-
March 30th, 2004, 10:38 PM
#1
Event Logs the easy way
This is not a tutorial on using dumpel or batch file programming, although I attempt some explanation of both. Rather, it is to show a way to make monitoring security a little easier.
As we all may or may not know, going through each and every single event in Event Viewer is a freaking pain in the butt (no fun).
Microsoft, however, does have a command line utility in its Resource Kit that makes it a little easier. It can dump all the events to one file in a number of different formats. Now this isn't nearly as bad as using Event Viewer, but it's still no fun (slightly less of a pain in the butt).
Attached is a zip file containing dumpel.exe (MS's tool) and a batch file that calls all the parameters I normally use and puts the resulting output into two separate web pages: one with all the messages for the past 24 hours and one that just lists the failures for that time period. On the main page (index.htm) is a link to a CSV file (included in the zip) containing the complete error code list for Windows. Clicking this link will open it as an Excel spreadsheet (if you have Excel) or whatever program CSV files are registered to on your machine. On the main page is also a link to the page with just the errors.
The batch file in the zip is made for a stand-alone machine. There is an example later in this text that shows how to dump logs from multiple servers.
To run it, unpack it to a directory of your choosing and just execute dump.bat:
REM dump.bat: for each log, dump the last day (-d 1) as comma-separated
REM fields (-c). The echoed "(M,1,)" lines are titles and blank lines;
REM they contain "M,1," so the final find keeps them as section headers.
echo (M,1,)Application >dump.log
dumpel -l application -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)Security >>dump.log
dumpel -l security -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)System >>dump.log
dumpel -l system -c -d 1 >>dump.log
REM full report: head.txt and foot.txt hold the HTML around the raw dump
type head.txt >index.htm
type dump.log >>index.htm
type foot.txt >>index.htm
REM errors-only report: keep the lines containing "M,1," (the markers and,
REM in dumpel's comma output, the AM/PM time followed by event type 1)
find "M,1," dump.log >dump2.log
type head2.txt >errors.htm
type dump2.log >>errors.htm
type foot.txt >>errors.htm
start index.htm
With the incredible number of worms and viruses on the Internet, you might want to exclude them from the list:
dumpel -s \\<servername> -l application -c -d 1 | find /V "Symantec AntiVirus/Filtering " >>dump.log
or, if you use the .bat that's in the zip for a stand-alone computer, just change:
dumpel -l application -c -d 1 >>dump.log
to
dumpel -l application -c -d 1 | find /V "Symantec AntiVirus/Filtering " >>dump.log
or a part of every message that is common to each and every virus warning can go in between the " " in the find statement rather than 'Symantec AntiVirus/Filtering'.
By piping the output ("|") to "find /V", only those lines NOT containing the text in the quotation marks will be added to the output file dump.log.
This I've included at the top of the batch file to help in making it more specific to your needs:
@echo off
REM dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3..] [-r] [-t] [-d x]
REM
REM -d <days> Filters for event last days (number larger than zero)
REM -e nn Filters for event id nn (up to 10 may be specified)
REM -f <filename> Output filename (default stdout)
REM -l <name> Dumps the specified log (system, application, security)
REM -b Dumps a backup file (use -l to specify file name)
REM -m <name> Filters for events logged by name
REM -r Filters out events logged by name (must use -m too)
REM -s <servername> Remote to servername
REM -t Use tab to separate strings (default is space)
REM -c Use comma to separate fields
REM -ns Do not output strings
REM -format <fmt> Specify output format. Default format is
REM dtTCISucs
REM where
REM t - time
REM d - date
REM T - event type
REM C - event category
REM I - event ID
REM S - event source
REM u - user
REM c - computer
REM s - strings
REM
REM =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
As is stated above, the format for the command is
dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3..] [-r] [-t] [-d x]
What I'm using here,
"dumpel -l application -c -d 1 >>dump.log"
doesn't make use of -f to write to a file, but rather redirects the output to a file it creates/overwrites, using '>' to overwrite and '>>' to append to it.
Some people that use dumpel make extensive use of the event IDs (-e), but for me it suffices to just view all the errors. This is easy enough to do on a daily basis. If you'd like to change the number of days that dumpel scans for, just change the "-d 1" to -d (number of days), so for once a week you'd make it -d 7. As if no one could figure that out, but it's never good to assume.
I run an expanded version of this batch every morning, repeating the same routine for each server and appending to the logs for each before making the final .htm document. It has helped to avert some disasters and optimize the network. I feel my explanation is going to suck, so here's an example of how to do this on multiple servers. Just remember to have event logging turned on :)
REM =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
REM This section follows the local dump above, which created dump.log with >;
REM every server section below only appends (>>). -s \\server reads that
REM machine's logs over the network, so the account running this needs
REM rights to read them (the Security log in particular).
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) DC LOGS >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)Application >>dump.log
dumpel -s \\huntington-dc -l application -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)Security >>dump.log
dumpel -s \\huntington-dc -l security -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)System >>dump.log
dumpel -s \\huntington-dc -l system -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) DATA LOGS >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)Application >>dump.log
dumpel -s \\data -l application -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)Security >>dump.log
dumpel -s \\data -l security -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)System >>dump.log
dumpel -s \\data -l system -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) MAIL LOGS >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)Security >>dump.log
dumpel -s \\mail -l security -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)Application >>dump.log
REM the mail server's AV product is noisy in the Application log; find /V drops those lines
dumpel -s \\mail -l application -c -d 1 | find /V "Symantec AntiVirus/Filtering " >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)System >>dump.log
dumpel -s \\mail -l system -c -d 1 >>dump.log
REM build the two pages exactly as in dump.bat, then remove the working file
type head.txt >log.htm
type dump.log >>log.htm
type foot.txt >>log.htm
find "M,1," dump.log >dump2.log
type head2.txt >errors.htm
type dump2.log >>errors.htm
type foot.txt >>errors.htm
start log.htm
del dump.log
If you want to change the appearance of the created web page, the HTML for it is contained in the head.txt and foot.txt files.
Note: using "M,1," was the only line common to all messages, therefore a cheap way to include titles and blank lines in the final "find" redirect.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
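The two filters the post above does with cmd.exe's find, as an added example that is not the post's code or anything from the attached zip: a Python reimplementation that can run anywhere, with a field-aware alternative beside it. It assumes dumpel's -c output has the fields date,time,type,category,id,source,user,computer,strings, that times are 12-hour and end in AM/PM (which is why the literal "M,1," lands on the Error type code 1 right after the time), and that the type column uses the Windows event-type codes 1 Error, 2 Warning, 4 Information, 8 Success Audit, 16 Failure Audit. The sample lines, the server name WS01 and the source names in them are constructed for the example.

```python
"""Filter dumpel -c output the way dump.bat does, plus a field-aware variant.

Added example, not code from the original post or the zip. Assumed format:
date,time,type,category,id,source,user,computer,strings per line, 12-hour
times ending in AM/PM, and Windows event-type codes (1 Error, 2 Warning,
4 Information, 8 Success Audit, 16 Failure Audit).
"""
import csv
from dataclasses import dataclass
from io import StringIO

EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information",
               8: "Success Audit", 16: "Failure Audit"}

# Constructed stand-in for dump.log: dumpel -c lines plus the "(M,1,)"
# title/blank markers that dump.bat echoes between the three logs.
SAMPLE_DUMP = """\
(M,1,)Application
3/30/2004,9:02:11 AM,1,0,1000,Application Error,N/A,WS01,Faulting application foo.exe
3/30/2004,9:05:40 AM,4,0,6,Symantec AntiVirus/Filtering,N/A,WS01,Virus Found in C:\\temp\\x.exe
3/30/2004,10:15:00 PM,2,0,1517,Userenv,N/A,WS01,Windows saved user registry
(M,1,)Security
3/30/2004,1:07:33 PM,16,2,529,Security,SYSTEM,WS01,Logon Failure: bad password
3/30/2004,1:08:01 PM,8,2,528,Security,bob,WS01,Successful Logon
(M,1,)System
3/30/2004,11:41:15 PM,1,0,7000,Service Control Manager,N/A,WS01,The Alerter service failed to start
"""


def find_lines(lines, needle, invert=False):
    """cmd.exe `find "needle"` (invert=True gives `find /V`): a plain
    substring test on each whole line, with no notion of fields."""
    return [ln for ln in lines if (needle in ln) != invert]


def batch_pipeline(dump_text, noise=None):
    """Reproduce dump.bat: optionally drop noisy lines with find /V, then
    build the errors page with find "M,1,". Returns (all_lines, error_lines)."""
    lines = dump_text.splitlines()
    if noise:
        lines = find_lines(lines, noise, invert=True)
    return lines, find_lines(lines, "M,1,")


@dataclass
class Event:
    date: str
    time: str
    type_code: int
    category: int
    event_id: int
    source: str
    user: str
    computer: str
    strings: str

    @property
    def type_name(self):
        return EVENT_TYPES.get(self.type_code, f"type {self.type_code}")


def parse_events(dump_text):
    """Parse dumpel -c rows into Event objects. Marker lines such as
    "(M,1,)Security" and blank lines have no numeric type in column 3
    and are skipped."""
    events = []
    for row in csv.reader(StringIO(dump_text)):
        if len(row) < 9 or not row[2].isdigit():
            continue
        events.append(Event(row[0], row[1], int(row[2]), int(row[3]),
                            int(row[4]), row[5], row[6], row[7],
                            ",".join(row[8:])))  # strings may contain commas
    return events


def select_events(events, types=frozenset({1, 16}), exclude_source=None):
    """Field-aware replacement for the "M,1," trick: pick events by type
    code (default Error and Failure Audit) and drop a source by name."""
    return [e for e in events
            if e.type_code in types
            and not (exclude_source and exclude_source in e.source)]


if __name__ == "__main__":
    everything, errors = batch_pipeline(SAMPLE_DUMP, noise="Symantec AntiVirus")
    print("\n".join(errors))
    for e in select_events(parse_events(SAMPLE_DUMP), exclude_source="Symantec"):
        print(e.type_name, e.event_id, e.source, e.strings)
```

Run as a script it prints the same five lines the errors page would carry for the sample (three markers and two type 1 events), then the field-aware selection, which additionally picks up the failed logon (type 16) that a substring match on "M,1," does not see under the assumed format.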
-
April 2nd, 2004, 03:44 PM
#2
Nice little write-up. Hmm... I am just wondering how I could write this in C.
I don't really like using batch files that much, because people can read and alter the files so easily.
Nice write-up.
Note: I am so going to have to pick your brain on batch filing. I know how, but damn.
-
April 2nd, 2004, 04:27 PM
#3
Ted,
Good idea how you set up your batch files. I do it very similar to how you've done it.
A nice little combo of toolz.
Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.