Some log management software in the marketplace attempts to tokenize and normalize security log data at the time of collection/import, which necessitates 1.) a database platform for analysis, 2.) numerous table schemas to store the different types of tokens for different categories of events (e.g. taxonomies), and 3.) revisions of said schemas as event tokens expand over time (often as a result of new operating systems and service packs).
The whole process above is pretty labor intensive, and if you're a forensic auditor or the administrator of a small network, setting up a database for this purpose can be a costly endeavor. You may just want to open an EVT/EVTX file and rip it down every which way to produce some nifty reports. Or import a handful of said files into Access®, and then rip them down together.
We have opted for a different approach. Our PrecisionParser parses key Windows Security Log Description subfield data at the time the data is analyzed and reported against. It can work against a number of different formats, from security log data still inside EVT/EVTX files to comma-delimited text files and database tables produced by Event Archiver, our log collection and centralization software package.
Yes, you heard that EVTX part right. While some vendors still have their heads in the sand regarding EVTX compatibility for Windows Vista™ and Windows Server® 2008, Event Analyst can already parse the EVTX logs just as easily as the EVT versions, even if security log data from both operating systems resides together in one database table. This is a good thing, because the number of security events (as well as the tokens in their Description fields) has only expanded within Vista and 2008.
Here are some of the details on PrecisionParser inside Event Analyst:
As any veteran of security event log analysis can tell you, the subvalue name/data pairs in the Description field of Windows Security events are the golden nuggets that must be mined to generate meaningful reports. Existing users of Event Analyst have already enjoyed the capabilities of Event Analyst's prebuilt reports to extract, group, and sort this level of detail in a variety of categories, like logon activity and group management.
Now, Dorian Software has incorporated its exclusive PrecisionParser capability - a component of Dorian Software's exclusive LogRefiner technology - into Event Analyst's custom reporting engine. What does this mean to you? Plenty! Virtually any type of security event can now have its key subfields parsed out, grouped, and sorted inside Event Analyst's custom reporting engine. Want to group your 529 logon failures by Source IP Address and Authentication Package? No problem. Need to sort file access events by Handle ID? We've got that covered as well.
The benefits of Dorian's PrecisionParser capability are tremendous, and include:
True Log Format Independence - Parsable security log data formats include native EVT and EVTX files, comma-delimited text files produced by Event Archiver and Event Analyst, and Microsoft Access, SQL, or Oracle database tables produced by Event Archiver and Event Analyst. Dorian's multiple log format support stands in stark contrast to other vendor packages, which depend on multiple database table schemas in an attempt to normalize log data at time of collection, rather than normalizing data at time of analysis.
True Operating System and Service Pack Level Independence - PrecisionParser can handle virtually all security log data collected from different Microsoft operating systems - from Windows NT 4.0 to Windows Server 2008. This is important as Microsoft frequently expands reported data in security log events over time, often after service packs are applied. If a custom-defined subfield is not present in a legacy operating system event, the custom reporting engine degrades gracefully, simply indicating that the field was not found.
Correlation Across Related, Yet Different Security Events - Correlation is possible among different security events that share common subfields in their descriptions. For example, many security events log handle identifiers, logon identifiers, and IP addresses. Custom reports paired with advanced filters can now be designed to show a variety of event activity that is in fact related via these fields.
Support For Multiple Occurrences of the Same Subfield - While less common in legacy security events, Windows Vista and Windows Server 2008 now often include the same subfield name twice in the Description field. For instance, Event ID 4724 describes the resetting of a user's password by an administrator. The Description names two users under the same subfield, and the order in which they appear determines who reset the password and whose password was reset. When defining custom fields for reports, Event Analyst allows you to make this subtle distinction by indicating whether you would like to parse out the second, third, or nth occurrence of that field.
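To make the parse-at-analysis idea concrete, the following added example (written for this page; it is not Dorian Software's code and does not reflect how PrecisionParser is implemented) parses the "Name: Value" subfield pairs out of a Description field in the order they appear, returns the nth occurrence of a repeated name as the 4724 passage describes, reports a field as not found when an event lacks it (the graceful degradation described under operating system independence), and groups events by several subfields as in the 529 logon-failure example above. The two Description samples are constructed, and the subfield names used in them (for instance "Source Network Address" rather than "Source IP Address") are assumptions for the sample, not values taken from the page.

```python
import re
from collections import Counter

# Constructed sample Description fields (not captured from a real system).
# Layout follows the Security log's "Name:<tab>Value" convention.
EVT_4724 = """An attempt was made to reset an account's password.
Subject:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-500
\tAccount Name:\t\tadmin
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x3e7
Target Account:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP
"""
EVT_529 = """Logon Failure:
\tReason:\t\tUnknown user name or bad password
\tUser Name:\tjdoe
\tDomain:\t\tCORP
\tLogon Type:\t3
\tAuthentication Package:\tNTLM
\tSource Network Address:\t10.0.0.5
"""
# One "Name:" followed by at least one space/tab and a value; section headers
# such as "Subject:" have nothing after the colon and are therefore skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):[ \t]+(\S.*?)\s*$", re.MULTILINE)

def parse_subfields(description):
    """Ordered (name, value) pairs; order matters because the nth occurrence
    of a repeated name (e.g. Account Name in 4724) carries a different role."""
    return [(m.group(1), m.group(2)) for m in FIELD_RE.finditer(description)]

def subfield(description, name, occurrence=1):
    """nth (1-based) occurrence of a subfield, or a marker when the event
    lacks it, so reports over mixed OS generations degrade gracefully."""
    hits = [v for n, v in parse_subfields(description) if n.lower() == name.lower()]
    return hits[occurrence - 1] if len(hits) >= occurrence else "Field Not Found"

def group_by(descriptions, names):
    """Count events by a tuple of subfield values, e.g. 529 failures by
    Source Network Address and Authentication Package."""
    return Counter(tuple(subfield(d, n) for n in names) for d in descriptions)

if __name__ == "__main__":
    print(subfield(EVT_4724, "Account Name", 1), "reset the password of",
          subfield(EVT_4724, "Account Name", 2))
    print(group_by([EVT_529, EVT_529.replace("NTLM", "Kerberos")],
                   ["Source Network Address", "Authentication Package"]))
```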
Multiple Report Formats Remain Available For Presentation and Data Mining - As in previous versions, custom reports in Event Analyst will continue to be generated in both HTML and CSV formats. The printer-friendly HTML version of the report is excellent for presentation and review by management, whereas the CSV version of the report allows you to import raw, parsed subfield data from the description field into other software packages, such as Microsoft Excel®. Frequent users of Microsoft Excel will be amazed at the level of analysis possible when reviewing CSV files with Excel's AutoFilter feature.