Wed, 16 Apr 2008
winevtsysparse
Here is a script to parse your Windows event logs.
Caveats:
They come to you through syslog (evtsys from Purdue, or be prepared to alter the positions of the date/servername/syslog severity and entry).
You're using Unix and can tail the syslog files, piping them through this script like so:
tail -q -f /mnt/syslog/domaincontrollerlog.txt | winevtsysparse
I use remark to filter out the cruft like so:
tail -q -f /mnt/syslog/domaincontrollerlog.txt | remark /usr/share/regex-markup/winevtlog | winevtsysparse
where the winevtlog file has entries for things I don't care about like:
#windows event descriptions to ignore:
/Successful Network Logon/ skip
/Service Ticket Request/ skip
/User Logoff/ skip
/Authentication Ticket Request/ skip
/Logon attempt by/ skip
/Privileged object operation/ skip
/Special privileges assigned to new logon/ skip
/Service Ticket Renewed/ skip
/Object Operation/ skip
/Computer Account Changed/ skip
/Set ACLs of members in administrators groups/ skip
/Logon Failure.*An error occurred during logon/ skip
/The master browser has received a server announcement/ skip

Hope it's of use to ya.
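A stand-in for the remark stage of the pipeline above, for a host without regex-markup. This is an added example, not the author's script or part of remark: it reads only the "/regex/ skip" rule lines shown above and drops every input line that matches one. It assumes the patterns behave the same under Python's re module as under remark (true for the plain-text and .* patterns listed); the function names, SAMPLE_RULES and SAMPLE_LINES are constructed for illustration.

```python
import re
import sys

# Constructed sample: a few rules in the winevtlog format shown above.
SAMPLE_RULES = """\
#windows event descriptions to ignore:
/Successful Network Logon/ skip
/User Logoff/ skip
/Logon Failure.*An error occurred during logon/skip
"""

# Constructed sample lines; the real evtsys layout may differ.
SAMPLE_LINES = [
    "Apr 16 10:00:01 dc01 Security: Successful Network Logon: user alice\n",
    "Apr 16 10:00:02 dc01 Security: Logon Failure: An error occurred during logon\n",
    "Apr 16 10:00:03 dc01 Security: User Account Locked Out: user bob\n",
    "Apr 16 10:00:04 dc01 Security: User Logoff: user alice\n",
]

# One rule per line: /regex/ followed by the word skip (space optional).
RULE = re.compile(r"^/(.*)/\s*skip$")


def load_skip_patterns(text):
    """Compile every '/regex/ skip' rule; ignore blank lines and # comments."""
    patterns = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE.match(line)
        if match is None:
            # Fail loudly: a silently ignored rule lets noise back in,
            # and a mis-parsed one could hide events you wanted to see.
            raise ValueError(f"line {number}: unsupported rule: {line!r}")
        patterns.append(re.compile(match.group(1)))
    return patterns


def filter_lines(lines, patterns):
    """Yield only the lines that match none of the skip patterns."""
    for line in lines:
        if not any(p.search(line) for p in patterns):
            yield line


if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as rules_file:
        skip = load_skip_patterns(rules_file.read())
    for kept in filter_lines(sys.stdin, skip):
        sys.stdout.write(kept)
        sys.stdout.flush()  # keep up with tail -f instead of buffering
```

Saved under a name of your choosing and given the rules file as its only argument, it takes the place of the remark command between tail and winevtsysparse.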
Posted at: Wed, 16 Apr 2008 | category: /itsec