Thursday, September 4, 2008

Why Can't A Windows Server 2008 or Vista Log Be Viewed On My XP Machine?

The following was excerpted from our recent Event Alarm product update announcement:

It seems simple enough, doesn't it? At Dorian, we're seeing the question more and more, and we wish we had a better answer. But - regardless of what log management package you choose - if you want to review an EVTX log (that is, a log generated by Windows ® Server 2008 or Windows Vista ™) you're going to have to open it on a Windows Server 2008 or Windows Vista machine.

Why? Because the new Windows Event Log API functions are only available inside Windows Vista and later operating systems, legacy Windows operating systems like XP and 2003 cannot read previously saved EVTX files at all. There is simply no forward compatibility for consuming saved EVTX files. Period.

And while the legacy Event Log API can be used to read some of the events from an "active" EVTX file (that is to say an EVTX file currently being maintained by the EventLog service on a Vista machine), it cannot properly read and parse some events recorded by the new API.

Many remember when vending machines started accepting paper money. Whenever one actually had paper money, it seemed the "legacy" coin-only machines were all that were around. Try as you might, that XP machine isn't going to read that EVTX log. Don't thank us - thank Microsoft.

Our LogRefiner technology helps manage both formats (EVT and EVTX) side-by-side. Even with this snazzy new technology though, if there are any EVTX logs in the mix, plan on installing our software and managing from a Windows Vista or Windows Server 2008 machine.

Meanwhile, got change for a dollar?

Event Alarm Monitors EVT and EVTX Logs, Side-By-Side!

Event Alarm Version 6 was released in late August. This week, we sent out our official version update announcement.

Just like our prior Event Analyst and Event Archiver releases, this version of Event Alarm is completely Microsoft Vista™ and Windows Server ® 2008 compatible, and features our revolutionary LogRefiner™ technology. You can download Version 6 of Event Alarm here.

We've already mentioned in a bunch of posts that trying to read legacy EVT files on Windows Vista and Server 2008 is quite a chore, with missing fields and information being quite common.

Well here's the good news. Thanks to our pioneering LogRefiner™ technology, you can remotely monitor EVT and EVTX files natively and side-by-side when Event Alarm is installed to a Microsoft Vista or Server 2008 computer. No weird conversions or intermediate steps are necessary, and you get all the data parsed correctly from both log formats the first time. For those admins who are attempting to run Windows Vista or Server 2008 on their workstations, this is a big plus because now you can use Event Alarm as your preferred monitoring solution for all of your Microsoft Windows computers, regardless of how many have been migrated forward to Vista/Server 2008 and the new EVTX format.

On top of Event Alarm's remote, agentless log monitoring, when Event Alarm is purchased as part of Dorian Software's Total Event Log Management Solution™, you effectively have a comprehensive platform for archiving, analyzing, and monitoring event log data from EVT and EVTX log files throughout your network, all from a single install point, network topology permitting.

Here's the full launch announcement for Event Alarm Version 6, complete with a comprehensive feature listing.

Monday, August 4, 2008

Why Your HR Department Will Love Windows Vista, Even If Your IT Department Doesn't.

We're back, gentle readers, with a delicious posting about two new Event IDs available in the Microsoft Windows Vista™ Security Log: Event ID 4802 and Event ID 4803.

Event ID 4802 tracks whenever the screensaver is invoked after a group policy-determined idle time.

Event ID 4803 tracks whenever the screensaver is dismissed by the logged-on user.

Using our versatile Event Analyst® reporting utility, it's easy to create a custom report to track the productivity of your staff.

Here's an example of said report, grouped by user and then sorted chronologically.

In this example, MarkW's screensaver kicked in at 3:04:10 PM and then was dismissed at 3:30:00 PM. Later, the screensaver came back on at 3:45 PM. If your company mandates a given idle time before the screensaver is launched on all desktops via Group Policy, it's easy to calculate the total idle time by adding that number to the period in between Event ID 4802 and Event ID 4803.

For maximum reporting capabilities, consider using our Event Archiver® log collection tool to bring your Microsoft Vista workstation security log data into a central database on a routine basis. Then, link Event Analyst up to said database table, build said custom report, and impress your HR department! Both of these tools are Microsoft Vista and Windows Server® 2008 ready, so have at it.

Finally, we do have a current promotion on Event Archiver, Event Analyst, and Fortress Desktop™ workstation licenses when purchased together. For more details, review our Promotions page for more details.

FYI - For those organizations not running Windows Vista yet, you can still obtain information about screen saver run times by using our Fortress Desktop utility, and then create a similar report in Event Analyst.

Wednesday, July 16, 2008

A Big Thank You to Our Clients and Partners

While this isn't "development-related" per se, it is a product of our development efforts, so we wanted to share it with our readership.

Dorian Software Posts Highest Quarterly Sales Revenue Ever

A big thanks again to all our clients and partners for their ongoing support.

Tuesday, July 8, 2008

Mega SIEM/SEM = Mega Headaches

It's been almost a year since we wrote about the perils of mega-SIEM/SEM packages, and now it looks like industry analysts are starting to agree with us.

Take a look at the following Network World article entitled "SIEM tools come up short."

A key quote: "User interfaces were clunky, reports were incomplete, data parsing problems are still around, and when it came to trying to figure out what the heck was going on in our Windows environment, most products left us scratching our heads. (One could argue, however, that this is as much Microsoft's fault as
anyone else's.)"

Ouch! That left a mark.

It's a good thing for those organizations that there is at least one vendor that does Windows log management correctly. :)

We wonder if these mega-SIEM vendors have even gotten a handle on Vista, Server 2008, and the new EVTX log format. Something tells us the answer to that question is "no."

Tuesday, June 17, 2008

Event Analyst ® 7 Can Slice and Dice Your Security Event Logs ... Any Way Your Auditors Want Them Served

After more sweat and tears, the Dorian Software Development Team is happy to announce the release of Event Analyst Version 7. Version 7 comes with a huge overhaul to the custom reporting engine inside Event Analyst, allowing our users to parse the smallest details out of Windows Security Log Events, grouping and sorting them to their (and their auditors!) hearts' content. We call this Event Analyst's PrecisionParser ™ capability, and it's a subcomponent of our greater LogRefiner ™ technology.

Some log management software in the marketplace attempts to tokenize and normalize security log data at the time of collection/import, necessitating 1.) a database platform for analysis, 2.) numerous table schemas to store the different types of tokens for different categories of events (e.g. taxonomies), 3.) revisions of said schemas as event tokens expand over time (often as a result of new operating systems and service packs).

The whole process above is pretty labor intensive, and if you're a forensic auditor or the administrator of a small network, setting up a database for this purpose can be a costly endeavor. You may just want to open an EVT/EVTX file and rip it down every which way to produce some nifty reports. Or import a handful of said files into Access ®, and then rip them down together.

We have opted for a different approach. Our PrecisionParser does the parsing of key Windows Security Log Description subfield data at the time the data is analyzed and reported against. It can work against a bunch of different formats, such as security log data still inside EVT/EVTX files, to comma-delimited text files and database tables produced by Event Archiver, our log collection and centralization software package.

Yes, you heard that EVTX part right. While some vendors still have their heads in the sand regarding EVTX compatibility for Windows Vista ™ and Windows Server ® 2008, Event Analyst can already parse the EVTX logs just as easily as the EVT versions, even if security log data from both operating systems resides together in one database table. This is a good thing, because the number of security events (as well as the tokens in their Description fields) have only expanded within Vista and 2008.

Here are some of the details on PrecisionParser inside Event Analyst:

As any veteran of security event log analysis can tell you, the subvalue name/data pairs in the Description field of Windows Security events are the golden nuggets that must be mined to generate meaningful reports. Existing users of Event Analyst have already enjoyed the capabilities of Event Analyst's prebuilt reports to extract, group, and sort this level of detail in a variety of categories, like logon activity and group management.

Now, Dorian Software has incorporated its exclusive PrecisionParser capability - a component of Dorian Software's exclusive LogRefiner technology - into Event Analyst's custom reporting engine. What does this mean to you? Plenty! Virtually any type of security event can now have its key subfields parsed out, grouped, and sorted inside Event Analyst's custom reporting engine. Want to group your 529 logon failures by Source IP Address and Authentication Package? No problem. Need to sort file access events by Handle ID? We've got that covered as well.

The benefits of Dorian's PrecisionParser capability are tremendous, and include:

True Log Format Independence - Parsable security log data formats include native EVT and EVTX files, comma-delimited text files produced by Event Archiver and Event Analyst, and Microsoft Access, SQL, or Oracle database tables produced by Event Archiver and Event Analyst. Dorian's multiple log format support stands in stark contrast to other vendor packages, which depend on multiple database table schemas in attempt to normalize log data at time of collection, rather than normalizing data at time of analysis.

True Operating System and Service Pack Level Independence - PrecisionParser can handle virtually all security log data collected from different Microsoft operating systems - from Windows NT 4.0 to Windows Server 2008. This is important as Microsoft frequently expands reported data in security log events over time, often after service packs are applied. If a custom-defined subfield is not present in a legacy operating system event, the custom reporting engine degrades gracefully, simply indicating that the field was not found.

Correlation Across Related, Yet Different Security Events - Correlation is possible among different security events that share common subfields in their descriptions. For example, many security events log handle identifiers, logon identifiers, and IP addresses. Custom reports paired with advanced filters can now be designed to show a variety of event activity that is in fact related via these fields.

Support For Multiple Occurrences of the Same Subfield - While less common in legacy security events, Windows Vista and Windows Server 2008 now often include the same subfield name twice in the Description field. For instance, Event ID 4724 describes the resetting of user passwords by an administrator. Yet the order of the occurrence of the user in the Description determines whose password was reset, and who actually reset the password. When defining custom fields for reports, Event Analyst allows you to make this subtle distinction by indicating if you would like to parse out the second, third, or nth occurence of that field.

Multiple Report Formats Remain Available For Presentation and Data Mining - As in previous versions, custom reports in Event Analyst will continue to be generated in both HTML and CSV formats. The printer-friendly HTML version of the report is excellent for presentation and review by management, whereas the CSV version of the report allows you to import raw, parsed subfield data from the description field into other software packages, such as Microsoft Excel ®. Frequent users of Microsoft Excel will be amazed at the level of analysis possible when reviewing CSV files with Excel's AutoFilter feature.

Tuesday, May 13, 2008

Importer™ Tool for Event Archiver® Released

One of the more challenging things about log management is trying to collect the vast amount of data that is generated in multi-site networks over limited bandwidth links.

To that end, we have developed a companion tool to our Event Archiver® software - the Importer™ tool for Event Archiver.

Basically, you can instruct all of your various Event Archiver installations to send compressed sets of log data in EVT/EVTX and comma-delimited formats to a computer running the Importer utility. You can use Microsoft Windows file shares or FTP to transport the compressed log file pairs as needed.

Once received, the Importer utility can decompress the log data and automatically import it into a central Microsoft SQL or Oracle database for analysis by our Event Analyst® software.

If you want to deploy a log management solution, but are struggling with the concept of consolidating your data over limited bandwidth pipes, this tool is the answer. It's also a better system than having to deploy an agent to every computer on your network; using the Importer system, you typically only need to deploy one instance of Event Archiver to each local network / branch office.

As far as bandwidth considerations go, by transmitting the data in compressed form, the bandwidth necessary is only 7 to 10% that of the uncompressed log files. We have clients who have successfully used this solution over satellite links, so it has been proven in the field.

For more information on the Importer utility for Event Archiver, including licensing costs, please visit

Wednesday, February 13, 2008

UltraAdmin Version 6 Now Available

As promised, version 6 of UltraAdmin® is now available for download from the Dorian Software website. This version is being made available at no charge to any network administrator who wishes to use it. For those organizations and individuals that need priority support for the product, you can purchase it here.

We've also made available a PDF file listing all of UltraAdmin's features.

The new features in Version 6 include the utility's support for Microsoft Vista™ (important for those admins who are using it on their workstations), support for EVTX and EVT event log reading when installed on Vista, and a new database query tool that can be used to comb through data exported by UltraAdmin into a Microsoft Access database.

A rather nice, but often overlooked feature we introduced in Version 5, is UltraAdmin's ability to manage startup programs on servers and workstations remotely. Specifically, UltraAdmin can manage Run key programs, BHOs, Winlogon notification packages, and Startup folder links. Consequently, UltraAdmin can be used to remove or limit some types of spyware or malware that hook these areas to ensure their load at startup.

For example, an administrator using UltraAdmin can:

1.) Locate the offending executable or DLL that is loaded at startup.
2.) Change the NTFS permissions on that executable or DLL remotely so that no one has access to the file.
3.) Reboot the workstation or server in question remotely.
4.) Delete the offending files after the system has been restarted, and delete the startup hooks referencing those files.

Obviously, some forms of spyware/malware are more tenacious than others, and will be substantially harder to remove. For powerful anti-spyware software, we recommend CounterSpy™ from our friends at Sunbelt Software. Still, UltraAdmin remains an excellent tool in the admin's arsenal, especially for spyware/malware that be surgically extracted in the manner mentioned above.

Friday, February 8, 2008

UltraAdmin Is Now Free, and Features LogRefiner Technology

When you take a bit of a hiatus from blogging, you need to resurface with a bang. To that end, we're excited to announce that UltraAdmin Version 6 will be released next week. The best part?

We're making it available FREE to any network administrator who wants to use it. Fully functional, uncrippled, comprehensive Windows domain and Active Directory management at your fingertips.

We will sell priority support plans for it at $99.00 USD per admin per year, for those who desire that level of assistance.

Some of the biggest Version 6 highlights:

1.) It now supports Microsoft Vista™

2.) It can read both live and saved EVT and EVTX log files when run on Microsoft Vista. Admins won't need to crank up two different versions of the Microsoft Event Viewer to view their logs. We've placed some of our amazing LogRefiner™ technology inside UltraAdmin to accomplish this.

3.) It has a built-in query tool that complements the UltraAdmin Reporter/Exporter module, allowing the administrator to quickly comb through the Microsoft Access databases that UltraAdmin can populate with domain objects and their properties.

We'll post more information on UltraAdmin - including a link to download it and a comprehensive feature listing - early next week.