From: RH (RH@beulah.org)
Date: Fri Jun 29 2001 - 09:43:48 CDT

    Dumping directly to the network via NetBIOS is not workable, because the
    event logger initializes and starts writing events before the network drivers
    are initialized.
    A better method is to get a commercial utility that is designed for the
    purpose (we use "Event Log Manager" by a UK company that is now owned by ISS,
    who I believe have just updated the software). It will pull and clear logs
    and maintain them in a central database and offer solutions for long term
    archiving and trend analysis. You can also integrate it with their IDS
    products too I believe.
    Probably easier and more cost effective in the long run than throwing
    together something out of batch files.

    -----Original Message-----
    From: Hogg, Michael WARCOM GS-12 [mailto:HoggM@navsoc.navy.mil]
    Sent: Wednesday, June 27, 2001 7:24 PM
    To: tschubert@jorycapital.com; focus-ms@securityfocus.com
    Subject: RE: remote logging in NT4

    There are a couple of freeware programs that you can use to accomplish this,
    in a way. NTOlog.exe and DUMPEVT, along with some creative batch file
    programming/scripting. NTOlog will "dump" the log to a .EVT file and clear
    the log, but you cannot combine successive dumps into one .EVT file. I use
    some creative batch file programming/scripting to name the files with time,
    date, server name and log type. Task scheduler is then used to dump the logs
    at specified intervals. These files are then combined into a single ZIP
    file, per server, for archiving. All of the above is done automatically. You
    can use Task Sched. to copy the files to any location desired.
    Being lazy, I don't like opening and closing that many files when I review
    the logs, so just before NTOlog dumps and clears, I use DUMPEVT (you could
    use DUMPEL from the resource kit, I think) to dump all of the APP/SEC/SYS
    logs into separate APP/SEC/SYS CSV files. The advantage here is that all APP
    dumps from all servers end up in one CSV file. I end up with 3 files at the
    end of the day, APP.CSV, SEC.CSV and SYS.CSV.
    I then open these with EXCEL. It's not as pretty as looking with EVENTVWR,
    but I can sort the data to get to what I want to see very quickly. Takes a
    bit of getting used to, but really saves time.
    Probably not what you wanted to hear, but it's my solution to the problem of
    managing and reviewing large amounts of data from multiple servers, without
    spending a bundle. I'm open to other solutions.

    -----Original Message-----
    From: Todd Schubert [mailto:tschubert@jorycapital.com]
    Sent: Tuesday, June 26, 2001 2:00 PM
    To: focus-ms@securityfocus.com
    Subject: RE: remote logging in NT4

    On a similar topic...

    Is there any way to have the event logging automatically save the log and
    create a new one when it is full instead of just overwriting or stopping the
    log? Ideally I would like it to email the logs when they fill up or on a
    set schedule.

    **********************************************************************
    Todd Schubert
    Information Technology Specialist
    Jory Capital Inc.
    phone: 204.925.5215
    fax: 204.942.0047
    email: tschubert@jorycapital.com
    **********************************************************************

    -----Original Message-----
    From: th3rm05@hushmail.com [mailto:th3rm05@hushmail.com]
    Sent: Tuesday, June 26, 2001 8:29 AM
    To: focus-ms@securityfocus.com
    Subject: remote logging in NT4

    I am trying to set up remote EVENT logging on some NT4 (SP6a if it matters)
    servers. We would like to have a centralized "log server" (which would
    also potentially double as our IDS) so that our logs can be kept remotely.
    This will make it more difficult to modify them in the event of a hacker
    being set loose on our system. I tried modifying the
    HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<System
    | Application | Security> keys to be \\LOGHOSTNAME\LOGHOSTDRIVE$\LOGHOSTDIR,
    but all this did was prevent the event logger from loading.

    I'm thinking 1 of 2 things: either a workaround for this in the registry, or
    perhaps having the SYSTEM (as opposed to the user at login) map the network
    drive as L:\ or something similar, and changing the aforementioned key to
    L:\LOGHOSTDIR. Problem is, I have no idea how to do either one.

    Does anyone have any experience (or even any off-the-cuff ideas) with this
    sort of thing? Any comments/suggestions would be more than welcome!

    th3rm05
    Free, encrypted, secure Web-based email at www.hushmail.com
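The dump-and-merge routine Michael Hogg describes above (per-server dumps named by time, date, server and log type, then combined into one APP/SEC/SYS CSV each), worked through as an added example; this is not code from the thread. The filename pattern, the column layout in `HEADER` and the sample rows are constructed assumptions, not DUMPEVT's or DUMPEL's real output format, so both would need adjusting for actual dumps.

```python
"""Merge per-server NT4 event-log CSV dumps into one table per log type (APP/SEC/SYS)."""
import csv
import io
import re
from collections import Counter, defaultdict

# Naming scheme from the thread: log type, server name, date and time in the filename.
DUMP_NAME = re.compile(r"^(?P<log>APP|SEC|SYS)_(?P<server>[A-Z0-9-]+)_\d{8}_\d{6}\.csv$", re.I)


def dump_filename(log, server, when):
    """Name a dump so that log type, server, date and time are all recoverable."""
    return f"{log.upper()}_{server.upper()}_{when:%Y%m%d}_{when:%H%M%S}.csv"


def merge_dumps(dumps):
    """Merge {filename: csv_text} into {log_type: rows}, keeping one header per
    log type: a dump whose header differs is rejected rather than misaligned,
    and a leading Server column records which machine each row came from."""
    merged = defaultdict(list)
    for name, text in sorted(dumps.items()):
        m = DUMP_NAME.match(name)
        if not m:
            raise ValueError(f"unexpected dump filename: {name}")
        log, server = m["log"].upper(), m["server"].upper()
        header, *body = csv.reader(io.StringIO(text))  # every dump repeats the header
        if not merged[log]:
            merged[log].append(["Server"] + header)
        elif merged[log][0][1:] != header:
            raise ValueError(f"{name}: header differs from earlier {log} dumps")
        merged[log].extend([server] + row for row in body)
    return dict(merged)


def failed_logons_by_server(merged):
    """Count NT4 Security event 529 (logon failure) per server across the merged SEC rows."""
    rows = merged.get("SEC", [])
    if not rows:
        return Counter()
    col = rows[0].index("EventID")
    return Counter(r[0] for r in rows[1:] if r[col] == "529")


# Constructed sample dumps; the columns are illustrative, not DUMPEVT's real layout.
HEADER = "Date,Time,EventID,Source,User,Description\n"
SAMPLE_DUMPS = {
    "SEC_FS01_20010627_190000.csv": HEADER
    + "06/27/01,18:55:02,529,Security,N/A,Logon failure\n"
    + "06/27/01,18:57:10,528,Security,jdoe,Successful logon\n",
    "SEC_FS02_20010627_190000.csv": HEADER + "06/27/01,18:58:44,529,Security,N/A,Logon failure\n",
    "APP_FS01_20010627_190000.csv": HEADER + "06/27/01,18:30:00,1000,MyApp,N/A,Service started\n",
}
```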