
    my $t    = localtime;
    my $date = join("_", $t->year + 1900, $t->mon + 1, $t->mday,
                         $t->hour, $t->min, $t->sec);

    foreach my $server (@servers)
    {
        foreach my $eventlog (@logs)
        {
            my $filename = $eventlog . "_" . $server . "_" . $date;

            # A server that is down should not stop collection from the rest
            # of the farm, so record the failure and move on.
            my $handle = Win32::EventLog->new($eventlog, "\\\\$server");
            unless ($handle) {
                print OUTFH "Can't open $eventlog Eventlog on $server: $!\n";
                next;
            }

            # Clear() writes the live log to the backup file on the remote
            # server (the c:\event_logs directory created in setup) and then
            # empties it. A failed backup is logged to buerrs.log.
            $handle->Clear("c:\\event_logs\\$filename.evt")
                or print OUTFH "Could not clear and backup the $eventlog Eventlog on $server\n";
            $handle->Close;

            # Pull the backup over the share into the per-log directory on ZEPHYR.
            move("\\\\$server\\event_logs\\$filename.evt",
                 "$store\\$eventlog\\$filename.evt")
                or warn "Could not move $filename to ZEPHYR: $!\n";
        }
    }
    close OUTFH;

    -----Original Message-----
    From: Zimin, Alex [mailto:alex@towerrecords.com]
    Sent: January 24, 2003 4:11 PM
    To: defaillance@hushmail.com; focus-ms@securityfocus.com
    Subject: RE: Win2k log management

    Try event log management tools from "Dorian Software".
    http://www.doriansoft.com/

    Alex.

    > -----Original Message-----
    > From: defaillance@hushmail.com [mailto:defaillance@hushmail.com]
    > Sent: Friday, January 24, 2003 10:04 AM
    > To: focus-ms@securityfocus.com
    > Subject: Win2k log management
    >
    >
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    >
    > I am currently administering over 10 servers (Advanced) and 20
    > workstations (Pro). The management of the
    > event/security/application logs has become unbearable, so I'm
    > looking for a centralized management solution where the
    > information would be gathered from server/workstation to a
    > specific server, so the question is: Anyone aware of such
    > software that could do the job? Commercial or freeware, I
    > basically just want to avoid having to walk over to check
    > them manually.
    >
    > Also, if anyone who has faced this situation is willing to
    > share their knowledge on the subject...
    >
    > Thanks
    > -----BEGIN PGP SIGNATURE-----
    > Version: Hush 2.2 (Java)
    > Note: This signature can be verified at
    > https://www.hushtools.com/verify
    >
    >
    > wl8EARECACAFAj4xf/sZHGRlZmFpbGxhbmNlQGh1c2htYWlsLmNvbQAKCRAAqpYJlh8f
    > xQ7GAJ9+/LTX1k/uD/cY6mzx8iPKehJGhgCY8S0SZc03cmWwXsZwQBpQ8K7Rog==
    > =4gCk
    > -----END PGP SIGNATURE-----

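The eventdump.pl script quoted above clears each server's live log right after backing it up, so a server that is down or a move to ZEPHYR that fails leaves the central store silently missing a file. As an added example (not from the thread or from the script's author), this Python check takes a listing of the central store, parses the script's <Log>_<Server>_<Y>_<M>_<D>_<h>_<m>_<s>.evt names, and reports every server/log pair with no fresh dump; the server list, the 24-hour threshold and the sample listing are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed for this example; mirrors @servers and @logs in eventdump.pl.
SERVERS = ["S1", "S2", "S3", "S4"]
LOGS = ["System", "Application", "Security"]

# File names as written by eventdump.pl: <Log>_<Server>_<Y>_<M>_<D>_<h>_<m>_<s>.evt
DUMP_RE = re.compile(
    r"^(?P<log>System|Application|Security)_(?P<server>[^_]+)_(?P<y>\d{4})_"
    r"(?P<mo>\d{1,2})_(?P<d>\d{1,2})_(?P<h>\d{1,2})_(?P<mi>\d{1,2})_(?P<s>\d{1,2})\.evt$"
)

def parse_dump_name(name):
    """Return (log, server, timestamp) for a dump file name, or None for anything else."""
    m = DUMP_RE.match(name)
    if m is None:
        return None
    ts = datetime(int(m["y"]), int(m["mo"]), int(m["d"]),
                  int(m["h"]), int(m["mi"]), int(m["s"]))
    return m["log"], m["server"], ts

def find_stale(filenames, now, max_age=timedelta(hours=24)):
    """Return sorted (server, log) pairs whose newest dump is older than max_age
    or missing. Since eventdump.pl clears the live log, a gap here means the
    records exist nowhere, which is the failure Gabriel's reply warns about."""
    latest = {}
    for name in filenames:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        log, server, ts = parsed
        if ts > latest.get((server, log), datetime.min):
            latest[(server, log)] = ts
    return sorted((s, l) for s in SERVERS for l in LOGS
                  if (s, l) not in latest or now - latest[(s, l)] > max_age)

# Constructed directory listing of the central store (not real data):
# S2's Security dump is two days old and S4 never delivered anything.
SAMPLE = [
    "System_S1_2003_1_29_13_28_7.evt", "Application_S1_2003_1_29_13_28_7.evt",
    "Security_S1_2003_1_29_13_28_7.evt", "System_S2_2003_1_29_13_28_9.evt",
    "Application_S2_2003_1_29_13_28_9.evt", "Security_S2_2003_1_27_13_28_9.evt",
    "System_S3_2003_1_29_13_28_11.evt", "Application_S3_2003_1_29_13_28_11.evt",
    "Security_S3_2003_1_29_13_28_11.evt", "Thumbs.db",
]

def check_sample():
    """Run the check against SAMPLE as of 2003-01-29 14:00."""
    return find_stale(SAMPLE, datetime(2003, 1, 29, 14, 0, 0))
```

On a real store, replace SAMPLE with `os.listdir()` of each per-log directory and `now` with `datetime.now()`, and schedule the check alongside the dump job.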

