EventCombMT and Logparser
Asked by fertigj
Hello..
I am working on gathering failed login attempts from our DCs {2003}. The end goal would be to:
- Gather failed authentication attempts from logs
- Generate a few top 10 lists {of sorts}
  - Failed authentication attempts by user
  - Failed authentication attempts by host
  - More reports later
- Email results
Purchasing a product {MOM/etc} really isn't an option right now, so I am looking for something a bit more cost effective {read free :) }. I am leaning toward using EventCombMT & LogParser in some form. Gathering the logs with EventCombMT & emailing results is simple enough, but my experience with LogParser is a bit thin. Does anyone have any good examples of how to parse these types of logs and generate a useful report? I am open to other solutions, but I would rather it not be a try-before-you-buy solution. Thoughts?
You could use VBScript or PowerShell to export the security logs, filtered or unfiltered, to a database, either SQL or MySQL.
This could be queried using Query Analyser, SQL Reporting Services, or a number of other querying utilities.
I use a combination of MOM 2005 and HP Systems Insight Manager to monitor my estate (1500+ servers and 12000+ users), which is pretty good, but out of the basket MOM 2005 does not have any security monitoring. It requires rules to be created for each event you want monitored, which is fine, but we are required to keep all security logs for x years and we don't want to have to create a rule for every single security alert. We are using the above method, which works great...
If you have Windows 2008, you can set all your event logs to report to a central location, i.e. SQL...
HTH
ASKER
More specifically... does anyone have any examples of Log Parser for the following entries? I.e., assuming the following entries are in a txt file, how could I go through and generate a report of sorts that calculates login attempts from a specific host / user?
TestLogFile.txt
ASKER
Just tabulating the result for a given query would be very helpful
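The accepted solution is not visible on this page. As an added example, not code posted by anyone in this thread, the PowerShell script below does what the first reply suggests (pull the Security log from each 2003 DC with PowerShell) and produces the per-user and per-host top-10 tables the asker wants, saves them as HTML and mails them; the last command is the Log Parser equivalent of the per-user table. Everything environment-specific is a placeholder: the DC names, the report path, the mail settings, and the assumed field positions in event 529 (user name, domain, workstation, source address), which should be checked against one real event before the report is trusted.

```powershell
# Added example for this thread (not code posted by anyone in it).
# Assumptions, all placeholders to adjust: the DC names, report path, mail
# settings, and the ReplacementStrings offsets for event 529 on Server 2003
# (0 = User Name, 1 = Domain, 5 = Workstation Name, 11 = Source Network Address;
# confirm against one real event before trusting the output).

$DomainControllers = @('DC1', 'DC2')            # placeholder DC names
$Since             = (Get-Date).AddDays(-1)     # look back 24 hours
$ReportPath        = 'C:\Reports\FailedLogons.htm'

# 529 = "Unknown user name or bad password" on Windows Server 2003.
$FailureId = 529

# Collect matching entries from every DC into one list.
$events = foreach ($dc in $DomainControllers) {
    Get-EventLog -LogName Security -ComputerName $dc -After $Since |
        Where-Object { $_.EventID -eq $FailureId }
}

# Flatten each entry into the fields the report needs (offsets assumed, see above).
$rows = foreach ($e in $events) {
    $s = $e.ReplacementStrings
    New-Object PSObject -Property @{
        Time    = $e.TimeGenerated
        DC      = $e.MachineName
        User    = ('{0}\{1}' -f $s[1], $s[0])
        Host    = $s[5]
        Address = $s[11]
    }
}

# Top-10 table for any field: group, sort by count, keep the first ten.
function Get-Top10 ($data, $field) {
    $data | Group-Object -Property $field | Sort-Object Count -Descending |
        Select-Object @{n = $field; e = { $_.Name }}, Count -First 10
}

$byUser = Get-Top10 $rows 'User'
$byHost = Get-Top10 $rows 'Host'

# Build one HTML page from the two tables and save it.
$body = ($byUser | ConvertTo-Html -Fragment -PreContent '<h2>Top 10 users</h2>') +
        ($byHost | ConvertTo-Html -Fragment -PreContent '<h2>Top 10 source hosts</h2>')
$report = ConvertTo-Html -Title 'Failed logons' -Body $body | Out-String
$report | Out-File $ReportPath

# Mail it (placeholder addresses and SMTP server).
Send-MailMessage -To 'secops@example.com' -From 'dc-report@example.com' `
    -Subject ('Failed logons since {0:yyyy-MM-dd HH:mm}' -f $Since) `
    -Body $report -BodyAsHtml -SmtpServer 'smtp.example.com'

# Log Parser equivalent of the per-user table, reading the log straight from a
# DC (default install path of Log Parser 2.2; token 0 of the pipe-separated
# Strings field is the user name for event 529, the same assumption as above).
& 'C:\Program Files\Log Parser 2.2\LogParser.exe' -i:EVT -o:CSV `
    "SELECT TOP 10 EXTRACT_TOKEN(Strings, 0, '|') AS User, COUNT(*) AS Attempts FROM \\DC1\Security WHERE EventID = 529 GROUP BY User ORDER BY Attempts DESC"
```

Get-EventLog against a remote DC needs an account with read access to that DC's Security log; a scheduled task running as such an account covers the "email results" step. On Windows Server 2008 DCs the failed-logon event is 4625 rather than 529 and its field layout differs, so the offsets would need adjusting there.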
ASKER
After a bit of reading I am still looking for a few pieces...but this is a good start. I will post with my final results. Thanks :)
http://www.gfi.com/eventsm and it does a great job for us