Fun with dumpevt and MS Log Parser

I have been having fun learning how to combine Dumpevt from Somarsoft and MS Log Parser. Let me say once you start to get the hang of it you can do some cool things. Also MS makes a great PDF for Security Event information. You can modify the below to make your own reports for those various IDs.
For example the below makes a CSV (comma seperated file) showing all user accounts who had EventID 644 lockouts the previous day. Download dumpevt, MS Log parser the header file I made all into a folder together. Then put the below commands into a bat file in the same folder. Remove my comments that are in bold.

  • First we call dumpevt for three domain controllers. Obviously this bat file has to be executed as a user whom has rights to pull the logs remotely. Dumpevt will actually concatenate the dumps into one file.

del c:\logs\644.csv
del c:\logs\errors.txt
dumpevt /computer=PDC /logfile=sec /outdir=c:\logs\ /outfile=644.csv /all >> c:\logs\errors.txt
dumpevt /computer=BDC01 /logfile=sec /outdir=c:\logs\ /outfile=644.csv /all >> c:\logs\errors.txt
dumpevt /computer=BDC02 /logfile=sec /outdir=c:\logs\ /outfile=644.csv /all >> c:\logs\errors.txt

  • Second we create a temp.csv file concatenating the header I provided with the output of the dumpevt calls.

type dumpevt-header.csv > temp.csv
type 644.csv >> temp.csv

  • Next we call Log Parser. We tell it the input is in CSV format and the first row is the header. We specify what format we want the timestamps in for output. Next we select all fields, parse out the user account name where eventID is 644 and the date is the previous day. We go from temp.csv into a new file temp2.csv and have the output in date-time order.

LogParser -i:CSV -headerRow on -iTSFormat:”yyyy-MM-dd” “SELECT *, SUBSTR(EXTRACT_TOKEN(Strings, 1,’^’), 23) AS Account INTO temp2.csv FROM temp.csv WHERE EventID = 644 AND Date = TO_DATE(SUB( SYSTEM_TIMESTAMP(), TIMESTAMP(‘2’, ‘d’))) ORDER BY DATE, Time

  • Last we run the temp2.csv through Log Parser once more. This will generate a csv file called 644report.csv with the columns Date, Time, Computer and the Account that was locked out. Note it drops all entries where the user account name is blank. This happens with some 644 events. I am not sure yet why but I am still teaching myself all about this log parsing and interpretation.

LogParser -i:CSV -headerRow on -iTSFormat:”yyyy-MM-dd” “SELECT DATE, TIME, Computer, Account INTO 644report.csv FROM temp2.csv WHERE STRLEN(Account) >1”


eTrust ITM

I have to say once you have the settings all tweaked out eTrust ITM works really well. It has cleaned a good bit of spyware off many high risk pcs such as customer service folks. The main things to watch are setting up multiple internal signature distribution servers, understanding how policy objects override at each branch then finally how the reporting frequency works. Also you need to understand that the poling for clients. The scan type discovery only works for v7.1 and r8 clients. If you are not seeing your older v7 and v6 clients make sured you are using a specified election for subnets remote to the admin server.

When installing the client with the remote install tool I also found you can cheat, do a silent install with no reboot forced. Just start the services on the PC and away you go.


CA Plans for Support Improvement

Well after my lovely experience with CA support I actually got an email at work from the VP of Tech Support at CA. We had a really good conversation. He completely agreed that my experience should have been better than that. I did explain once I get a tech at CA I get my issue answered and more. It is just getting to one that is the problem. The new eTrust is working great (once installed on win2k3). I did have one followup experience with tech support since then. There was a minor question I had about the stat generation and event notification under the new version. I spent 35 mins on hold. Then I finally got a ring, then a beep then dead air. I sat there for a full minute and no one came on the line. I took the VP up on his offer to let him know of any future support experience. So I dropped him an email. I did explain it was not an emergency issue but I felt he could use data on the hold times etc in his efforts to gain more resources to improve support. He had a tech call me back shortly after the email. The tech was very helpful and answered all my questions.

The Support VP told me they were working full steam on replacing that horror of a web site.  Maybe even opening it back up to the public.  After all I know I and other friends browse support forums  prior to making purchasing decisions.  Every product has its issues.  But knowing what they are and how freely options are can still justify going forward with a product.


Computer Associates – What not to do for support.

I have been using CA products for nearly 10 years. I remember when what is now eTrust and Brightstor were Inoculan and Arcserve. They came in brown boxes back then. I probably know more than the second tier support if not some of the third. Yet when I updated to r8 eTrust ITM (Integrated Threat Management) I found ITM hates windows NT 4.0. Yeah I know that is an old platform but I was not ready to move my admin console to a new box and just wanted to upgrade in place to keep all my settings. Of course after the first round of udpates ITM eats itself on NT. So I call CA for support. After all I pay for maintenance. I sat on hold for thirty minutes. The message does nothing to tell you how much longer you have to wait. So being busy I hung up and called back. I asked for a call back position on the list. Two and a half hours later… Nothing. NADA. I call back and am told they are picking up from the queue quickly. OK then why the heck was I not called back?!? So I go into the queue again. Five minutes and I get a person. He puts me on hold to look up my information even though I provided my site ID. Fifteen minutes later I am hearing some odd ring back tone. Five minutes of that and I hang up. I call back to the support number and insist on a call back. Any guesses when I got it? That is right 24 hours later. After four reloads with the last one being as just a signature distribution server so all my clients remain protected. That finally worked. Of course it lost all my settings. Though easy enough to redo it is still frustrating. Why could they not provide a export settings feature? When they finally called back the lady was nice enough but I told her straight up too late. I solved it myself by moving to a 2003 server box.

Don’t even get me started on how bad their support web site sucks. Takes 20 minutes to find anything. I even remember when they changed it to the atrocity it is now. You cannot find documents in the knowledge base I know were there before.

Good products do not mean great support and in the end can motivate someone to change the platform for an entire enterprise. CA would do well to remember even IT guys want decent support like any user.


Xbox and Sony LCD HD TV

Oh my lordy. I finally got a Sony 32″ HD LCD TV today over at Sams. My old 27″ TV tuner went out and we had about 6 working channels. So for fun I am trying out my xbox 360 as a DVD player hooked up via the HD cable. What a difference the picture has in HD. I had long ago bought a Xbox Media Center Universal Remote to use with my 360 once I get it running as an extender to my HP z545 Media Center. Unfortunately the same thing that knocked out my tv blasted the power supply in my z545. The replacement should be here tomorrow. But in the mean time if you need the tv codes to program your xbox remote they can be found here.


Laptop as Forensic Workstation

Well finally had to reload my Thinkpad R40 from scratch.  WindowsXP lost its mind.  For those whom are curious here is a list of what I loaded back onto it once I was done with the Lenovo and Windows updates.

Loaded on my freshly redone forensics laptop


WPA-PSK w TKIP on Cisco

Well crap. Been wanting to know how to do this for MONTHS. Never could find a CLEAR config on Here are the base commands if you do not need to support vlans on the wireless. If you want to know more so you can use vlans on the wireless see the original tutorial that showed me the light over at Techrepublic. Thanks to a fellow George, George Ou.

interface Dot11Radio0
no ip address
encryption mode ciphers tkip
ssid YourSSID
authentication open
authentication key-management wpa
wpa-psk ascii 0 yourkeyhere