RE: Central Win2000 auditing logs

From: Ben Collins (BenCollins_at_gateshead.gov.uk)
Date: 06/19/03

    To: 'Stephen Gay' <sgay@ellijay.com>, "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
    Date: Thu, 19 Jun 2003 09:54:47 +0100
    
    

    I use the following Perl script; it's a bit dirty but it works. When you've
    collected the logs you can process them using CyberSafe Log Analyst from the
    2K Resource Kit.

    Ben.

    #-------------------------------------------------------------------------------
    #
    # Backup and Clear Security EventLogs.
    # Version 1.2
    # Ben Collins
    # 18/09/2002
    #
    #-------------------------------------------------------------------------------
    #
    # Add the names of servers to the file serverlist.txt in the same directory
    # as this script.
    #
    # The account running this script needs the right to read and clear the
    # Security log on each server and access to its C$ admin share; the logs are
    # pulled from here into g:\seclogs, nothing is pushed by the servers.
    #
    #-------------------------------------------------------------------------------
    use strict;
    use warnings;
    use Win32::EventLog;
    use Win32API::File 0.08 qw( :ALL );

    # Get today's date, e.g. "19-Jun-2003".
    my $Date = join("-", (split(/\s+/, scalar(localtime)))[2,1,4]);

    # Create a directory with today's date for this run's backups.
    my $Directory = "g:\\seclogs\\$Date";
    unless (-d $Directory or mkdir($Directory, 0777)) {
      Error_Log("Unable to create $Directory: $^E.\n");
      exit 1;
    }

    # Get the names of servers, one per line; skip blank and commented lines.
    open(SERVERS, "<", "serverlist.txt")
      or do { Error_Log("Unable to open serverlist.txt: $!.\n"); exit 1 };
    chomp(my @Servers = <SERVERS>);
    close(SERVERS);
    @Servers = grep { /\S/ && !/^\s*#/ } @Servers;

    # Connect to each server, back up and clear its Security log, then pull the
    # backup file over the C$ share into today's directory.
    foreach my $Server (@Servers) {
      my $EventLog = Win32::EventLog->new("Security", "\\\\$Server");
      unless ($EventLog) {
        Error_Log("Unable to connect to the Security Log on \\\\$Server: $^E.\n");
        next;    # never try to clear a log we could not open
      }
      my $FileName = "$Server-$Date.evt";
      # Clear() writes the current log to the file (on the remote server's own
      # C: drive) and then empties it. Windows records the clear itself as
      # Security event 517, which becomes the first event of the new log.
      unless ($EventLog->Clear("c:\\$FileName")) {
        Error_Log("Unable to backup the Security EventLog on \\\\$Server: $^E.\n");
        $EventLog->Close;
        next;
      }
      $EventLog->Close;
      my $Source      = "\\\\$Server\\c\$\\$FileName";
      my $Destination = "$Directory\\$FileName";
      MoveFile($Source, $Destination)
        or Error_Log("Unable to move $Source to $Destination: $^E.\n");
    }

    # Write error messages to a file, stamped with the date and time.
    sub Error_Log {
      my ($Msg) = @_;
      my $Time = (split(/\s+/, scalar(localtime)))[3];
      open(LOG, ">>", "g:\\seclogs\\errors.txt") or return;
      print LOG "$Date $Time $Msg";
      close(LOG);
    }
    -----Original Message-----
    From: Stephen Gay [mailto:sgay@ellijay.com]
    Sent: 18 June 2003 18:32
    To: security-basics@securityfocus.com
    Subject: Central Win2000 auditing logs
    Hello,
    Does anyone have any experience with centrally locating Windows 2000 log
    files, for disaster recovery's sake?
    What I have in mind is a dedicated server with a large storage array, that
    holds the log files for all of the servers in a company. I know that
    Windows2000 doesn't have this capacity built in, but I've heard that 3rd
    party vendors offer products that do this.
    More importantly, has anyone ever done this with a Perl script or reliable
    freeware?
    Thanks for any help or advice,
    Stephen Gay
    ---------------------------------------------------------------------------
    Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    while InStat has confirmed Neoteris as the leader in marketshare.
         
    Find out why, and see how you can get plug-n-play secure remote access in
    about an hour, with no client, server changes, or ongoing maintenance.
              
    Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    ----------------------------------------------------------------------------
    **********************************************
    Important Information
    This e-mail constitutes a confidential communication and is
    subject to legal privilege.  If you have received this e-mail
    in error, please notify us immediately. You should not use
    or copy it for any purpose, nor disclose it to any other
    person.
    **********************************************
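An added check for the files the job above leaves in g:\seclogs, not part of Ben's or Stephen's posts: a Python script (chosen over Perl so it runs unchanged on any platform with the standard library only) that parses the .evt backups directly, using the ELF_LOGFILE_HEADER and EVENTLOGRECORD layouts from the Platform SDK. It assumes the file is linear (not wrapped), which is what a backup written by Clear() is, and flags three things worth knowing before trusting the archive: record numbers that do not run contiguously, a backup that does not begin with the 517 "audit log was cleared" event the previous run left behind (either the first collection, or the log filled and wrapped before it was collected), and a 517 whose timestamp is not close to the scheduled run, meaning something other than the job cleared the log. The sample .evt bytes, the server name SRV1 and the epoch time RUN_T are constructed for the example.

```python
import struct
from collections import namedtuple

EVT_SIGNATURE = 0x654C664C              # the bytes "LfLe", little-endian
FILE_HEADER = struct.Struct("<12I")     # ELF_LOGFILE_HEADER, 48 bytes
REC_HEADER = struct.Struct("<6I4H6I")   # fixed part of EVENTLOGRECORD, 56 bytes
EOF_RECORD = struct.Struct("<10I")      # trailing end-of-file record, 40 bytes
AUDIT_LOG_CLEARED = 517                 # Security event "The audit log was cleared"

EvtRecord = namedtuple("EvtRecord", "number time_generated event_id event_type source computer")


def _read_wstr(data, off):
    """Read a NUL-terminated UTF-16LE string; return (text, offset past the NUL)."""
    end = off
    while data[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(data):
            raise ValueError("unterminated string at offset %d" % off)
    return data[off:end].decode("utf-16-le"), end + 2


def parse_evt(data):
    """Return the records of a linear EVT file as EvtRecords, oldest first."""
    if len(data) < FILE_HEADER.size:
        raise ValueError("too short for an EVT header")
    hdr = FILE_HEADER.unpack_from(data, 0)
    if hdr[0] != 0x30 or hdr[1] != EVT_SIGNATURE:
        raise ValueError("not an EVT file (bad header signature)")
    records, off = [], hdr[4]           # hdr[4] is StartOffset
    while off + 8 <= len(data):
        length, reserved = struct.unpack_from("<II", data, off)
        if reserved != EVT_SIGNATURE:
            break                       # reached the EOF record
        if length < REC_HEADER.size + 4 or off + length > len(data):
            raise ValueError("corrupt record length %d at offset %d" % (length, off))
        (tail,) = struct.unpack_from("<I", data, off + length - 4)
        if tail != length:              # Length is stored at both ends of a record
            raise ValueError("record at offset %d has mismatched length fields" % off)
        f = REC_HEADER.unpack_from(data, off)
        source, p = _read_wstr(data, off + REC_HEADER.size)
        computer, _ = _read_wstr(data, p)
        records.append(EvtRecord(f[2], f[3], f[5] & 0xFFFF, f[6], source, computer))
        off += length
    return records


def check_backup(data, scheduled_clear=None, tolerance=15 * 60):
    """Return findings for one backup; an empty list means it looks consistent.

    scheduled_clear: epoch time of the job run whose Clear() started this log
    (the previous run), matched against the 517 that clear left as first event.
    """
    records = parse_evt(data)
    if not records:
        return ["backup contains no records"]
    findings = []
    for prev, cur in zip(records, records[1:]):
        if cur.number != prev.number + 1:
            findings.append("record number gap: %d -> %d" % (prev.number, cur.number))
    if records[0].event_id != AUDIT_LOG_CLEARED:
        findings.append("does not begin with event 517: first collection, or the log "
                        "filled and wrapped before it was collected")
    cleared = [r for r in records if r.event_id == AUDIT_LOG_CLEARED]
    if len(cleared) > 1:
        findings.append("%d audit-log-cleared events in one backup" % len(cleared))
    if scheduled_clear is not None:
        for r in cleared:
            drift = r.time_generated - scheduled_clear
            if abs(drift) > tolerance:
                findings.append("log cleared at %d, %d s from the scheduled run: outside "
                                "the job's window" % (r.time_generated, drift))
    return findings


# --- constructed sample data, not real logs -----------------------------------

def build_record(number, t, event_id, source="Security", computer="SRV1"):
    """Pack one EVENTLOGRECORD with no insertion strings, SID or binary data."""
    body = source.encode("utf-16-le") + b"\0\0" + computer.encode("utf-16-le") + b"\0\0"
    length = REC_HEADER.size + len(body) + 4
    pad = (-length) % 4                 # records are DWORD aligned
    length += pad
    end = REC_HEADER.size + len(body)   # String/UserSid/Data offsets: nothing follows
    head = REC_HEADER.pack(length, EVT_SIGNATURE, number, t, t, event_id,
                           8, 0, 0, 0,  # EVENTLOG_AUDIT_SUCCESS, no strings, no category
                           0, end, 0, end, 0, end)
    return head + body + b"\0" * pad + struct.pack("<I", length)


def build_evt(records, first, last):
    """Wrap packed records in a file header and EOF record, as a backup is laid out."""
    body = b"".join(records)
    end = FILE_HEADER.size + len(body)
    hdr = FILE_HEADER.pack(0x30, EVT_SIGNATURE, 1, 1, 0x30, end, last + 1, first,
                           0x80000, 0, 0, 0x30)
    eof = EOF_RECORD.pack(0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                          0x30, end, last + 1, first, 0x28)
    return hdr + body + eof


RUN_T = 1_056_000_000   # hypothetical epoch time of the previous night's scheduled run
GOOD_EVT = build_evt([build_record(1, RUN_T + 2, AUDIT_LOG_CLEARED),   # left by the job's Clear()
                      build_record(2, RUN_T + 60, 528),                 # successful logon
                      build_record(3, RUN_T + 3600, 540)], 1, 3)        # successful network logon
BAD_EVT = build_evt([build_record(1, RUN_T + 6 * 3600, AUDIT_LOG_CLEARED),  # cleared 6 h later
                     build_record(2, RUN_T + 6 * 3600 + 5, 528),
                     build_record(9, RUN_T + 7 * 3600, 528)], 1, 9)         # record numbers jump

if __name__ == "__main__":
    for name, evt in (("good", GOOD_EVT), ("bad", BAD_EVT)):
        print(name, check_backup(evt, scheduled_clear=RUN_T) or "OK")
```

Run it over each file in the day's directory with the previous run's time as scheduled_clear; the gap and 517 checks need no schedule at all, so they can be applied to older backups as well. A 517 well away from the run time is the one finding that deserves a person's attention the same day, since the records that preceded that clear are not in any backup.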
    
