If you need to do SQL-like queries on the SAV logs, MSFT Log Parser 2.2 is great.
I've had great success with this query:
logparser.exe
"SELECT
add(HEX_TO_INT(SUBSTR(TO_String(Field1), 0, 2)), 1970) as Year,
add(HEX_TO_INT(SUBSTR(TO_String(Field1), 2, 2)), 1) as Month,
HEX_TO_INT(SUBSTR(TO_String(Field1), 4, 2)) as Day,
HEX_TO_INT(SUBSTR(TO_String(Field1), 6, 2)) as hour,
HEX_TO_INT(SUBSTR(TO_String(Field1), 8, 2)) as minute,
HEX_TO_INT(SUBSTR(TO_String(Field1), 10, 2)) as second,
Field2 as Event,
Field3 as Category,
Field5 as computer,
Field6 as User,
Field7 as virus,
REPLACE_STR(Field8, ',', 'C') as File,
Field9 as action1,
Field10 as action2,
Field11 as action_taken,
Field12 as virus_type,
Field13 as event_block
FROM C:\data\SAV_logs\isg\*.Log
to C:\data\SAV_logs\isg.csv
WHERE
Field2=5 and Field3=1"
-i:csv -o:csv -headerRow:Off -dtLines:1000
(That smiley is the characters "colon O"; it reads headerRow[colon]Off.)
Again, without the extra line returns:
logparser.exe "select add(HEX_TO_INT(SUBSTR(TO_String(Field1), 0, 2)), 1970) as Year, add(HEX_TO_INT(SUBSTR(TO_String(Field1), 2, 2)), 1) as Month, HEX_TO_INT(SUBSTR(TO_String(Field1), 4, 2)) as Day, HEX_TO_INT(SUBSTR(TO_String(Field1), 6, 2)) as hour, HEX_TO_INT(SUBSTR(TO_String(Field1), 8, 2)) as minute, HEX_TO_INT(SUBSTR(TO_String(Field1), 10, 2)) as second, Field2 as Event, Field3 as Category, Field5 as computer, Field6 as User, Field7 as virus, REPLACE_STR(Field8, ',', 'C') as File, Field9 as action1, Field10 as action2, Field11 as action_taken, Field12 as virus_type, Field13 as event_block FROM C:\data\SAV_logs\isg\*.Log to C:\data\SAV_logs\isg.csv WHERE Field2=5 and Field3=1" -i:csv -o:csv -headerRow:Off -dtLines:1000
BTW the log format reference guide is here:
http://service1.symantec.com/SUPPORT/ent-security.nsf/0/57757c1d149130b788256c760069f7f7?OpenDocument
Message Edited by BigCompanySEPadmin on 12-09-2008 01:36 PM
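For anyone who wants the same decoding outside Log Parser (or on a box without it), here is an added Python example that is not part of the original post. It reproduces what the query above does: Field1 of a SAV log line is twelve hex digits (two each for year-since-1970, zero-based month, day, hour, minute, second), which is why the query adds 1970 to the first pair and 1 to the second. The example applies the same WHERE Field2=5 AND Field3=1 filter and emits the same columns as CSV. The log lines are constructed for illustration (field values and machine names are invented, not real SAV output), and because the csv module handles quoted fields, the post's REPLACE_STR workaround for commas in the file path is not needed.

```python
import csv
import io
from datetime import datetime

# Constructed sample lines (not real SAV output). The post selects Field1..Field13
# of the comma-separated log, so each constructed line carries exactly 13 fields.
SAMPLE_LOG = r"""260B090D2400,5,1,2,WS-EXAMPLE,jdoe,EICAR Test String,C:\Users\jdoe\Downloads\eicar.com,14,2,14,5,1
260B090D2500,2,2,1,WS-EXAMPLE,jdoe,,,0,0,0,0,0
260B09101E05,5,1,2,SRV-EXAMPLE,svc_backup,W32.Example.Gen,"D:\share\report, final.xls",11,2,11,5,1
"""

# Output columns, in the order the post's SELECT lists them (date parts merged).
COLUMNS = ["timestamp", "event", "category", "computer", "user", "virus",
           "file", "action1", "action2", "action_taken", "virus_type", "event_block"]


def parse_sav_timestamp(field1):
    """Decode the 12-hex-digit SAV timestamp: YY MM DD hh mm ss, two hex digits each.

    Year is an offset from 1970 and month is zero-based, which is exactly what
    the post's ADD(..., 1970) and ADD(..., 1) compensate for.
    """
    if len(field1) < 12:
        raise ValueError("timestamp field too short: %r" % field1)
    yy, mm, dd, hh, mi, ss = (int(field1[i:i + 2], 16) for i in range(0, 12, 2))
    return datetime(1970 + yy, mm + 1, dd, hh, mi, ss)


def parse_sav_record(fields):
    """Map one CSV row (list of strings) to the columns the post selects.

    Returns None for rows that are too short, have a bad timestamp, or whose
    event/category are not numeric, so one corrupt line is skipped instead of
    aborting the whole run.
    """
    if len(fields) < 13:
        return None
    try:
        return {
            "timestamp": parse_sav_timestamp(fields[0]),  # Field1
            "event": int(fields[1]),                       # Field2
            "category": int(fields[2]),                    # Field3
            "computer": fields[4],                         # Field5
            "user": fields[5],                             # Field6
            "virus": fields[6],                            # Field7
            "file": fields[7],                             # Field8
            "action1": fields[8],                          # Field9
            "action2": fields[9],                          # Field10
            "action_taken": fields[10],                    # Field11
            "virus_type": fields[11],                      # Field12
            "event_block": fields[12],                     # Field13
        }
    except ValueError:
        return None


def filter_events(log_text, event=5, category=1):
    """Return the records matching the post's WHERE Field2=5 AND Field3=1."""
    matches = []
    for fields in csv.reader(io.StringIO(log_text)):
        rec = parse_sav_record(fields)
        if rec is not None and rec["event"] == event and rec["category"] == category:
            matches.append(rec)
    return matches


def to_csv(records):
    """Render the filtered records as CSV with a header row (like the post's -o:csv)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    for rec in records:
        writer.writerow([rec["timestamp"].isoformat(sep=" ")] + [rec[c] for c in COLUMNS[1:]])
    return buf.getvalue()


if __name__ == "__main__":
    # On a real directory you would read each *.Log file and pass its text here.
    print(to_csv(filter_events(SAMPLE_LOG)))
```

The first sample timestamp, 260B090D2400, decodes to 2008-12-09 13:36:00: 0x26 = 38 years after 1970, 0x0B = 11 (zero-based, so December), day 9, hour 0x0D = 13, minute 0x24 = 36. A line whose event or category is not numeric is dropped rather than miscounted, which is worth knowing when the log has been truncated mid-write.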