Endpoint Protection

SAV 9, 10 log parsing with MSFT Log parser 2.2

    Posted Dec 09, 2008 04:28 PM

    If you need to do sql-like queries on the SAV logs, MSFT Log Parser 2.2 is great.

    I've had great success with this query:

    logparser.exe
    "SELECT
         add(HEX_TO_INT(SUBSTR(TO_String(Field1), 0, 2)), 1970) as Year,
         add(HEX_TO_INT(SUBSTR(TO_String(Field1), 2, 2)), 1) as Month,
         HEX_TO_INT(SUBSTR(TO_String(Field1), 4, 2)) as Day,
         HEX_TO_INT(SUBSTR(TO_String(Field1), 6, 2)) as hour,
         HEX_TO_INT(SUBSTR(TO_String(Field1), 8, 2)) as minute,
         HEX_TO_INT(SUBSTR(TO_String(Field1), 10, 2)) as second,
         Field2 as Event,
         Field3 as Category,
         Field5 as computer,
         Field6 as User,
         Field7 as virus,
         REPLACE_STR(Field8, ',', 'C') as File,
         Field9 as action1,
         Field10 as action2,
         Field11 as action_taken,
         Field12 as virus_type,
         Field13 as event_block
    FROM C:\data\SAV_logs\isg\*.Log
         to C:\data\SAV_logs\isg.csv
    WHERE
         Field2=5 and Field3=1"
    -i:csv -o:csv -headerRow:Off -dtLines:1000       <--that smiley is the characters "colonO" - reads headerRow[colon]Off

    Again, without the extra line returns:

    logparser.exe "select add(HEX_TO_INT(SUBSTR(TO_String(Field1), 0, 2)), 1970) as Year, add(HEX_TO_INT(SUBSTR(TO_String(Field1), 2, 2)), 1) as Month, HEX_TO_INT(SUBSTR(TO_String(Field1), 4, 2)) as Day, HEX_TO_INT(SUBSTR(TO_String(Field1), 6, 2)) as hour, HEX_TO_INT(SUBSTR(TO_String(Field1), 8, 2)) as minute, HEX_TO_INT(SUBSTR(TO_String(Field1), 10, 2)) as second, Field2 as Event, Field3 as Category, Field5 as computer, Field6 as User, Field7 as virus, REPLACE_STR(Field8, ',', 'C') as File, Field9 as action1, Field10 as action2, Field11 as action_taken, Field12 as virus_type, Field13 as event_block FROM C:\data\SAV_logs\isg\*.Log to C:\data\SAV_logs\isg.csv WHERE Field2=5 and Field3=1" -i:csv -o:csv -headerRow:Off -dtLines:1000

    BTW the log format reference guide is here:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/0/57757c1d149130b788256c760069f7f7?OpenDocument

    Message Edited by BigCompanySEPadmin on 12-09-2008 01:36 PM
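For anyone without Log Parser on hand, the same decoding and filtering can be reproduced in plain Python. This is an added example, not code from the post above: it takes the 12-hex-character Field1 timestamp apart exactly as the query does (two hex characters per component, year offset from 1970, zero-based month), applies the same REPLACE_STR treatment to Field8, and keeps only rows where Field2=5 and Field3=1. The log lines, host names and field values are constructed for the demonstration; the meaning of the numeric codes is not interpreted.

```python
import csv
import io
from datetime import datetime

# Constructed sample SAV log lines (not from the original post). Field1 is the
# 12-hex-character timestamp the post's query decodes; the remaining columns
# follow the post's Field2..Field13 aliases (Field4 is unused there, kept as filler).
SAMPLE_LOG = (
    "260B09101C00,5,1,0,WKS01,jdoe,EICAR Test String,C:\\temp\\eicar.com,1,4,1,5,0\n"
    "260B09102300,2,3,0,WKS02,svc,,C:\\Program Files\\app,0,0,0,0,0\n"
    "260B0A0F0005,5,1,0,WKS03,asmith,Trojan.Sample,C:\\Users\\asmith\\a.exe,1,4,1,5,0\n"
)

# Column names for Field2..Field13, matching the aliases in the post's SELECT.
FIELD_NAMES = ["Event", "Category", "Field4", "computer", "User", "virus",
               "File", "action1", "action2", "action_taken", "virus_type", "event_block"]


def decode_sav_timestamp(field1):
    """Mirror the query: each 2-hex-char slice is one component; the year is
    offset from 1970 and the month is zero-based, hence the +1970 and +1."""
    if len(field1) != 12:
        raise ValueError("expected 12 hex characters, got %r" % (field1,))
    yy, mm, dd, hh, mi, ss = [int(field1[i:i + 2], 16) for i in range(0, 12, 2)]
    return datetime(yy + 1970, mm + 1, dd, hh, mi, ss)


def parse_sav_log(text):
    """Parse raw SAV log text into one dict per line with a decoded timestamp."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 13:
            continue  # skip blank or truncated lines rather than crash on them
        rec = dict(zip(FIELD_NAMES, row[1:13]))
        rec["timestamp"] = decode_sav_timestamp(row[0])
        rec["File"] = rec["File"].replace(",", "C")  # same as REPLACE_STR(Field8, ',', 'C')
        records.append(rec)
    return records


def select_events(text):
    """Equivalent of the post's WHERE Field2=5 and Field3=1 filter."""
    return [r for r in parse_sav_log(text)
            if r["Event"] == "5" and r["Category"] == "1"]


if __name__ == "__main__":
    for r in select_events(SAMPLE_LOG):
        print(r["timestamp"].isoformat(), r["computer"], r["User"], r["virus"], r["File"])
```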