WinLogcheck: Logcheck Ported to Windows
by JP Vossen
PANTUG, 9/12/2001
Minor (URL) updates 5/17/2007
What is Logcheck?
- A UNIX tool written by Craig H. Rowland (crowland@psionic.com)
  - Originally at http://www.psionic.com/abacus/logcheck, now at http://sourceforge.net/projects/sentrytools/
- Uses standard UNIX tools to search UNIX log files for "interesting" events
What is WinLogcheck?
- A port of the UNIX logcheck tool to Windows (NT/2000/XP?) by me
- Uses a batch file "wrapper", native Win32 ports of various standard UNIX tools, and other utilities
  - cat, date, egrep, rm, sed, sh
  - DumpEvt, blat, auditpol
How Does It Work?
- wrapper.cmd
  - Sets some environment variables
  - Uses DumpEvt to dump the Event Logs into text (it picks up where it left off last time)
  - Runs sh (the UNIX Bourne Shell) to run logcheck.sh
How Does It Work? (continued)
- logcheck.sh
  - Reads and sets some environment variables
  - Greps logcheck.hacking for blatant hacking attempts
  - Greps logcheck.violations and reverse-greps logcheck.violations.ignore for security violations
  - Reverse-greps logcheck.ignore and reports everything else not in the ignore file
What Happens When It Runs?
- Install (Setup.bat)
  - Configuration, install and enable logging
- Run the first time
  - Processes your entire Event Logs!
  - You'll get a gigantic message!
- Run after that
  - Periodically (once per hour, twice per day, etc.)
  - Much smaller and more useful messages
Keyword Files
- logcheck.hacking
- logcheck.violations
  - LOGIN FAILURE
  - The Event log service was started.
- logcheck.violations.ignore
  - login.*: .*LOGIN FAILURE.* FROM.*root
  - stat=Deferred
- logcheck.ignore
  - sendmail.*User Unknown
  - WINS HAS INITIALIZED PROPERLY AND IS NOW FULLY OPERATIONAL
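The three filter passes from the "How Does It Work?" slides, re-created as an added example in POSIX sh (the same Bourne-shell dialect the port runs logcheck.sh under) and run over a constructed text dump of the kind DumpEvt produces. This is not WinLogcheck's own logcheck.sh: the keyword file names and the violations/ignore patterns are taken from the "Keyword Files" slide, but the single logcheck.hacking pattern, every log record, and the report headings (borrowed from the UNIX logcheck report layout) are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not WinLogcheck's own logcheck.sh): the hacking, violations
# and ignore passes re-created in POSIX sh over a constructed DumpEvt-style
# text dump. Keyword file names and the violations/ignore patterns come from
# the slides; the hacking pattern and all log records are made up.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DUMP="$WORK/eventlog.txt"          # stands in for the DumpEvt output file

# Keyword files. The slide lists no logcheck.hacking entries, so it gets one
# constructed pattern here; the other three files match the slide.
printf '%s\n' 'ATTACK ALERT' > "$WORK/logcheck.hacking"
printf '%s\n' 'LOGIN FAILURE' 'The Event log service was started.' \
    > "$WORK/logcheck.violations"
printf '%s\n' 'login.*: .*LOGIN FAILURE.* FROM.*root' 'stat=Deferred' \
    > "$WORK/logcheck.violations.ignore"
printf '%s\n' 'sendmail.*User Unknown' \
    'WINS HAS INITIALIZED PROPERLY AND IS NOW FULLY OPERATIONAL' \
    > "$WORK/logcheck.ignore"

# Constructed Event Log dump (seven records, one per line).
cat > "$DUMP" <<'EOF'
2001-09-12 01:00:03 Security 529 LOGIN FAILURE user=alice host=ws01
2001-09-12 01:00:04 System 6005 The Event log service was started.
2001-09-12 01:00:05 Security 529 login: 1 LOGIN FAILURE FROM ws02, root
2001-09-12 01:00:06 Application 1000 ATTACK ALERT port scan from 10.0.0.9
2001-09-12 01:00:07 System 4097 WINS HAS INITIALIZED PROPERLY AND IS NOW FULLY OPERATIONAL
2001-09-12 01:00:08 Application 2000 sendmail: User Unknown bob
2001-09-12 01:00:09 System 7036 Print spooler restarted
EOF

# Pass 1: any record matching logcheck.hacking, case-insensitively.
hacking_hits() {
    grep -i -f "$WORK/logcheck.hacking" "$DUMP"
}

# Pass 2: logcheck.violations matches, minus records that also match
# logcheck.violations.ignore (the "reverse grep").
violation_hits() {
    grep -i -f "$WORK/logcheck.violations" "$DUMP" \
        | grep -v -f "$WORK/logcheck.violations.ignore"
}

# Pass 3: every record not matched by logcheck.ignore. This re-reads the
# whole dump, so attack and violation records appear here a second time.
unusual_hits() {
    grep -v -f "$WORK/logcheck.ignore" "$DUMP"
}

# The report body the wrapper would hand to blat, with the section headings
# used by the UNIX logcheck report.
logcheck_report() {
    printf 'Active System Attack Alerts\n=-=-=-=-=-=-=-=-=-=-=-=-=-=\n'
    hacking_hits
    printf '\nSecurity Violations\n=-=-=-=-=-=-=-=-=-=\n'
    violation_hits
    printf '\nUnusual System Events\n=-=-=-=-=-=-=-=-=-=-=\n'
    unusual_hits
}

logcheck_report
```

With this input the root LOGIN FAILURE record is dropped from the violations section by the violations.ignore pattern, the WINS and sendmail records are dropped from the unusual section, and the attack and violation records are listed twice (once in their own section, once under unusual events), which is the behaviour the slides describe. Two points matter when tuning the keyword files: the entries are unanchored regular expressions (a "." in "The Event log service was started." matches any character), so a short or broad logcheck.ignore entry silently suppresses every record it touches; and the violations pass is case-insensitive while the ignore passes are not, so an ignore pattern must match the record's actual case.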
Other Issues
- Is it useful or effective?
  - Surprisingly, given the simple approach, it actually works very well!
- Is it scalable?
  - That depends on your logging, the number of machines, and the keyword file tuning
- See the documentation
  - Readmes and FAQs
What Else Needs to Be Done?
- I need PANTUG's help with tuning the keyword files!!
- I need to run these scripts in production environments to make sure everything works well (beta test)
  - It should not interfere with the machine: Blat adds a registry key and sends e-mail, DumpEvt interacts with the Event Logs, and there is no other OS/system interaction
- Add a "noemail" option?
Where Can I Get WinLogcheck?
- WinLogcheck
  - http://www.jpsdomain.org/windows/winlogcheck.html
- Upstream source
  - http://www.psionic.com/abacus/logcheck