Historic blog. No longer active. See also http://horizontal-logic.blogspot.com for more Powershell code. As of 2/27/2014 all scripts are PS 4.0.
Friday, February 3, 2012
Evtsys Part I
Eventlog-to-syslog was a Purdue University project that has been taken up by Sherwin Faria on Google Code and recently updated. The project is Windows 7 compliant and helps with processing audit policies that produce a large number of log entries, such as those enabled by the commands:
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
or the all inclusive:
auditpol /set /category:*
To use evtsys, I install Cygwin with syslog on my local Win 7 host, configure /etc/syslog.conf as needed, and start the syslog daemon ('net start syslogd'). Then I install Eventlog-to-syslog, configure evtsys.cfg, start evtsys (-i to install as a service, or -d for debug mode) and run gawk/bash incantations on the messages file to answer queries. These tools give me several advantages over other tool sets ('Get-winevent', 'psloglist', 'eventviewer') designed to query Windows event logs: fast, elegant, text-based storage and filtering. Through the syslog facility, network message passing is also possible. The default installation writes the following values to the registry, where they can be changed [from Powershell], presumably after restarting the service:
PS C:\Windows\system32> gci registry::HKLM\Software\ECN\EvtSys\
Hive: HKLM\Software\ECN\EvtSys
Name Property
---- --------
3.0 Facility : 3
LogHost : 127.0.0.1
LogHost2 :
LogHost3 :
LogHost4 :
Port : 514
StatusInterval : 0
QueryDhcp : 0
LogLevel : 0
IncludeOnly : 0
Tag :
MaxMessageSize : 1024
EnableTcp : 0
PS C:\Windows\system32> set-itemproperty -path HKLM:Software\ECN\EvtSys\3.0\ -name Facility -value 5
PS C:\Windows\system32> gci registry::HKLM\Software\ECN\EvtSys
Hive: HKLM\Software\ECN\EvtSys
Name Property
---- --------
3.0 Facility : 5
LogHost : 127.0.0.1
LogHost2 :
....
They can also be configured by the command line installation:
PS C:\Windows\system32> evtsys /?
Version: 4.4 (64-bit)
Usage: C:\Windows\system32\evtsys.exe -i|-u|-d [-h host] [-b host] [-f facility] [-p port]
[-t tag] [-s minutes] [-l level] [-n]
-i Install service
-u Uninstall service
-d Debug: run as console program
-h host Name of log host
-b host Name of secondary log host
-f facility Facility level of syslog message
-l level Minimum level to send to syslog.
0=All/Verbose, 1=Critical, 2=Error, 3=Warning, 4=Info
-n Include only those events specified in the config file.
-p port Port number of syslogd
-q bool Query the Dhcp server to obtain the syslog/port to log to
(0/1 = disable/enable)
-t tag Include tag as program field in syslog message.
-s minutes Optional interval between status messages. 0 = Disabled
Default port: 514
Default facility: daemon
Default status interval: 0
Host (-h) required if installing.
Check.c of the 4.0 code shows the conversion table for the facility levels:
/* Facility conversion table */
static struct {
    char * name;
    int id;
} FacilityTable[] = {
    { "auth",     SYSLOG_AUTH },
    { "authpriv", SYSLOG_AUTHPRIV },
    { "cron",     SYSLOG_CRON },
    { "daemon",   SYSLOG_DAEMON },
    { "ftp",      SYSLOG_FTP },
    { "kern",     SYSLOG_KERN },
    { "local0",   SYSLOG_LOCAL0 },
    { "local1",   SYSLOG_LOCAL1 },
    { "local2",   SYSLOG_LOCAL2 },
    { "local3",   SYSLOG_LOCAL3 },
    { "local4",   SYSLOG_LOCAL4 },
    { "local5",   SYSLOG_LOCAL5 },
    { "local6",   SYSLOG_LOCAL6 },
    { "local7",   SYSLOG_LOCAL7 },
    { "lpr",      SYSLOG_LPR },
    { "mail",     SYSLOG_MAIL },
    { "news",     SYSLOG_NEWS },
    { "ntp",      SYSLOG_NTP },
    { "security", SYSLOG_SECURITY },
    { "user",     SYSLOG_USER },
    { "uucp",     SYSLOG_UUCP }
};
You can test them with the debug (console) option. However, the console will not return all messages.
evtsys -d -h RMFVPC -p 514
Checking ignore file...
Feb 3 10:13:26 RMFVPC Eventlog to Syslog Service Started: Version 4.4 (64-bit)
Feb 3 10:13:26 RMFVPC Flags: LogLevel=0, IncludeOnly=False, EnableTcp=False, IncludeTag=False, StatusInterval=0
To see all messages, you can tail /var/log/messages with or without text filtering:
rferrisx@rmfvpc /var/log
$ tail -f messages | gawk '{print $1,$2,$3,$4,$5,$6,$7}'
Feb 3 13:24:29 rmfvpc RMFVPC Security-Auditing: 5156:
Feb 3 13:24:29 rmfvpc RMFVPC Security-Auditing: 5152:
Feb 3 13:24:29 rmfvpc RMFVPC Security-Auditing: 5152:
...
Feb 3 13:24:37 rmfvpc RMFVPC Security-Auditing: 5156:
Feb 3 13:24:37 rmfvpc RMFVPC Security-Auditing: 5152:
Feb 3 13:24:38 rmfvpc RMFVPC Security-Auditing: 4688:
Searching the Messages file with gawk is fast, most probably faster than with 'get-winevent', 'psloglist', or eventvwr filters:
gawk -F":" '{print $4}' Messages | sort -nr | uniq -c | sort -nr
145530 5156
137132 5447
81992 5158
9393 5154
7397 5152
5754 4688
5475 4689
2988 4957
...
gawk -F":" '$4 == 5156 {print $10,$11,$12,$13,$14,$15}' Messages
Outbound Source Address 192.168.0.11 Source Port 137 Destination Address 192.168.0.255 Destination Port 137 Protocol 17
Inbound Source Address 192.168.0.255 Source Port 137 Destination Address 192.168.0.11 Destination Port 137 Protocol 17
Inbound Source Address 192.168.0.255 Source Port 137 Destination Address 192.168.0.11 Destination Port 137 Protocol 17
Inbound Source Address 192.168.0.255 Source Port 137 Destination Address 192.168.0.11 Destination Port 137 Protocol 17
Inbound Source Address 239.255.255.250 Source Port 1900 Destination Address 192.168.0.1 Destination Port 1900 Protocol 17
Inbound Source Address 239.255.255.250 Source Port 1900 Destination Address 192.168.0.1 Destination Port 1900 Protocol 17
....
gawk -F":" '$4 == 5156 {print $13}' Messages | gawk '{print $1}' | sort -nr | uniq -c | sort -nr
69562 192.168.0.1
5992 192.168.0.11
4020 127.0.0.1
3765 6172
3694 192.168.0.5
2950 192.168.0.255
...
gawk -F":" '$4 == 5158 {print $11}' Messages | gawk '{print $1}' | sort -nr | uniq -c | sort -nr | more
23
7 514
6 1434
5 49154
5 49153
4 63982
4 60711
4 58924
....
gawk -F":" '$4 == 5447 {print $18,$19}' Messages | sort -nr | uniq -c | sort -nr
29026 Media Center Extenders - WMDRM-ND/RTP/RTCP (UDP-In) Type Not persistent Run-Time ID
10186 File and Printer Sharing (Spooler Service - RPC-EPMAP) Type Not persistent Run-Time ID
10061 Media Center Extenders - RTSP (TCP-In) Type Not persistent Run-Time ID
5889 Boot Time Filter Type Not persistent Run-Time ID
2967 Port Scanning Prevention Filter Type Not persistent Run-Time ID
2201 Microsoft Visual Studio 11 Developer Preview Remote Debugger Discovery (devenv.exe) Type
2111 Query User Type Not persistent Run-Time ID
1714 Network Discovery (SSDP-In) Type Not persistent Run-Time ID
....
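The gawk one-liners above all do the same two things: pick the event ID out of the 4th colon-separated field, then count either the IDs or one labelled value inside the event text. The script below is an added example, not code from the post or from the evtsys project, that wraps those queries as shell functions over POSIX awk (gawk runs the same code). It ships with a constructed sample of lines in the layout evtsys produces (syslog header, host, "Security-Auditing: <EventID>:", then the event text with its newlines collapsed into spaces); set MESSAGES to the path of the real messages file to run it against live data. The function names are mine. It also generalises the "$4 == 5156 {print $13}" query: instead of relying on a fixed field position, it locates the label ("Destination Address", "Source Address", "Protocol", ...) and counts the value that follows it, for any event ID.

```shell
#!/bin/sh
# Added example (not from the post or from evtsys): the post's gawk queries
# over an evtsys "messages" file, as reusable sh functions on POSIX awk.
# MESSAGES=/var/log/messages selects real data; otherwise the sample is used.
MESSAGES="${MESSAGES:-}"

# Constructed sample lines in the evtsys layout. Five 5156 (WFP permitted
# connection), one 5152 (packet dropped), one 4688 (process created), one
# 5447 (WFP filter changed). Values are made up for the example.
SAMPLE=$(cat <<'EOF'
Feb  3 13:24:29 rmfvpc RMFVPC Security-Auditing: 5156: The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Outbound Source Address: 192.168.0.11 Source Port: 137 Destination Address: 192.168.0.255 Destination Port: 137 Protocol: 17 Filter Information: Filter Run-Time ID: 66241
Feb  3 13:24:29 rmfvpc RMFVPC Security-Auditing: 5156: The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: 192.168.0.255 Source Port: 137 Destination Address: 192.168.0.11 Destination Port: 137 Protocol: 17 Filter Information: Filter Run-Time ID: 66242
Feb  3 13:24:30 rmfvpc RMFVPC Security-Auditing: 5156: The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1180 Application Name: \device\harddiskvolume2\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: 239.255.255.250 Source Port: 1900 Destination Address: 192.168.0.1 Destination Port: 1900 Protocol: 17 Filter Information: Filter Run-Time ID: 66243
Feb  3 13:24:31 rmfvpc RMFVPC Security-Auditing: 5156: The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1180 Application Name: \device\harddiskvolume2\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: 239.255.255.250 Source Port: 1900 Destination Address: 192.168.0.1 Destination Port: 1900 Protocol: 17 Filter Information: Filter Run-Time ID: 66244
Feb  3 13:24:32 rmfvpc RMFVPC Security-Auditing: 5156: The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1180 Application Name: \device\harddiskvolume2\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: 192.168.0.11 Source Port: 49154 Destination Address: 192.168.0.1 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 66245
Feb  3 13:24:33 rmfvpc RMFVPC Security-Auditing: 5152: The Windows Filtering Platform has blocked a packet. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: 192.168.0.5 Source Port: 6172 Destination Address: 192.168.0.11 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 66246
Feb  3 13:24:38 rmfvpc RMFVPC Security-Auditing: 4688: A new process has been created. Subject: Security ID: S-1-5-21-0-0-0-1001 Account Name: user Process Information: New Process Name: C:\Windows\System32\cmd.exe
Feb  3 13:24:40 rmfvpc RMFVPC Security-Auditing: 5447: A Windows Filtering Platform filter has been changed. Filter Information: Name: Port Scanning Prevention Filter Type: Not persistent Run-Time ID: 66247
EOF
)

# Read the real file if MESSAGES is set, else the constructed sample.
messages_source() {
    if [ -n "$MESSAGES" ]; then cat "$MESSAGES"; else printf '%s\n' "$SAMPLE"; fi
}

# Events per Windows event ID, most frequent first (the post's first query).
# Split on ':' the ID is field 4; "+ 0" turns " 5156" into the number 5156.
event_id_histogram() {
    messages_source | awk -F':' '
        { id = $4 + 0; if (id > 0) n[id]++ }
        END { for (id in n) printf "%d %d\n", n[id], id }' | sort -rn
}

# Number of events with one ID, e.g. event_count 5156.
event_count() {
    messages_source | awk -F':' -v want="$1" '
        ($4 + 0) == want { c++ }
        END { print c + 0 }'
}

# For events with ID $1, count the first word after the label $2 ("Destination
# Address", "Source Port", "Protocol", ...), most frequent first. With -F':'
# the label is the tail of one field and its value starts the next field, so
# the query is not tied to a fixed field number like the post's "$13".
top_label_values() {
    messages_source | awk -F':' -v want="$1" -v label=" $2" '
        ($4 + 0) == want {
            for (i = 5; i < NF; i++) {
                if ($i ~ (label "$")) {
                    split($(i + 1), w, " "); n[w[1]]++; break
                }
            }
        }
        END { for (v in n) printf "%d %s\n", n[v], v }' | sort -rn
}

# Stand-alone report:  sh evtsys-queries.sh report
if [ "${1:-}" = "report" ]; then
    echo "Events by ID:";        event_id_histogram
    echo "5156 destinations:";   top_label_values 5156 "Destination Address"
    echo "5152 sources:";        top_label_values 5152 "Source Address"
fi
```

Running `MESSAGES=/var/log/messages sh evtsys-queries.sh report` reproduces the post's two histograms from real data, and `top_label_values 5152 "Source Address"` gives the view a defender usually wants next: which peers are hitting ports the filter drops. Because the label is matched by name, the same function works for event variants whose text puts the address in a different position.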