Elmer Status

Aug 24, 2008 at 9:14 AM
We are now in the first step of the project: ensuring we have all the knowledge/tools we need to go further.
So, the source code published is the code of "technical trials", a kind of proof of concept for each technical piece of the project.
The technical pieces are: Windows Service, multithreading, Event Log management and ... how to work with CodePlex ;-)

In the next step, we will publish the analysis documents.



Note: Why 'Cougar'? Because it is my call sign in Falcon 4 Allied Force ^^
Sep 27, 2008 at 6:28 AM
Looks like an interesting project. Let me know if I can assist in any way. I'm a long-term SQL Server DBA & scripty-weasel and have been tinkering with some of this myself recently. I'm still grappling with some of the visualization issues, given the sparse dimensions that event log details give you based on the key/value pairs, but I'll figure it out eventually.

In the meantime... I offer you this as a potential starting point for one of the parsing tasks. By the time I got to this I'd already loaded a CSV dump of an event log into SQL Server and done some REPLACE() operations in T-SQL to put the whole Event Detail text block onto a single line and throw in some clear field delimiters. Take a look at what I've thrown together and you'll get a pretty quick idea of where the value of that comes in.

Option Explicit
Dim fso, fin, finstream, fout
Dim inputLine, outputLine
Dim eventID, eventDetailRow, eventDetailRecord
Dim eventDetailID, keyName, keyValue
Dim i

eventDetailID = 1
Set fso = CreateObject("Scripting.FileSystemObject")
Set fin = fso.GetFile("D:\Documents and Settings\wz6yt9\My Documents\_Clients\TabCorp\SecLogDetail.csv")
' 1 = ForReading, 0 = TristateFalse (open as ASCII)
Set finstream = fin.OpenAsTextStream(1, 0)
Set fout = fso.CreateTextFile("D:\Documents and Settings\wz6yt9\My Documents\_Clients\TabCorp\SecLogDetail_Trxfm.csv", True, False)

Do Until finstream.AtEndOfStream = True
    ' Each input line is: eventID,<Event Detail block flattened onto one line, pairs separated by |>
    inputLine = Split(finstream.ReadLine(), ",", -1, 1)
    If UBound(inputLine) >= 1 Then
        eventID = inputLine(0)
        eventDetailRow = Split(inputLine(1), "|", -1, 1)
        For i = LBound(eventDetailRow) To UBound(eventDetailRow)
            ' Split on the first ':' only, so values that themselves contain colons stay intact
            eventDetailRecord = Split(eventDetailRow(i), ":", 2, 1)
            If UBound(eventDetailRecord) = 1 Then
                keyName = eventDetailRecord(0)
                keyValue = eventDetailRecord(1)
                ' One normalised row per key/value pair: detailID, eventID, "key", "value"
                outputLine = CStr(eventDetailID) & "," & CStr(eventID) & ",""" & keyName & """,""" & keyValue & """"
                fout.WriteLine outputLine
                WScript.Echo outputLine
                eventDetailID = eventDetailID + 1
            End If
        Next
    End If
Loop

finstream.Close
fout.Close
Set fso = Nothing
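The same parsing task as an added Python example (not code from the thread or from the Elmer project): it takes the flattened `eventID,Key:Value|Key:Value` layout described above and explodes it into one normalised (detailID, eventID, key, value) row per pair. Unlike a plain split on commas it uses the csv module, so a quoted detail column that contains commas survives, and it splits each pair on the first colon only, so values such as timestamps keep theirs. The sample input is constructed.

```python
import csv
import io

# Constructed sample: event ID, then the Event Detail block already flattened
# onto one line with '|' between key/value pairs (the layout assumed above).
SAMPLE_CSV = (
    '4624,"Logon Type:3|Account Name:alice|Logon Time:12:34:56"\n'
    '4625,"Account Name:bob|Failure Reason:Unknown user name or bad password."\n'
    'junk line without a detail column\n'
)


def parse_event_details(text):
    """Return a list of (detail_id, event_id, key, value) tuples.

    csv.reader handles quoting, so a detail column containing commas is still
    one field; str.partition splits on the first ':' only.
    """
    rows = []
    detail_id = 1
    for record in csv.reader(io.StringIO(text)):
        if len(record) < 2:
            continue  # no detail column on this line
        event_id = record[0].strip()
        for pair in record[1].split("|"):
            key, sep, value = pair.partition(":")
            if not sep:
                continue  # no ':' means this is not a key/value pair
            rows.append((detail_id, event_id, key.strip(), value.strip()))
            detail_id += 1
    return rows


def write_normalised_csv(rows):
    """Serialise the rows as CSV; csv.writer quotes and escapes as needed."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(write_normalised_csv(parse_event_details(SAMPLE_CSV)), end="")
```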


