"Barry Brevik" <bbre...@stellarmicro.com> wrote on 06/04/2012 06:34:07 PM:

> Thank you for the detailed response, even if it is depressing.
Don't think of it as depressing, think of it as an opportunity. Gathering all your logs could provide more insight into your environment.

Attached is a toy I wrote. The idea is to have a central point (in this case, my laptop) with a little mysql node on it. I then create a table:

+------------------+------------------+------+-----+---------+----------------+
| Field            | Type             | Null | Key | Default | Extra          |
+------------------+------------------+------+-----+---------+----------------+
| logID            | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| Category         | int(10) unsigned | YES  |     | NULL    |                |
| CategoryString   | tinytext         | YES  |     | NULL    |                |
| ComputerName     | tinytext         | YES  |     | NULL    |                |
| Data             | text             | YES  |     | NULL    |                |
| EventCode        | int(10) unsigned | YES  |     | NULL    |                |
| EventIdentifier  | int(10) unsigned | YES  |     | NULL    |                |
| EventType        | int(11)          | YES  |     | NULL    |                |
| InsertionStrings | text             | YES  |     | NULL    |                |
| LogFile          | tinytext         | YES  |     | NULL    |                |
| Message          | text             | YES  |     | NULL    |                |
| RecordNumber     | int(10) unsigned | YES  |     | NULL    |                |
| SourceName       | tinytext         | YES  |     | NULL    |                |
| TimeGenerated    | datetime         | YES  |     | NULL    |                |
| TimeWritten      | datetime         | YES  |     | NULL    |                |
| Type             | tinytext         | YES  |     | NULL    |                |
| User             | tinytext         | YES  |     | NULL    |                |
| Host             | tinytext         | YES  |     | NULL    |                |
| string           | tinytext         | YES  |     | NULL    |                |
+------------------+------------------+------+-----+---------+----------------+

One runs the toy periodically, with $0 -H <fully qualified target name> across all the possible client machines, and builds up this DB. IIRC, I had a watchdog program that would maintain a table of all the clients, and then poll this for all the "TimeWritten" and poll the clients based upon the order of the TimeWritten. That way, I could have five or six instances of the toy running, cover all my clients, and still not hang dead on missing machines.

Then, at your leisure, you can ask questions like "what machines have event ID 528 or 540 and logon type 2?"
These would be the local clients. The more interesting query would be "are there network logins from sources that I don't know about" -- the debian laptop that someone is using a remote login from, for example, that you hadn't expected. Designing that SQL query is left as an exercise... :-)

--woody

--
Dr. Robert "Woody" Weaver
GBS Cybersecurity & Privacy
IT Security Architect
Cell: 301-524-8138

--
I have hardly ever known a mathematician who was capable of reasoning. -- Plato
pullFromEventLog.pl
_______________________________________________
Perl-Win32-Users mailing list
Perl-Win32-Users@listserv.ActiveState.com
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
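As an added example (not the attached pullFromEventLog.pl or any code from the mail), the two questions the mail poses, run over the table layout shown above with SQLite standing in for the MySQL node; the pipe-joined InsertionStrings layout and the sample rows are assumptions.

```python
import sqlite3

# Columns from the table in the mail. Assumption: SQLite stands in for the MySQL node.
SCHEMA = """CREATE TABLE eventlog (
    logID INTEGER PRIMARY KEY AUTOINCREMENT,
    Category INTEGER, CategoryString TEXT, ComputerName TEXT, Data TEXT,
    EventCode INTEGER, EventIdentifier INTEGER, EventType INTEGER,
    InsertionStrings TEXT, LogFile TEXT, Message TEXT, RecordNumber INTEGER,
    SourceName TEXT, TimeGenerated TEXT, TimeWritten TEXT, Type TEXT,
    User TEXT, Host TEXT, string TEXT)"""

# Constructed rows: (ComputerName, EventCode, InsertionStrings, TimeWritten). Assumption:
# the collector joins the Win32_NTLogEvent InsertionStrings array with '|'; for 528/540
# the first seven fields are user|domain|logon id|logon type|logon process|auth package|workstation.
SAMPLE = [
    ("PC1", 528, "alice|CORP|0x1a2b|2|User32|Negotiate|PC1", "2012-06-04 09:01:00"),
    ("PC1", 540, "bob|CORP|0x1a2c|3|NtLmSsp|NTLM|PC2", "2012-06-04 09:02:00"),
    ("FS1", 540, "carol|CORP|0x1a2d|3|NtLmSsp|NTLM|DEBIANLAPTOP", "2012-06-04 09:03:00"),
    ("PC2", 538, "bob|CORP|0x1a2c|3", "2012-06-04 09:04:00"),  # logoff: must be ignored
]

def build_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany(
        "INSERT INTO eventlog (ComputerName, Host, LogFile, EventCode, InsertionStrings, TimeWritten) "
        "VALUES (?, ?, 'Security', ?, ?, ?)",
        [(c, c, e, s, t) for c, e, s, t in SAMPLE])
    return con

def logons(con, logon_type):
    """(ComputerName, user, workstation) for every 528/540 event with this logon type."""
    rows = con.execute(
        "SELECT ComputerName, InsertionStrings FROM eventlog "
        "WHERE LogFile = 'Security' AND EventCode IN (528, 540) ORDER BY TimeWritten")
    hits = []
    for computer, ins in rows:
        f = ins.split("|")
        if len(f) >= 7 and f[3] == str(logon_type):  # logon type is the 4th insertion string
            hits.append((computer, f[0], f[6]))
    return hits

def interactive_logon_hosts(con):
    """The mail's first question: which machines have 528/540 with logon type 2?"""
    return sorted({computer for computer, _, _ in logons(con, 2)})

def unknown_network_logon_sources(con, known_hosts):
    """The exercise: type 3 (network) logons whose source workstation is not a known client."""
    known = {h.upper() for h in known_hosts}
    return [(c, u, w) for c, u, w in logons(con, 3) if w.upper() not in known]
```

The known-host list is the same client table the watchdog maintains, so the second query needs nothing beyond what the collector already stores.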