Posts Tagged ‘log’

Search an offline Windows event/application log quickly

October 22, 2014

get-winevent -FilterHashTable @{path="pathto:\dc4secevent.evtx";logname='Security';ID=628}
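The same offline search generalised to several event IDs and a time window, with the hits summarised per ID. This is an added example, not the post's own command; the file path and the ID list are placeholders to replace, and it assumes the .evtx was exported with wevtutil epl or Event Viewer's "Save All Events As".

```powershell
# Added example, not the post's own command. Searches a saved .evtx offline for a set
# of event IDs inside a time window and summarises the hits per ID.
# Assumptions: the file path and the ID list are placeholders to replace; the file was
# exported with wevtutil epl or Event Viewer's "Save All Events As".
function Search-OfflineEventLog {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [int[]]  $Id,
        [datetime] $StartTime,
        [datetime] $EndTime
    )
    # Path alone points Get-WinEvent at the saved file; the filter is evaluated by the
    # event log service rather than in PowerShell, which is what keeps it fast.
    $filter = @{ Path = $Path; ID = $Id }
    if ($PSBoundParameters.ContainsKey('StartTime')) { $filter.StartTime = $StartTime }
    if ($PSBoundParameters.ContainsKey('EndTime'))   { $filter.EndTime   = $EndTime }

    # "No events were found" is raised as a non-terminating error; silence it so an
    # empty result is simply empty.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            Id          = $evt.Id
            Computer    = $evt.MachineName
            # Rendering Message needs the provider's message DLL on the analysing
            # machine; for a file exported elsewhere it can come back empty, so the raw
            # EventData values (always present) are kept alongside it.
            Summary     = ($evt.Message -split "`r?`n")[0]
            Data        = ($evt.Properties | ForEach-Object { $_.Value }) -join '|'
        }
    }
}

# Usage with placeholder values. 628 ("User Account password set") is the pre-Vista ID
# the post searches for; 4724 is its counterpart on Vista and later.
$hits = Search-OfflineEventLog -Path 'D:\evidence\dc4secevent.evtx' -Id 628, 4724 `
                               -StartTime (Get-Date).AddDays(-30)
$hits | Group-Object Id | Select-Object Name, Count
$hits | Sort-Object TimeCreated | Format-Table TimeCreated, Id, Computer, Summary -AutoSize
```

Keeping the raw Properties next to the rendered Message matters when the export came from a domain controller and is being read on a workstation: the message template may be missing there, but the account names and SIDs in EventData still are not.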

Smelling the need for a Windows Event log monitor

July 9, 2014

Rolling Performance Monitor (perfmon) log files in Windows

March 7, 2014

I wanted to monitor all processes’ read and write bytes/sec for a half hour within a given time span nightly, but I didn’t want to fill the disk up with old and useless log files.

It took me more than five seconds of searching to figure out how to “roll perfmon logs” or “delete old perfmon logs automatically.”

The way to do this is to use the data collector set's Data Manager to manage the data the set collects.

Configuring a Data Manager to rotate perfmon log files:

1) Configure a data collector set, setting up the actions and tasks via perfmon.msc.

2) In the perfmon.msc tree, go to Reports\User Defined and you will see your Data Collector set there: right-click > Properties.

3) On the Data Manager tab you can configure various things, but for our purpose of retaining one log file, set Maximum folders to 1, check “Apply policy before the data collector set starts”, and check “Enable data management and report generation”. [Refer to the Manage Data in Windows Performance Monitor article below for more info.]

4) Go to the Action tab > Add > Condition: 1 day; check “delete data files”, “delete cab file”, and “delete report”.

5) Click OK, OK.

6) I use a quick batch file (Local Group Policy > Windows Settings > Scripts > Startup) to start the performance monitor data collector set at system boot:

logman start -name "all procs cpu io"

I will be testing this over the weekend, but it should work as it is.
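The Data Manager settings from steps 3 and 4, applied through the Performance Logs and Alerts (PLA) COM interface so the retention policy can be scripted and re-applied instead of clicked through. This is an added example, not the post's procedure; it assumes the data collector set from step 1 already exists under the (placeholder) name used in step 6, and the numeric values are the FolderActionSteps and CommitMode constants from pla.h.

```powershell
# Added example, not from the original post. Applies the Data Manager settings from
# steps 3 and 4 through the Performance Logs and Alerts (PLA) COM interface, so the
# retention policy lives in a script that can be re-applied or pushed to other hosts.
# Assumptions: the data collector set from step 1 already exists under $setName (a
# placeholder); the numeric values are the FolderActionSteps and CommitMode constants
# from pla.h.
$setName = 'all procs cpu io'

$dcs = New-Object -ComObject Pla.DataCollectorSet
$dcs.Query($setName, $null)              # $null selects the local computer

# Step 3: Data Manager tab
$dm = $dcs.DataManager
$dm.Enabled            = $true           # "Enable data management and report generation"
$dm.CheckBeforeRunning = $true           # "Apply policy before the data collector set starts"
$dm.MaxFolderCount     = 1               # "Maximum folders": keep only the newest run's folder

# Step 4: Action tab > Add: condition 1 day; delete data files, cab file and report
$plaDeleteData   = 0x02
$plaDeleteCab    = 0x08
$plaDeleteReport = 0x10
$action = $dm.FolderActions.CreateFolderAction()
$action.Age     = 1                      # folder age in days
$action.Size    = 0                      # 0 = no size condition
$action.Actions = $plaDeleteData -bor $plaDeleteCab -bor $plaDeleteReport
$dm.FolderActions.Add($action)

# Step 5: OK, OK. plaCreateOrModify = 3 saves the changes to the existing set.
$dcs.Commit($setName, $null, 3)

# Read back what was stored, to confirm the policy took.
$check = New-Object -ComObject Pla.DataCollectorSet
$check.Query($setName, $null)
$check.DataManager | Select-Object Enabled, CheckBeforeRunning, MaxFolderCount
$check.DataManager.FolderActions | Select-Object Age, Size, Actions
```

The folder actions run when the set stops; with CheckBeforeRunning they are also evaluated before it starts, which is what lets a nightly 30-minute run leave only one folder behind.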


A quick post about logs

December 24, 2013

Been working on samhain and yule, and started to regain interest in correlation engines and SIEM.

Why don’t we take our logs from over here and put them in ElasticSearch over there?

But, where do I do the analysis? Here or there? Or both? Or what?

Security “log event watchers”:

Correlation engines:


  • nxlog (transmits CSV, JSON, XML, Key-value pairs, GELF, syslog, SQL, anything you can script or write (like a pipeline))
  • rsyslog (transmits Linux journal, named pipe, stdout, SQL (with special handling for MySQL and Oracle), Elasticsearch, many more to come in versions soon)
  • logstash-forwarder/Lumberjack (transmits via the lumberjack protocol to logstash)
  • gelfino (transmits GELF)
  • other sysloggy stuff


Stack 1: Logstash + (Kibana &&|| Graylog) + elasticsearch:

Stack 2: Lumberjack + ceelog + rsyslog + elasticsearch + kibana:

Stack 3: logstash and solr:

nxlog available fields for an event from im_mseventlog

November 9, 2012

Administering Event Log permissions

August 25, 2011

If you’re like me, you use the Nagios plugin I wrote called check_smb_speed.

This means that you are running an instance of NSClient++ with a user account that’s been created and dedicated to the task of running NSClient++, and its minion, check_smb_speed.

Method to really monitor DFS replication

August 24, 2011

Warning… attaching Process Monitor to your system will greatly slow down performance!


This will help answer the question “how long does it take for a file to replicate over DFS-R?”

1) How much data is written in the folders by SMB on the source server?

Use Process Monitor

Filter definitions:

  • Path includes destination directory
  • Process Name includes “System”
  • Operation is “WriteFile”

2) How much data is read by dfsr.exe in a single folder on the source server?

Use Process Monitor

Filter definitions:

  • Path includes destination directory
  • Path excludes “dfsrprivate”
  • Process name includes “dfsr.exe”
  • Operation is “ReadFile”

Bonus: how effective is RDC?

Use Process Monitor

Filter definitions:

  • Path includes destination directory
  • Path includes “dfsrprivate”
  • Process name includes “dfsr.exe”
  • Operation is “WriteFile”
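Totalling the bytes behind these three filters from a CSV export of the capture, as an added example in PowerShell that is not part of the original post. It assumes Process Monitor's CSV column names and its "Offset: ..., Length: ..." Detail text; the share path and the sample rows are constructed.

```powershell
# Added example, not from the original post. Totals the bytes behind the three
# Process Monitor filters above from a CSV export of the capture (File > Save...,
# "Comma-Separated Values"). Assumptions: the column names and the Detail text
# ("Offset: ..., Length: ...") follow Process Monitor's export format; the share
# path and the rows below are constructed.
function Get-ProcmonIoBytes {
    param(
        [Parameter(Mandatory)] [object[]] $Event,         # rows from Import-Csv / ConvertFrom-Csv
        [Parameter(Mandatory)] [string]   $PathIncludes,
        [string]                          $PathExcludes,
        [Parameter(Mandatory)] [string]   $ProcessName,
        [Parameter(Mandatory)] [ValidateSet('ReadFile', 'WriteFile')] [string] $Operation
    )
    # Plain substring tests (case-insensitive), so brackets or other wildcard
    # characters in a path cannot distort a -like comparison.
    function Test-Contains([string] $Text, [string] $Needle) {
        return $Text.IndexOf($Needle, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }
    $bytes = [int64] 0
    $count = 0
    foreach ($e in $Event) {
        $proc = $e.'Process Name'
        $path = $e.Path
        if ($e.Operation -ne $Operation)                          { continue }
        if (-not (Test-Contains $proc $ProcessName))              { continue }
        if (-not (Test-Contains $path $PathIncludes))             { continue }
        if ($PathExcludes -and (Test-Contains $path $PathExcludes)) { continue }
        # Detail reads like "Offset: 0, Length: 65,536, Priority: Normal"; strip the
        # thousands separators before converting.
        if ($e.Detail -match 'Length:\s*([\d,]*\d)') {
            $bytes += [int64] ($Matches[1] -replace ',', '')
            $count++
        }
    }
    [pscustomobject]@{
        Operation = $Operation
        Process   = $ProcessName
        Events    = $count
        Bytes     = $bytes
        MB        = [math]::Round($bytes / 1MB, 2)
    }
}

# Constructed rows in the shape of a Process Monitor CSV export.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:15:01.1234567 PM","System","4","WriteFile","D:\Shares\Data\report.docx","SUCCESS","Offset: 0, Length: 65,536, Priority: Normal"
"3:15:01.2234567 PM","System","4","WriteFile","D:\Shares\Data\report.docx","SUCCESS","Offset: 65,536, Length: 12,288, Priority: Normal"
"3:15:02.0000000 PM","dfsr.exe","1840","ReadFile","D:\Shares\Data\report.docx","SUCCESS","Offset: 0, Length: 77,824, Priority: Normal"
"3:15:03.0000000 PM","dfsr.exe","1840","WriteFile","D:\Shares\Data\DfsrPrivate\Staging\report.docx-v43","SUCCESS","Offset: 0, Length: 16,384, Priority: Normal"
'@
$events = $sampleCsv | ConvertFrom-Csv
# For a real capture: $events = Import-Csv 'C:\captures\dfsr-source.csv'   (placeholder path)

$share = 'D:\Shares\Data'
# 1) bytes SMB (the System process) wrote into the replicated folder
Get-ProcmonIoBytes -Event $events -PathIncludes $share -ProcessName 'System' -Operation WriteFile
# 2) bytes dfsr.exe read back from the live folder, staging excluded
Get-ProcmonIoBytes -Event $events -PathIncludes $share -PathExcludes 'DfsrPrivate' -ProcessName 'dfsr.exe' -Operation ReadFile
# bonus) bytes dfsr.exe wrote into staging: compare with 2) to see what RDC saved
Get-ProcmonIoBytes -Event $events -PathIncludes "$share\DfsrPrivate" -ProcessName 'dfsr.exe' -Operation WriteFile
```

Summing from the export rather than eyeballing the live window also sidesteps part of the performance warning above: the capture can be taken once, saved, and analysed offline.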


3) Track DFS-R changes on the destination server and find the time of the last update to the file(s) by parsing the debug log:

DO NOT TAIL THE DFSR DEBUG LOGS! It will invalidate rotation. I learned this the hard way.

What you should do is increase the debug log retention via the method mentioned in KB958893 (default is 100):

wmic /namespace:\\root\microsoftdfs path dfsrmachineconfig set maxdebuglogfiles=500

You can then use 7-Zip or similar to decompress the gzipped debug logs in c:\windows\debug\*.gz and analyze them as follows:

cat c:\windows\debug\Dfsr00100.log | grep -E "Install-rename.*EXT"
grep -E "Install-rename.*FILENAME" -r . > ..\log.txt

The output will look similar to this:

20110824 15:15:59.203 5064 MEET  2426 Meet::InstallRename -> DONE Install-rename completed updateName:[FILENAME.EXT] uid:{D32A1438-D8D5-4E3B-8521-05AE2F87EE30}-v43 gvsn:{D32A1438-D8D5-4E3B-8521-05AE2F87EE30}-v43 connId:{DDDA8CE0-8500-425C-A9C1-467D74EB64BC} csName:[REPLICATION GROUP NAME] csId:{465C4E61-79EF-4824-B8FF-D62C5A734728}
+       name              [FILENAME.EXT]

“Meet::InstallRename -> DONE Install-rename” is the log entry written when that function returns, and it signifies that the file has been placed in the live directory (its final location).
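A parser for these entries, added here as an example and not part of the original post: it reads the plain or rotated (.gz) debug logs without 7-Zip, tolerates an entry that a console copy wrapped at 80 columns (as the sample output above was), and reports the last Install-rename time per file. The directory, the file names and the sample lines are constructed.

```powershell
# Added example, not from the original post. Parses DFSR debug logs (plain .log files
# or the rotated .gz copies, decompressed in memory so 7-Zip is not needed) for the
# "Meet::InstallRename -> DONE Install-rename" entries and reports, per file, when it
# last landed in its final location. Assumptions: the line layout follows the sample
# in the post; the directory and the log lines below are constructed.

function Read-DfsrLog {
    # Returns the text lines of one log file. Only rotated copies should be read, and
    # the handle is released as soon as the file is consumed, so the live log's
    # rotation is not disturbed (the post's warning about tailing).
    param([Parameter(Mandatory)] [string] $Path)
    if ($Path -like '*.gz') {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $gz = New-Object System.IO.Compression.GZipStream($fs, [System.IO.Compression.CompressionMode]::Decompress)
            $sr = New-Object System.IO.StreamReader($gz)
            $sr.ReadToEnd() -split "`r?`n"
        } finally { $fs.Dispose() }
    } else {
        Get-Content -LiteralPath $Path
    }
}

function Get-DfsrInstallRename {
    # Turns raw log lines into one object per Install-rename completion.
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $Line)
    $tsPattern = '^\d{8} \d{2}:\d{2}:\d{2}\.\d{3} '
    # Each entry starts with a timestamp; "+" lines carry details. Anything else is a
    # fragment of the previous line (a capture wrapped at the console width, as in
    # the post's sample), so glue it back on verbatim.
    $entries = New-Object System.Collections.Generic.List[string]
    foreach ($l in $Line) {
        if ($l.Length -eq 0) { continue }
        if ($l -match $tsPattern -or $l.StartsWith('+') -or $entries.Count -eq 0) { $entries.Add($l) }
        else { $entries[$entries.Count - 1] += $l }
    }
    $pattern = '^(?<ts>\d{8} \d{2}:\d{2}:\d{2}\.\d{3}) .*Meet::InstallRename -> DONE Install-rename completed ' +
               'updateName:\[(?<name>[^\]]+)\] uid:(?<uid>\S+) gvsn:(?<gvsn>\S+) connId:(?<conn>\S+) csName:\[(?<cs>[^\]]+)\]'
    foreach ($e in $entries) {
        if ($e -match $pattern) {
            [pscustomobject]@{
                Time             = [datetime]::ParseExact($Matches['ts'], 'yyyyMMdd HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
                FileName         = $Matches['name']
                Version          = $Matches['gvsn']
                ReplicationGroup = $Matches['cs']
            }
        }
    }
}

function Get-LastInstallPerFile {
    # Newest Install-rename per file name: "when did the last update to the file land?"
    param([Parameter(Mandatory)] [object[]] $Event)
    $Event | Group-Object FileName | ForEach-Object {
        $_.Group | Sort-Object Time | Select-Object -Last 1
    } | Sort-Object Time
}

# Constructed sample in the shape of the post's output: the first entry is wrapped at
# 80 columns the way a console copy would be, the others are intact.
$sampleLines = @(
    '20110824 15:15:59.203 5064 MEET  2426 Meet::InstallRename -> DONE Install-rename'
    ' completed updateName:[report.docx] uid:{D32A1438-D8D5-4E3B-8521-05AE2F87EE30}-'
    'v43 gvsn:{D32A1438-D8D5-4E3B-8521-05AE2F87EE30}-v43 connId:{DDDA8CE0-8500-425C-A'
    '9C1-467D74EB64BC} csName:[RG-Finance] csId:{465C4E61-79EF-4824-B8FF-D62C5A734728}'
    '+       name              [report.docx]'
    '20110824 15:16:03.010 5064 MEET  2426 Meet::InstallRename -> DONE Install-rename completed updateName:[budget.xlsx] uid:{D32A1438-D8D5-4E3B-8521-05AE2F87EE30}-v44 gvsn:{D32A1438-D8D5-4E3B-8521-05AE2F87EE30}-v44 connId:{DDDA8CE0-8500-425C-A9C1-467D74EB64BC} csName:[RG-Finance] csId:{465C4E61-79EF-4824-B8FF-D62C5A734728}'
    '20110824 15:20:00.500 5064 MEET  2426 Meet::InstallRename -> DONE Install-rename completed updateName:[report.docx] uid:{D32A1438-D8D5-4E3B-8521-05AE2F87EE30}-v45 gvsn:{D32A1438-D8D5-4E3B-8521-05AE2F87EE30}-v45 connId:{DDDA8CE0-8500-425C-A9C1-467D74EB64BC} csName:[RG-Finance] csId:{465C4E61-79EF-4824-B8FF-D62C5A734728}'
)
Get-LastInstallPerFile -Event (Get-DfsrInstallRename -Line $sampleLines) | Format-Table -AutoSize

# Against the real logs (placeholder directory), all rotated files in one pass:
# $lines = Get-ChildItem 'C:\Windows\debug\Dfsr*.log.gz' | ForEach-Object { Read-DfsrLog $_.FullName }
# Get-LastInstallPerFile -Event (Get-DfsrInstallRename -Line $lines)
```

Grouping on the file name answers the post's question directly: the difference between the last Install-rename time on the destination and the write time seen in Process Monitor on the source is the replication delay for that file.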
