
WinLogcheck

WinLogcheck is a port of the UNIX logcheck tool to Windows (NT/2000/XP). It uses native Win32 ports of standard UNIX tools (egrep, sed, sh and friends) to search dumped Event Logs for interesting events, which keeps log monitoring cheap and effective.


Presentation Transcript


  1. WinLogcheck
     Ported to Windows by JP Vossen
     PANTUG, 9/12/2001
     Minor (URL) updates 5/17/2007

  2. What is Logcheck?
     • A UNIX tool written by Craig H. Rowland (crowland@psionic.com)
     • Originally at http://www.psionic.com/abacus/logcheck, later moved to http://sourceforge.net/projects/sentrytools/
     • Uses standard UNIX tools to search UNIX log files for “interesting” events

  3. What is WinLogcheck?
     • A port of the UNIX logcheck tool to Windows (NT/2000/XP?) by Me
     • Uses a batch file “wrapper” plus native Win32 ports of standard UNIX tools and a few other utilities
       • UNIX tools: cat, date, egrep, rm, sed, sh
       • Other utilities: DumpEvt (dumps the Event Logs to text), blat (command-line e-mail), auditpol (sets the audit policy)

  4. How Does It Work?
     • Wrapper.cmd
       • Sets some environment variables
       • Uses DumpEvt to dump the Event Logs to text (it picks up where it left off last time)
       • Runs sh (the UNIX Bourne shell) to execute logcheck.sh

  5. How Does It Work?
     • Logcheck.sh
       • Reads and sets some environment variables
       • Greps the dump for the patterns in logcheck.hacking to find blatant hacking attempts
       • Greps for logcheck.violations, then reverse greps (grep -v) logcheck.violations.ignore, to find security violations
       • Reverse greps logcheck.ignore and reports everything else not in the ignore file

  6. What Happens When It Runs?
     • Install (Setup.bat)
       • Configures, installs and enables logging
     • Run the first time
       • Processes your entire Event Logs!
       • You’ll get a gigantic message!
     • Run after that
       • Periodically (once per hour, twice per day, etc.)
       • Much smaller and more useful messages

  7. Keyword Files
     • logcheck.hacking
       • login.*: .*LOGIN FAILURE.* FROM .*root
     • logcheck.violations
       • LOGIN FAILURE
       • The Event log service was started.
     • logcheck.violations.ignore
       • stat=Deferred
     • logcheck.ignore
       • sendmail.*User Unknown
       • WINS HAS INITIALIZED PROPERLY AND IS NOW FULLY OPERATIONAL
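The three grep passes that slides 4 and 5 describe, run over the sample keyword patterns from slide 7, as an added example that is not WinLogcheck's own wrapper.cmd or logcheck.sh. It is a POSIX sh script; the work directory, the keyword file names, the constructed event lines (an invented one-event-per-line layout, not DumpEvt's real format) and the line-count bookmark that stands in for DumpEvt's resume behaviour are all assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not WinLogcheck's own scripts): the three grep passes from
# slide 5 over a constructed event-log dump, plus a simple line-count bookmark
# standing in for DumpEvt's "pick up where it left off" (slide 4).
# The $WORK layout, file names and sample events are assumptions.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Keyword files, seeded with the sample patterns from slide 7 (one regex per line).
printf '%s\n' 'login.*: .*LOGIN FAILURE.* FROM .*root' > "$WORK/logcheck.hacking"
printf '%s\n' 'LOGIN FAILURE' 'The Event log service was started.' > "$WORK/logcheck.violations"
printf '%s\n' 'stat=Deferred' > "$WORK/logcheck.violations.ignore"
printf '%s\n' 'sendmail.*User Unknown' \
  'WINS HAS INITIALIZED PROPERLY AND IS NOW FULLY OPERATIONAL' > "$WORK/logcheck.ignore"

# Constructed sample of a flattened event dump, one event per line
# (illustrative layout only; DumpEvt's real field order is not reproduced).
cat > "$WORK/events.txt" <<'EOF'
Security,529,login: LOGIN FAILURE on srv1 FROM 10.0.0.5 as root
Security,529,login: LOGIN FAILURE on srv1 FROM 10.0.0.9 as jdoe
System,6005,The Event log service was started.
Application,1,sendmail: LOGIN FAILURE stat=Deferred to relay
Application,2,sendmail: User Unknown for bob
System,4318,WINS HAS INITIALIZED PROPERLY AND IS NOW FULLY OPERATIONAL
System,7036,The Print Spooler service entered the running state.
EOF

# Emit only the lines added since the last run and record how far we got.
# WinLogcheck relies on DumpEvt's own record bookmark; a line count is a
# stand-in so the first-run/later-run difference from slide 6 is visible.
new_events() {
  log=$1; mark="$WORK/bookmark"
  seen=0
  if [ -f "$mark" ]; then seen=$(cat "$mark"); fi
  tail -n +"$((seen + 1))" "$log"
  wc -l < "$log" | tr -d ' ' > "$mark"
}

# Pass 1: blatant hacking attempts, always reported (no ignore file applies).
hacking() { grep -E -i -f "$WORK/logcheck.hacking" "$1" || true; }
# Pass 2: security violations, minus the exceptions in logcheck.violations.ignore.
violations() {
  grep -E -i -f "$WORK/logcheck.violations" "$1" \
    | grep -E -i -v -f "$WORK/logcheck.violations.ignore" || true
}
# Pass 3: everything not matched by logcheck.ignore (the catch-all section).
unusual() { grep -E -i -v -f "$WORK/logcheck.ignore" "$1" || true; }

# Build the report the wrapper would hand to blat; empty sections are omitted.
report() {
  for section in hacking violations unusual; do
    out=$("$section" "$1")
    [ -n "$out" ] || continue
    printf '=== %s ===\n%s\n\n' "$section" "$out"
  done
}

# First run: the whole dump is new, so the report is large.
new_events "$WORK/events.txt" > "$WORK/batch1.txt"
report "$WORK/batch1.txt"

# Append two more events and run again: only those two are processed.
cat >> "$WORK/events.txt" <<'EOF'
System,7036,The Print Spooler service entered the stopped state.
Security,529,login: LOGIN FAILURE on srv1 FROM 10.0.0.7 as root
EOF
new_events "$WORK/events.txt" > "$WORK/batch2.txt"
report "$WORK/batch2.txt"
```

Run it with sh. The first report carries all seven constructed events (one hacking hit, three violations after the stat=Deferred exception removes the sendmail line, five unusual lines once the WINS and sendmail noise is ignored); the second covers only the two appended events. Two properties worth noticing when tuning keyword files: the hacking pass is not filtered by any ignore file, so a noisy pattern there can only be silenced by editing logcheck.hacking, and the catch-all pass re-reports the violation lines, since, as slide 5 says, it reports everything not in logcheck.ignore.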

  8. Other Issues
     • Is it useful or effective?
       • Surprisingly, given the simple approach, it actually works very well!
     • Is it scalable?
       • That depends on your logging, the number of machines, and the keyword file tuning
     • See the documentation
       • Readmes and FAQs

  9. What Else Needs to Be Done?
     • I need PANTUG’s help with tuning the keyword files!!
     • I need to run these scripts in production environments to make sure everything works well (beta test)
     • It should not interfere with the machine: Blat adds a registry key and sends e-mail, DumpEvt interacts with the Event Logs, and there is no other OS/system interaction
     • Add a “noemail” option?

  10. Where Can I Get WinLogcheck?
     • WinLogcheck
       • http://www.jpsdomain.org/windows/winlogcheck.html
     • Upstream source
       • http://www.psionic.com/abacus/logcheck
