[Chicago-talk] Windows event Logs

Eric Ellington e.ellington at gmail.com
Fri Feb 8 13:19:15 PST 2008


Using ActiveState I have used Win32::EventLog. It works. It will
gather info from local and remote machines.

Copied from their website:

 use strict;
 use warnings;
 use Win32::EventLog;

 # Open the System log on this machine (swap $ENV{ComputerName} for a remote host name).
 my $handle = Win32::EventLog->new("System", $ENV{ComputerName})
     or die "Can't open System EventLog\n";
 my ($recs, $base);
 $handle->GetNumber($recs)
     or die "Can't get number of EventLog records\n";
 $handle->GetOldest($base)
     or die "Can't get number of oldest EventLog record\n";

 my $x = 0;
 my $hashRef = {};
 while ($x < $recs) {
     # Seek straight to record number $base+$x and read it into $hashRef.
     $handle->Read(EVENTLOG_FORWARDS_READ|EVENTLOG_SEEK_READ,
                   $base+$x,
                   $hashRef)
         or die "Can't read EventLog entry #$x\n";
     if ($hashRef->{Source} eq "EventLog") {
         # Fill in $hashRef->{Message} from the source's message file.
         Win32::EventLog::GetMessageText($hashRef);
         print "Entry $x: $hashRef->{Message}\n";
     }
     $x++;
 }

Just swap $ENV{ComputerName} with a remote computer name and it will
grab the info, provided whatever user is running the script has
permission to grab log files remotely.

Also, 540 can look like a weird event. A 540 is generated when a user
logs on to a machine, but also when a user accesses anything over the
network. So if the user views a network drive you will get a new 540.
Also, if the user starts editing files in the network directory you
will get a ton of 540 events. So every time Word auto-saves to a
network drive you can expect a new 540.

Eric

On Feb 8, 2008 2:48 PM, Young, Darren <Darren.Young at chicagogsb.edu> wrote:
> Anyone here messed with gathering Windows event log data? From what I
> can find I have 2 options for this, native Perl Win32::EventLog or open
> dumpel.exe and read from it.
>
> What I need are event 540s from the security log (successful network
> logon events) for the previous day, which will be parsed and stored in a
> SQL table. Each AD DC stores 2 days' worth of logs (10 DCs globally)
> with several hundred thousand of these events on each DC each day.
>
> Dumpel.exe takes a switch of "days" to dump for where I don't see any
> such option for Win32::EventLog, but then, I've never actually used it.
>
> I'm wondering if anyone here has done this and might have some
> suggestions. Perl 5.8 on Windows 2003.
>
>
> Darren Young
> Systems & Security Architect
> Computing Services
> Chicago GSB
> 5807 South Woodlawn Avenue
> Chicago, IL 60637
>
> Voice 773.702.0331 | Fax 773.702.0233
>
>
> _______________________________________________
> Chicago-talk mailing list
> Chicago-talk at pm.org
> http://mail.pm.org/mailman/listinfo/chicago-talk
>



-- 
Eric Ellington
e.ellington at gmail.com
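Darren's actual need (the previous day's 540s, with no "days" switch in Win32::EventLog) as an added Perl example that is not from this thread: it reads the Security log newest-first and stops once it passes midnight of the day before, then emits one tab-separated row per event for the SQL load. The host name DC01 and the insertion-string order for event 540 are assumptions.

```perl
#!/usr/bin/perl
# Pull yesterday's 540 (successful network logon) events from one DC's
# Security log.  Reading newest-first and stopping at the window edge
# replaces dumpel's "days" switch.  Assumes ActivePerl with Win32::EventLog
# and an account holding "Manage auditing and security log" on the target;
# DC01 is a placeholder host name.
use strict;
use warnings;
use Win32::EventLog;
use POSIX qw(mktime strftime);

my $dc = shift @ARGV || 'DC01';

# Window is [00:00 yesterday, 00:00 today) local time; mktime normalises
# an mday of 0 to the last day of the previous month.
my @now   = localtime();
my $today = mktime(0, 0, 0, $now[3],     $now[4], $now[5]);
my $start = mktime(0, 0, 0, $now[3] - 1, $now[4], $now[5]);

my $log = Win32::EventLog->new('Security', $dc)
    or die "Can't open Security log on $dc: $^E\n";

my ($scanned, $kept, %pairs) = (0, 0);
my $rec = {};
while ($log->Read(EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ, 0, $rec)) {
    my $t = $rec->{TimeGenerated};        # seconds since the epoch
    last if $t < $start;                  # older than the window: stop reading
    next if $t >= $today;                 # today's records: not wanted yet
    $scanned++;
    # Low 16 bits carry the event number; higher bits hold severity/facility.
    next unless ($rec->{EventID} & 0xFFFF) == 540;
    # Insertion strings are NUL-separated.  Assumed order for 540 on Windows
    # 2003: user, domain, logon ID, logon type, process, auth package, workstation.
    my @s = split /\0/, (defined $rec->{Strings} ? $rec->{Strings} : '');
    my ($user, $domain, $logon_id, $type, $wks) = @s[0, 1, 2, 3, 6];
    for ($user, $domain, $logon_id, $type, $wks) { $_ = '' unless defined }
    $kept++;
    # One tab-separated row per event, ready for a bulk load into the SQL table.
    print join("\t", strftime('%Y-%m-%d %H:%M:%S', localtime $t),
               $rec->{Computer}, "$domain\\$user", $wks, $type, $logon_id), "\n";
    # 540 fires once per SMB session (Eric's point above), so also count the
    # distinct user/workstation pairs, which is the figure worth reporting on.
    $pairs{"$domain\\$user\t$wks"}++;
}
$log->Close;
printf STDERR "%s: scanned %d records, kept %d 540s, %d distinct user/workstation pairs\n",
    $dc, $scanned, $kept, scalar keys %pairs;
```

Run it once per DC (e.g. in a loop over the ten names) shortly after midnight, and redirect STDOUT to the file your SQL bulk loader reads.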

