Central Log


Nir B

Hi All,

I need to collect the security logs from all my Windows servers to a central
location. I wrote a script that uses the DUMPEL utility, but in the files I get
I see the SID instead of the user (UserName).
Any idea how to solve this?
Is there any API that can help with this task?
Does anyone know of a better way to collect all the logs from Windows
servers?

Thanks,

Nir B
 

Miha Pihler

Hi Nir,

Microsoft should release a service called ACS (Auditing Collection System),
previously called MACS (Microsoft Auditing Collection System).

This service will allow you to collect information from servers that will
have the ACS agent installed. Information can be stored in a central location
(e.g. SQL server) where you can run your own queries against the
information. You will also be able to use WMI to call scripts (e.g. send
e-mail) in case of certain events.

Unfortunately I don't know when it will be released (my wild guess is some
time this year) ...

Mike
 

Randy Franklin Smith [MVP]

You could also consider LogParser, another free MSFT tool, which can query
multiple security logs and has an option for translating SIDs.
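
The LogParser approach mentioned in the reply above, as an added example that is not part of the original thread: a PowerShell wrapper that pulls the Security log from each server into a central folder with SID translation turned on. The server names, the output folder and the selected columns are assumptions, and LogParser.exe (Log Parser 2.2) is assumed to be on the PATH.

```powershell
# Added example: collect Security logs from several servers with Log Parser 2.2
# and let it translate SIDs to account names.
# Server names and the output folder are hypothetical; use paths without spaces.

$servers   = @('SRV01', 'SRV02', 'SRV03')   # hypothetical server names
$outDir    = 'D:\CentralLogs'               # hypothetical central folder
$logParser = 'LogParser.exe'                # assumed to be on PATH

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($server in $servers) {
    # One CSV per server per run, plus one checkpoint file per server.
    $outFile    = Join-Path $outDir "$server-Security-$stamp.csv"
    $checkpoint = Join-Path $outDir "$server-Security.lpc"

    # With -resolveSIDs:ON the SID field holds DOMAIN\user instead of S-1-5-...
    $query = "SELECT TimeGenerated, ComputerName, EventID, EventTypeName, " +
             "SID AS Account, Message " +
             "INTO $outFile FROM \\$server\Security"

    # -iCheckPoint makes each run return only records added since the last run,
    # so scheduled runs do not re-export the whole log.
    & $logParser $query -i:EVT -o:CSV -resolveSIDs:ON "-iCheckPoint:$checkpoint"

    # Querying one server at a time keeps a single unreachable host
    # from aborting the collection for the others.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Log Parser failed for $server (exit code $LASTEXITCODE)"
    }
}
```

The account running the script needs rights to read the remote Security logs, and SIDs are resolved from the machine where Log Parser runs, so it must be able to look up the accounts in question.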
 
