
Thread: Event Logs the easy way

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785

    Event Logs the easy way

    This is not a tutorial on using dumpel or batch file programming, although I attempt some explanation of both. Rather it is to show a way to make monitoring security a little easier.

    As we all may or may not know, going through each and every single event in the event viewer is a freaking pain in the butt (no fun).

    Microsoft, however, does have a command line utility in its resource kit that makes it a little easier. It can dump all the events to one file in a number of different formats. Now this isn’t nearly as bad as using event viewer, but it’s still no fun (slightly less of a pain in the butt).

    Attached is a zip file containing dumpel.exe (MS’s tool) and a batch file that calls all the parameters I normally use, and puts the resulting output into two separate web pages: one with all the messages for the past 24 hours and one that just lists the failures for that time period. On the main page (index.htm) is a link to a CSV file (included in the zip) containing the complete error code list for Windows. Clicking this link will open it as an Excel spreadsheet (if you have Excel) or whatever program CSV files are registered to on your machine. On the main page is also a link to the page with just the errors.

    The batch file in the zip is made for a stand alone machine. There is an example later in this text that shows how to dump logs from multiple servers.

    To run it unpack it to a directory of your choosing and just execute dump.bat:

    REM each "(M,1,)" line is a title or spacer; the final find on "M,1," keeps them in the errors page
    echo (M,1,)Application >dump.log
    dumpel -l application -c -d 1 >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,)Security >>dump.log
    dumpel -l security -c -d 1 >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,)System >>dump.log
    dumpel -l system -c -d 1 >>dump.log
    REM index.htm = head.txt + everything dumped + foot.txt
    type head.txt >index.htm
    type dump.log >>index.htm
    type foot.txt >>index.htm
    REM keep only the lines containing "M,1," (the title lines plus the error rows)
    find "M,1," dump.log >dump2.log
    type head2.txt >errors.htm
    type dump2.log >>errors.htm
    type foot.txt >>errors.htm
    start index.htm


    With the incredible number of worms and viruses on the internet you might want to exclude them from the list:

    dumpel -s \\<servername> -l application -c -d 1 | find /V "Symantec AntiVirus/Filtering " >>dump.log

    or if you use the bat that’s in the zip for a stand alone computer just change:
    dumpel -l application -c -d 1 >>dump.log
    to
    dumpel -l application -c -d 1 | find /V "Symantec AntiVirus/Filtering " >>dump.log

    Or a part of every message that is common to each and every virus warning can go in between “ ” in the find statement rather than using 'Symantec AntiVirus/Filtering'.

    By piping the output (“|”) to “find /V”, only those lines NOT containing the text in the quotation marks will be added to the output file dump.log.

    This I’ve included at the top of the batch file to help in making it more specific to your needs:

    @echo off
    REM dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3..] [-r] [-t] [-d x]
    REM
    REM -d <days> Filters for event last days (number larger than zero)
    REM -e nn Filters for event id nn (up to 10 may be specified)
    REM -f <filename> Output filename (default stdout)
    REM -l <name> Dumps the specified log (system, application, security)
    REM -b Dumps a backup file (use -l to specify file name)
    REM -m <name> Filters for events logged by name
    REM -r Filters out events logged by name (must use -m too)
    REM -s <servername> Remote to servername
    REM -t Use tab to separate strings (default is space)
    REM -c Use comma to separate fields
    REM -ns Do not output strings
    REM -format <fmt> Specify output format. Default format is
    REM dtTCISucs
    REM where
    REM t - time
    REM d - date
    REM T - event type
    REM C - event category
    REM I - event ID
    REM S - event source
    REM u - user
    REM c - computer
    REM s - strings
    REM
    REM =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

    As is stated above, the format for the command is
    dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3..] [-r] [-t] [-d x]

    What I’m using here,

    "dumpel -l application -c -d 1 >>dump.log"

    doesn’t make use of -f to output to a file but rather redirects the output to a file it creates/overwrites, using '>' to overwrite and '>>' to append to it.

    Some people that use dumpel make extensive use of the event ids (-e), but for me it suffices to just view all the errors. This is easy enough to do on a daily basis. If you’d like to change the number of days that dumpel scans for, just change the “-d 1” to -d (number of days), so for once a week you’d make it -d 7. As if no one could figure that out, but it’s never good to assume.

    I run an expanded version of this batch every morning, repeating the same routine for each server and appending to the logs for each before making the final htm document. It has helped to avert some disasters and optimize the network. I feel my explanation is going to suck, so here’s an example of how to do this on multiple servers. Just remember to have event logging turned on :)

    REM =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
    echo (M,1,) >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,) DC LOGS >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,)Application >>dump.log
    dumpel -s \\huntington-dc -l application -c -d 1 >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,)Security >>dump.log
    dumpel -s \\huntington-dc -l security -c -d 1 >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,)System >>dump.log
    dumpel -s \\huntington-dc -l system -c -d 1 >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,) DATA LOGS >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,)Application >>dump.log
    dumpel -s \\data -l application -c -d 1 >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,)Security >>dump.log
    dumpel -s \\data -l security -c -d 1 >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,)System >>dump.log
    dumpel -s \\data -l system -c -d 1 >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,) MAIL LOGS >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,)Security >>dump.log
    dumpel -s \\mail -l security -c -d 1 >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,)Application >>dump.log
    dumpel -s \\mail -l application -c -d 1 | find /V "Symantec AntiVirus/Filtering " >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,) >>dump.log
    echo (M,1,)System >>dump.log
    dumpel -s \\mail -l system -c -d 1 >>dump.log
    type head.txt >log.htm
    type dump.log >>log.htm
    type foot.txt >>log.htm
    find "M,1," dump.log >dump2.log
    type head2.txt >errors.htm
    type dump2.log >>errors.htm
    type foot.txt >>errors.htm
    start log.htm
    del dump.log

    If you want to change the appearance of the created web page, the HTML for it is contained in the head.txt and foot.txt files.

    Note: using “M,1,” was the only line common to all messages, therefore a cheap way to include titles and blank lines in the final “find” redirect.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
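As an added example (not part of the post or of dumpel), here is the same pipeline written as a small Python script instead of a batch file: it reads the comma-separated output that `dumpel -c` produces, keeps only the failures, drops a noisy source the way the author's `find /V` does, and writes the HTML report. It assumes the default `dtTCISucs` column order (date, time, type, category, ID, source, user, computer, strings) and that dumpel prints the raw Windows event-type code (1 error, 2 warning, 4 information, 8 audit success, 16 audit failure); the sample lines are constructed in that layout, not real log data. Two things differ from the batch approach: the type field is tested directly rather than relying on the `"M,1,"` substring, so audit failures (type 16) are caught as well, and every field is HTML-escaped before it goes into the page, because event strings (user names, file names, messages) are supplied by whoever generated the event and should not be typed into a web page unescaped.

```python
"""Turn dumpel-style CSV output into an errors-only HTML report.

Added example written for this thread; it is not dumpel's code and does not
need dumpel installed: feed it the text that `dumpel -c` would have written.
"""
import html
from dataclasses import dataclass

# Windows event-type codes (assumption: dumpel emits these raw numbers in the T column)
EVENT_ERROR = 1
EVENT_WARNING = 2
EVENT_INFORMATION = 4
EVENT_AUDIT_SUCCESS = 8
EVENT_AUDIT_FAILURE = 16

# Constructed sample in the layout of `dumpel -c` (dtTCISucs), including one of the
# author's "(M,1,)" title lines and one line whose strings field itself contains a comma.
SAMPLE_DUMP = """\
(M,1,)Application
9/14/2004,8:02:13 AM,4,0,6005,EventLog,N/A,HUNTINGTON-DC,The Event log service was started.
9/14/2004,8:15:41 AM,1,0,1000,Application Error,N/A,HUNTINGTON-DC,Faulting application foo.exe, version 1.0.0.1
9/14/2004,9:01:05 PM,16,2,529,Security,NT AUTHORITY\\SYSTEM,HUNTINGTON-DC,Logon Failure: Unknown user name or bad password. User Name: <unknown>
9/14/2004,9:03:00 PM,8,2,528,Security,jsmith,HUNTINGTON-DC,Successful Logon
9/14/2004,10:10:10 AM,1,0,5,Symantec AntiVirus/Filtering ,N/A,MAIL,Virus Found! W32/Example
9/14/2004,11:00:00 AM,2,0,1111,TermService,N/A,DATA,Driver required for printer is unknown
"""


@dataclass
class Event:
    date: str
    time: str
    etype: int
    category: str
    event_id: int
    source: str
    user: str
    computer: str
    strings: str


def parse_dumpel_csv(text):
    """Parse dumpel -c lines; title/spacer lines that are not nine fields wide are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # The strings column may contain commas, so split at most eight times.
        parts = line.split(",", 8)
        if len(parts) < 9:
            continue
        date, time, etype, cat, eid, src, user, comp, strs = parts
        try:
            events.append(Event(date, time, int(etype), cat, int(eid), src, user, comp, strs))
        except ValueError:
            continue  # not an event row (e.g. a header dumpel printed)
    return events


def failures(events, exclude_sources=()):
    """Errors and audit failures, minus any sources named in exclude_sources (like find /V)."""
    keep = {EVENT_ERROR, EVENT_AUDIT_FAILURE}
    excluded = {s.strip().lower() for s in exclude_sources}
    return [e for e in events
            if e.etype in keep and e.source.strip().lower() not in excluded]


def by_computer(events):
    """Group events per server, the multi-server layout the author builds with title lines."""
    groups = {}
    for e in events:
        groups.setdefault(e.computer, []).append(e)
    return groups


def to_html(events, title):
    """Build the report page; every field is escaped because event text is untrusted input."""
    head = ("<html><head><title>%s</title></head><body><h1>%s</h1>"
            "<table border=\"1\"><tr><th>Date</th><th>Time</th><th>Type</th><th>ID</th>"
            "<th>Source</th><th>User</th><th>Computer</th><th>Message</th></tr>"
            % (html.escape(title), html.escape(title)))
    rows = []
    for e in events:
        cells = (e.date, e.time, str(e.etype), str(e.event_id),
                 e.source, e.user, e.computer, e.strings)
        rows.append("<tr>" + "".join("<td>%s</td>" % html.escape(c) for c in cells) + "</tr>")
    return head + "\n".join(rows) + "</table></body></html>"


if __name__ == "__main__":
    evts = parse_dumpel_csv(SAMPLE_DUMP)
    bad = failures(evts, exclude_sources=["Symantec AntiVirus/Filtering"])
    for computer, group in by_computer(bad).items():
        print(computer, [e.event_id for e in group])
    with open("errors.htm", "w", encoding="utf-8") as fh:
        fh.write(to_html(bad, "Failures, last 24 hours"))
```

Run it on a real dump by replacing `SAMPLE_DUMP` with the contents of dump.log (or read the file); the `exclude_sources` list plays the role of the author's `find /V` string, and the per-computer grouping replaces the hand-written `DC LOGS` / `DATA LOGS` / `MAIL LOGS` title lines.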

  2. #2
    Nice little write up. Hmm... I am just wondering how I could write this in C.

    I don't really like using batch files that much, because people can read and alter the files so easily.

    Nice write up.

    Note I am so going to have to pick your brain on batch filing. I know how, but damn.

  3. #3
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    Ted,

    Good idea how you set up your batch files. I do it very similar to how you've done it.

    A nice little combo of toolz.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
