Event-Log Auditing, Part 1

Automate event log dumps

Network security is no longer an afterthought as it once was for many administrators. An increasing number of administrators are finding themselves involved in various security audits and spending large chunks of their shrinking IT budgets on security auditing tools. Administrators must sift through countless event logs just to answer basic questions about their networks' security.

Auditing event logs is a tedious but important task. Unfortunately, many of us aren't accustomed to saving event logs, so we end up with incomplete data that we must try to use to generate meaningful and accurate reports. The solution, at least going forward, is to automate the process of saving event logs and to create a useful and inexpensive way to generate reports from these logs. In this first article of a two-part series about event-log auditing, I step you through a script that dumps the Security logs for specified servers and saves the output as text files for later processing. In the next article, I'll describe a script to process these log dumps to create an audit of logons and logoffs based on usernames and date ranges.

PsLogList
In "Real-World Scripting: Scripting Tools on the Web," July 2001, http://www.winscriptingsolutions.com, InstantDoc ID 21277, Dick Lewis mentions the PsTools set of utilities from http://www.sysinternals.com, and one of these utilities, PsLogList, caught my eye. PsLogList lets you remotely output to a comma-separated value (CSV) format the event logs of a Windows XP, Windows 2000, or Windows NT machine. This output is ideal for scripting because you can use a simple For loop in an NT shell script to parse the CSV format. The basic syntax for using PsLogList to dump an event log into a file is

PsLogList -s <\\computer_name>
  <event_log> <target_file>

For example,

PsLogList -s \\MyPDC
  security pdclog.csv

dumps MyPDC's Security log to pdclog.csv. Note that initially, PsLogList might take a long time to run, especially if the log files are large, but if you run the tool daily, the runtime shouldn't be a problem.

Previous [1] 2 Next

This script has been incredibly useful, but I've recently encountered problems with it on AD domain controllers running Windows 2003, where the script scheduled to run every 24 hours. This isn't a problem with the script itself but I thought other readers might be interested.

Very frequently, under this configuration, the process hangs and the resulting .csv doesn't ever close (or at least, doesn't close before the next scheduled collection starts). The results have been logs over 20 G in size and filled-up hard drives. A look at the Task Manager shows multiple PSLOGLIST processes running, one for each day the script was to have executed. I believe this is a result of the traffic being processed by the domain controllers - they're each logging about a million entries every 24 hours. The script is excellent on Windows 2000 (even domain controllers) and on Windows 2003 member servers. Just beware that a very busy security event log on a domain controller can cause this to hang.

(A good solution here might be to get a few more domain controllers!)

Thanks for an excellent forum.

Prestage October 12, 2004 (Article Rating:

)

You must log on before posting a comment.

If you don't have a username & password, please register now.