When investigating an intrusion on a Windows system, one of the first places to start is the Windows Security log. The Security event log is also very useful for routine analysis when searching for anomalies and possible intrusions.
Reading through a Windows Security log, or any other log, can be very difficult and time consuming, so a lot of companies have created their own tools to analyze Windows event logs. But before you go commercial, there is a tool that will get you going at no cost. Against all odds, it's a tool made by Microsoft!
The tool in question is Microsoft Log Parser. Log Parser is a command line tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. So you can use it to analyze most structured text-based files, the event log and AD on a single computer.
You can query remote computers on the network, as long as the credentials that Log parser is running under can access the data sources on the remote computers.
To query the Security log, you need to run Log Parser as an administrator.
Note that this tool doesn't collect data from multiple computers; it analyzes data from a single file or a single computer at a time.
The improved interface
In its original form, Log Parser is a command line tool, so it is not the most user-friendly tool in the world. Also, it has no way of saving your prepared queries so you can invoke them later. But a promising developer named Dimce Kuzmanov created a free frontend to Log Parser called Log Parser Lizard.
Log Parser Lizard enables you to store prepared queries and organizes them by the type of data source you wish to analyze. It also includes the ability to export results to Excel, autogenerates charts from the result of the executed query, and can export the queried subset back into the original format from which the analysis was performed.
Analyzing the Security Log with Log Parser Lizard
Using Log Parser Lizard for Security Log analysis is very simple. Choose the Queries button and select the Event Logs category, then create the queries that you need for your analysis. Here are some examples:
- SELECT * FROM SECURITY - a simple dump of all data from the Security log
- SELECT EVENTID, COUNT(*) FROM SECURITY GROUP BY EVENTID - analyze what types of events appear in the Security log and in what quantity
- SELECT * FROM SECURITY WHERE EVENTID='517' - find whether the Security log was cleared (Windows 2000/XP/2003)
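As an added example (not code from the post, from Log Parser Lizard or from Log Parser's own documentation), here is how the three queries above can be run non-interactively with Log Parser itself from an elevated PowerShell prompt, writing each result to CSV for later review, plus one extra per-hour count that goes a step beyond the post's examples. The host name, the output folder and the presence of LogParser.exe on PATH are assumptions.

```powershell
# Added example (not from the original post): running the post's Log Parser
# queries from an elevated PowerShell prompt, plus a per-hour histogram.
# Assumptions: LogParser.exe (Log Parser 2.2) is on PATH; the prompt was
# started with "Run as administrator" so the Security log is readable;
# $Target and $OutDir are placeholders, not values from the post.
$Target = 'localhost'          # or a remote host the current credentials can reach
$OutDir = 'C:\Temp\logparser'  # placeholder output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The EVT input format reads the local log as "Security" and a remote one as \\host\Security.
$Log = if ($Target -eq 'localhost') { 'Security' } else { "\\$Target\Security" }

# 1. SELECT * FROM SECURITY: dump the whole log to CSV for offline review.
#    Naming the fields instead of using * keeps the file readable.
LogParser.exe -i:EVT -o:CSV -stats:OFF `
  "SELECT TimeGenerated, EventID, EventTypeName, SourceName, ComputerName, Strings INTO $OutDir\security_dump.csv FROM $Log"

# 2. SELECT EventID, COUNT(*) ... GROUP BY EventID: what appears, and how often.
#    ORDER BY puts the noisiest event IDs first; an unfamiliar ID near the top deserves a look.
LogParser.exe -i:EVT -o:CSV -stats:OFF `
  "SELECT EventID, COUNT(*) AS Hits INTO $OutDir\eventid_counts.csv FROM $Log GROUP BY EventID ORDER BY Hits DESC"

# 3. Was the log cleared? Event ID 517 on Windows 2000/XP/2003, as the post notes.
#    Strings holds the event's insertion strings (the variable parts of the message).
LogParser.exe -i:EVT -o:CSV -stats:OFF `
  "SELECT TimeGenerated, ComputerName, Strings INTO $OutDir\log_cleared.csv FROM $Log WHERE EventID = 517"

# 4. Beyond the post: events per hour, to spot bursts that a flat count hides.
#    QUANTIZE rounds each timestamp down to the start of its hour.
LogParser.exe -i:EVT -o:CSV -stats:OFF `
  "SELECT QUANTIZE(TimeGenerated, 3600) AS Hour, COUNT(*) AS Events INTO $OutDir\events_per_hour.csv FROM $Log GROUP BY Hour ORDER BY Hour"

Get-ChildItem $OutDir
```

The CSV files can be opened in Excel or fed back into Log Parser with -i:CSV, which is handy when the same questions are asked again after the live log has rolled over. Querying a remote host needs the same permissions the post describes for the local Security log: the account running LogParser.exe must be allowed to read that log on the remote machine.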
Analyzing the Security Log is always a useful approach to security controls, so you need to include it in your routine operations. And until you buy a SIEM system which will run an automatic and scheduled analysis, you should adopt a simple tool like Log Parser and Log Parser Lizard.
Talkback and comments are most welcome