What:
Log Parser Lizard installed on Windows machine
Problem:
NetApp cifs auditing is producing a large amount of data stored in evt files, which should be analysed.
Solution:
Log Parser Lizard is a front end to Microsoft's Log Parser utility, which allows to write SQL queries against text files.
With Log Parser you can analyze IIS log files, XML or CVS files, Windows Event Log files and many more.
I am focusing on evt files saved by NetApp filer. I will present few examples of how to extract some useful data from there.
I keep all my evt files in F:\Auditing_Logs\
Most accessed files
====================================================
SELECT Extract_Token(Extract_Token(Message,4,':'),0,'Handle') AS [Folder], count(Folder) AS Hits FROM 'F:\Auditing_Logs\*.evt'Most active users
WHERE EventID IN(560)
GROUP BY Folder
ORDER BY Hits desc
====================================================
SELECT RESOLVE_SID(SID) as Username, COUNT(*) as hits FROM 'F:\Auditing_Logs\*.evt' GROUP BY username order by hits descTop 10 most active users
====================================================
SELECT TOP 10 RESOLVE_SID(SID) as Username, COUNT(*) as hits FROM 'F:\Auditing_Logs\*.evt' GROUP BY username order by hits desc
Number of operations (read, write, delete) by selected user
====================================================
SELECTFolders and files accessed by selected user
Extract_Token(Extract_Token(Message,14,':'),1,' ') AS [Operation],
Count(Operation) AS Hits
FROM 'F:\Auditing_Logs\*.evt'
WHERE EventID IN(560) AND resolve_sid(SID) in('DOMAIN\<username>')
GROUP by Operation
Order by Hits desc
====================================================
SELECTFiles modified by selected user
resolve_sid(SID) AS Username,
TimeGenerated,
Extract_Token(Extract_Token(Message,14,':'),1,' ') AS [Operation],
Extract_Token(Extract_Token(Message,4,':'),0,'Handle') AS [Folder or Filename]
FROM 'F:\Auditing_Logs\*.evt'
WHERE EventID IN(560) AND Operation IN('ReadData') AND resolve_sid(SID) IN ('DOMAIN\<username>')
Order by TimeGenerated desc
====================================================
SELECT
resolve_sid(SID) AS Username,
TimeGenerated,
Extract_Token(Extract_Token(Message,14,':'),1,' ') AS [Operation],
Extract_Token(Extract_Token(Message,4,':'),0,'Handle') AS [Folder or Filename]
FROM 'F:\Auditing_Logs\*.evt'
WHERE EventID IN(560) AND Operation IN('WriteData') AND resolve_sid(SID) IN ('DOMAIN\<username>')
Order by TimeGenerated desc
No comments:
Post a Comment