RE: Managing Windows Event Logs
From: Chris Lynch (lynch00_at_cox.net)
Date: 06/23/03
- Previous message: Jerri Dawson: "Microsoft Baseline Security Analyzer"
- In reply to: Chuck Meeusen: "Managing Windows Event Logs"
- Next in thread: Chris Burton: "RE: Managing Windows Event Logs"
- Reply: Chris Burton: "RE: Managing Windows Event Logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Chuck Meeusen'" <cmeeusen@optonline.net>, <focus-ms@securityfocus.com>
Date: Mon, 23 Jun 2003 08:29:32 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'm wondering why no one has suggested using WMI to query for WARNING and
ERROR logs for the previous 24 hours or something like that. I have created
a VBScript that goes out and queries computer objects within your NT/AD
domain (using the WinNT provider, not the LDAP provider, but I do have an
updated version of this). This script will create an HTML report that you
can then go through server by server to see which event logs you need to
examine.
Chris Lynch
- -----Original Message-----
From: Chuck Meeusen [mailto:cmeeusen@optonline.net]
Sent: Friday, June 20, 2003 1:28 PM
To: focus-ms@securityfocus.com
This discussion on event logs hits home for me. I'm attempting to build a
system for gathering and archiving the event logs from a number (15 at
present, but it must scale to 30-40) of NT and 2K servers.
It's not pretty.
My main source of information has been a document prepared for a SANS course
called "Centralizing Event Logs on Windows 2000" by Greg Lalla. He scripts
dumpevt.exe, which I've found to be very effective, and then bcp's the CSVs
into a SQL database.
So I'm wondering what anyone else is doing to gather logs and archive?
C.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: Public PGP key for Chris Lynch

iQA/AwUBPvcc3G9fg+xq5T3MEQI6OQCguHwSa3Nqdf1Iwbq01eCOhpPuAzoAn2nT
v52++nbNCHwBUPhsEYmcpIX0
=2f+k
-----END PGP SIGNATURE-----
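The approach Chris describes (query each machine over WMI for Warning and Error events from the last 24 hours, then build one HTML report to walk through server by server) is shown below as an added example in PowerShell. It is not Chris Lynch's VBScript and not part of the original thread; it assumes the ActiveDirectory module is available for enumerating computers (in place of the WinNT provider he mentions), that the running account has remote WMI/DCOM rights on the targets, and the report path and 24-hour window are parameters you can change.

```powershell
# Added example, not the script from the original post.
# Queries Win32_NTLogEvent on each target for Warning/Error events in the
# last $Hours hours and writes a single HTML report.
# Assumptions: ActiveDirectory module present (Get-ADComputer), remote
# WMI/DCOM access to the targets, and the parameter defaults below.

param(
    [string[]]$ComputerName = (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' |
                               Select-Object -ExpandProperty Name),
    [int]$Hours = 24,
    [string]$ReportPath = "$env:TEMP\EventLogReport.html"
)

# Win32_NTLogEvent stores TimeGenerated as a DMTF datetime string
# (yyyymmddHHMMSS.ffffff+UUU), so the cutoff must be in that format
# for the WQL WHERE clause to compare against it.
$since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-$Hours))

# EventType 1 = Error, 2 = Warning. Filtering server-side in WQL keeps the
# remote call from shipping the whole log across the wire.
$wql = "SELECT Logfile, TimeGenerated, SourceName, EventCode, EventType, Message " +
       "FROM Win32_NTLogEvent " +
       "WHERE (EventType = 1 OR EventType = 2) AND TimeGenerated >= '$since'"

$rows = foreach ($computer in $ComputerName) {
    try {
        Get-WmiObject -Query $wql -ComputerName $computer -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer
                    Log      = $_.Logfile
                    Time     = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
                    Type     = if ($_.EventType -eq 1) { 'Error' } else { 'Warning' }
                    Source   = $_.SourceName
                    EventID  = $_.EventCode
                    Message  = ($_.Message -replace '\s+', ' ')
                }
            }
    }
    catch {
        # A host you cannot reach is itself a finding; put it in the report
        # rather than silently dropping it from the list.
        [pscustomobject]@{
            Computer = $computer; Log = ''; Time = Get-Date; Type = 'QueryFailed'
            Source   = ''; EventID = 0; Message = $_.Exception.Message
        }
    }
}

# Per-server totals at the top so the noisiest (or unreachable) hosts stand out.
$summary = $rows |
    Group-Object Computer |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $_.Name
            Errors   = @($_.Group | Where-Object Type -eq 'Error').Count
            Warnings = @($_.Group | Where-Object Type -eq 'Warning').Count
            Failed   = @($_.Group | Where-Object Type -eq 'QueryFailed').Count
        }
    } |
    Sort-Object Errors, Warnings -Descending |
    ConvertTo-Html -Fragment

# ConvertTo-Html HTML-encodes property values, so event text that contains
# markup (which an attacker can plant in a log entry) cannot inject into the page.
$rows |
    Sort-Object Computer, @{ Expression = 'Time'; Descending = $true } |
    ConvertTo-Html -Title "Warning/Error events, last $Hours hours" `
                   -PreContent "<h1>Warning/Error events, last $Hours hours</h1><p>Generated $(Get-Date)</p>$summary<h2>Details</h2>" |
    Out-File -FilePath $ReportPath -Encoding UTF8

Write-Host "Report written to $ReportPath ($($rows.Count) rows)"
```

Run it from a management host with `.\Get-EventReport.ps1 -Hours 24` (or pass `-ComputerName srv1,srv2` to skip the AD lookup). On hosts that allow WinRM but not DCOM, `Get-CimInstance -Query $wql -ComputerName $computer` is a drop-in replacement for `Get-WmiObject`. Note that this is a triage view, not an archive: it pulls only Warning/Error and only the last 24 hours, so it complements, rather than replaces, the dumpevt/bcp collection Chuck describes for long-term retention.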