Re: process tracking
From: Joanna Rutkowska (joanna_at_mailsnare.net)
Date: 03/28/04
- Previous message: Robert Blackwell: "RE: process tracking"
- In reply to: Tomasz Onyszko: "Re: process tracking"
- Next in thread: Robert Blackwell: "RE: process tracking"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 28 Mar 2004 11:24:51 +0200 (Central European Daylight Time) To: Tomasz Onyszko <t.onyszko@w2k.pl>
after a quick look at this tool, it seems to treat event message string as
one field. but this field is actually most interesting when considering
process tracking (event 593), and this is actually the field which causes
most problems with extracting arguments from, since it contains the image
file name, which can contain spaces. and this is too difficult to parse
automatically, since spaces are also used to delimit other subfields, like
parent process PID...
j.
On Fri, 26 Mar 2004, Tomasz Onyszko wrote:
> > me about:
> >
> > dumpel -f procs.txt -e 592 593 -m security -l security
> >
> use logParser - dump this events to XML or database
---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security
Protect your network against hackers, viruses, spam and other risks with
Astaro Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost
of ownership.
Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_focus-ms_040301
---------------------------------------------------------------------------
- Previous message: Robert Blackwell: "RE: process tracking"
- In reply to: Tomasz Onyszko: "Re: process tracking"
- Next in thread: Robert Blackwell: "RE: process tracking"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
