Sun, 13 Oct 2013
Here is a script to parse your windows event logs.
they come to you through syslog (evtsys from purdue or be prepared to alter the positions of the date/servername/syslog severity and entry)
you're using unix and can tail the syslog files piping them through this script like so
tail -q -f /mnt/syslog/domaincontrollerlog.txt | winevtsysparse
I use remark to filter out the cruft like so:
tail -q -f /mnt/syslog/domaincontrollerlog.txt| remark /usr/share/regex-markup/winevtlog | winevtsysparse
where the winevtlog file has entries for things I don't care about like:
#windows event descriptions to ignore: /Successful Network Logon/ skip /Service Ticket Request/ skip /User Logoff/ skip /Authentication Ticket Request/ skip /Logon attempt by/ skip /Privileged object operation/ skip /Special privileges assigned to new logon/ skip /Service Ticket Renewed/ skip /Object Operation/ skip /Computer Account Changed/ skip /Set ACLs of members in administrators groups/skip /Logon Failure.*An error occurred during logon/skip /The master browser has received a server announcement/skipHope it's of use to ya.
Posted at: Sun, 13 Oct 2013 | category: /itsec