Event-Log Auditing, Part 1

Automate event log dumps


Network security is no longer an afterthought as it once was for many administrators. An increasing number of administrators are finding themselves involved in various security audits and spending large chunks of their shrinking IT budgets on security auditing tools. Administrators must sift through countless event logs just to answer basic questions about their networks' security.

Auditing event logs is a tedious but important task. Unfortunately, many of us aren't accustomed to saving event logs, so we end up with incomplete data that we must try to use to generate meaningful and accurate reports. The solution, at least going forward, is to automate the process of saving event logs and to create a useful and inexpensive way to generate reports from these logs. In this first article of a two-part series about event-log auditing, I step you through a script that dumps the Security logs for specified servers and saves the output as text files for later processing. In the next article, I'll describe a script to process these log dumps to create an audit of logons and logoffs based on usernames and date ranges.

In "Real-World Scripting: Scripting Tools on the Web," July 2001, http://www.winscriptingsolutions.com, InstantDoc ID 21277, Dick Lewis mentions the PsTools set of utilities from http://www.sysinternals.com, and one of these utilities, PsLogList, caught my eye. PsLogList lets you remotely output to a comma-separated value (CSV) format the event logs of a Windows XP, Windows 2000, or Windows NT machine. This output is ideal for scripting because you can use a simple For loop in an NT shell script to parse the CSV format. The basic syntax for using PsLogList to dump an event log into a file is

PsLogList -s <\\computer_name>
  <event_log> <target_file>

For example,

PsLogList -s \\MyPDC
  security pdclog.csv

dumps MyPDC's Security log to pdclog.csv. Note that initially, PsLogList might take a long time to run, especially if the log files are large, but if you run the tool daily, the runtime shouldn't be a problem.

If you run PsLogList daily, the text files that PsLogList creates will grow large over time, and you'll want to group and compress the log files into fewer and smaller .zip archives. Every scriptwriter needs to have at least one command-line utility to compress and uncompress .zip files. In the script I created for this article, I use Info-ZIP. I chose Info-ZIP over the many commercial compression utilities available because it's an easy-to-use freeware tool. If you want to use Info-ZIP, I suggest you download both the Zip (http://www.info-zip.org/zip.html#win32) and UnZip (http://www.info-zip.org/unzip.html#win32) utilities. If you already have a command-line compression tool or you prefer to use a commercial utility, you can easily substitute a different tool for Info-ZIP in the script, provided that it has command-line parameters to move files into a .zip archive.

Your first task in the ultimate goal of creating a logon/logoff auditing report is to create daily dumps of the Security logs of all your domain controllers (DCs). I created a sample script, LogDump.cmd, which Listing 1 shows, that automates this task. Although the script will run in any Win2K or NT environment, for simplicity, the script assumes that you administer a small NT network with one PDC and one BDC.

To enable the script to accommodate any number of servers, you specify a list of servers in a serverlist variable that the script uses in a For loop to execute PsLogList and Info-ZIP for each of the servers. In our example, LogDump.cmd dumps the logs for the PDC and BDC servers and stores the dumped logs on each server in C:\logs\seclogs. If the output directory doesn't exist, the script uses the MD (Make Directory) command to create it, as the code at callout B in Listing 1 shows.

LogDump.cmd names the log files servername_date.txt, where date is in the format mm_dd_yyyy and groups the log dumps into .zip archives by month so that, for example, all the Security logs dumped in July 2002 are saved in a .zip archive called servername_seclog_07_2002.zip. The code at callout A retrieves the current month, day, and year from the computer on which the script executes and stores this information in a variable that the script uses to create the filename and the archive name.

The date /t command returns the current date in the format Tue 07/02/2002. The script splits this output into three pieces by running the command in a For loop and setting the delimiter to the forward slash (/) character. The result is that %%i has the value Tue 07, %%j has the value 02, and %%k has the value 2002. To generate the necessary filenames, the script recombines these values, with an underscore, and stores them in the filedate and zipdate variables as the values Tue 07_02_2002 and Tue 07_2002, respectively. The command

set filedate=%filedate:~4,10%

eliminates the day and the extra space (Tue ) in filedate. The ~4 takes the value of filedate starting from offset 4 to offset 10 (signified by the ,10 in the command).

The result of the code at callout A is that filedate contains the value 07_02_2002 and zipdate contains the value 07_2002. In Win2K, you get the same output by replacing the 'date /t' command with echo %date%. After generating the required filenames, LogDump.cmd uses the PsLogList command to perform a dump of the Security log. You should schedule the script to run every day to ensure a consistent set of Security log dumps. LogDump.cmd outputs the event log in CSV format, then clears the log so that the script doesn't dump duplicate data sets on subsequent script runs. The PsLogList command uses the -s switch to change the output to CSV format and the -c switch to clear the event log after the log has been dumped. The code at callout C dumps the Security log of the specified server, then clears the log. The PsLogList output contains some header information that isn't useful for the auditing script I describe in the next article. The code at callout C filters out this information by passing the PsLogList output through the Find command to output only lines containing a comma. The script then saves the desired output to C:\logs\seclog\<servername>_%filedate%.txt on the server.

As I mentioned earlier, storing these log dumps in their default text format on the server is less than ideal, especially in environments that generate many security events in a 24-hour period. So the script's final task is to compress all log dumps generated in the same month and year into a .zip archive, as the code at callout D shows. The -j switch tells Info-ZIP not to record the directory name when adding the text files to the .zip archive; the -m switch moves the files to the .zip archive. The code also adds .txt to the filenames of any generated text files that might be in the directory. The script zips up all the text files in a .zip archive, so this step ensures that after LogDump.cmd executes, the only contents of the seclog directory are the .zip files for each month that you execute the script.

If your company is moving away from using shared drives (e.g., C$), you might want to create a separate and secure hidden share on the server to store the log dump files. Simply replace C$ in the script with whatever share name you create. Also, storing the log files in a central server location allows for easier review of the logs and better security management.

Putting It All Together
Auditing event logs is a tedious but necessary part of your network security strategy. The LogDump.cmd script automates the process of gathering the log data that you'll need to generate meaningful security reports. In the second article of this two-part series, I'll show you a script that processes the log dumps you've generated to create an audit of network logons and logoffs sorted by usernames and date ranges.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.