LogRefiner Technology May Prove Critical To Maintaining Your Log Management Strategy
There are a number of complications in reconciling existing log strategies - usually designed only for the soon-to-be "legacy" EVT format - with the log data being generated by Windows Vista and upcoming versions of Windows Server via the new EVTX format.
But, Dorian's exclusive LogRefiner technology enables you to move to the EVTX format at your speed and on your terms. Many compliance standards require that log data be maintained for a period of years. Therefore, in most - if not all - cases, maintaining EVTX and EVT formats alongside each other will be necessary at least for some time after IT organizations begin to adopt the new format.
Be wary of log products on the market that require management of logs in one but not both formats. Also, be wary of proprietary back-end databases. Both of these factors will not only further complicate migration matters for you in the future, they will likely cause serious disruptions in your log management strategy. If your organization's compliance efforts rely on log management - as many do - such a disruption cannot be afforded.
Whether or not your organization plans on adopting the EVTX format, why not be ready for it anyway? Capabilities powered by LogRefiner technology that appear in Event Analyst include:
Downlevel EVT File Processing in Windows Vista
Dorian's exclusive LogRefiner technology can read, filter, and report on EVT files from downlevel systems directly alongside the EVTX files from Windows Vista and newer operating systems.
With Event Analyst's exclusive new technology, no information goes missing when converting downlevel EVT files into new formats – all event log fields are processed properly the first time.
Streamlined Fields Between EVT and EVTX Logs
Did you know that Windows Vista’s EVTX logs have even more fields? Event Analyst can now be instructed to automatically consolidate these fields - the Keyword and Opcode fields specifically - into the Task (Category) field so that you can have a uniform field structure when working with EVT and EVTX log files.
Field Consistency Across Logs
In the Windows Vista Security Log, no information about the user performing the action or affected by the action is recorded in the User field when an event is logged. Instead, all user information is placed in the Description of the event.
Event Analyst, however, has the ability to place the most relevant user information back into the User field as it reads and processes EVTX files.
By helping maintain the consistency of log data and its formatting, this feature greatly aids the administrator or compliance officer in charge of reviewing the consolidated data.
Success Audits Versus Failure Audits Defined
Another major change in the Windows Vista security log is that all events are recorded as “Informational.” To discern whether or not the event represents a failed or successful action, the administrator must refer to the Keyword of the event.
But, Event Analyst - when working with security EVTX Files - has the ability to properly record whether or not the event was a Success Audit or Failure Audit, greatly aiding the reviewer of log data generated from both EVT and EVTX log files.
In Event Analyst 7, a component of LogRefiner technology - PrecisionParser - was introduced primarily to expand correlation capability. Though an offshoot of LogRefiner, users don't have to wait until they work with the EVTX format to benefit from this powerful capability.
With PrecisionParser, virtually any type of security event can now have its key subfields parsed out, grouped, and sorted inside Event Analyst's custom reporting engine.
The benefits of Dorian's PrecisionParser capability are tremendous, and include:
True Log Format Independence
Parsable security log data formats include native EVT and EVTX files, comma-delimited text files produced by Event Archiver and Event Analyst, and Microsoft Access, SQL, or Oracle database tables produced by Event Archiver and Event Analyst. Dorian's multiple log format support stands in stark contrast to other vendor packages, which depend on multiple database table schemas in an attempt to normalize log data at time of collection, rather than normalizing data at time of analysis.
True Operating System and Service Pack Level Independence
PrecisionParser technology can handle virtually all security log data collected from different Microsoft operating systems - from Windows NT 4.0 to Windows Server 2008. This is important as Microsoft frequently expands reported data in security log events over time, often after service packs are applied. If a custom-defined subfield is not present in a legacy operating system event, the custom reporting engine degrades gracefully, simply indicating that the field was not found.
Correlation Across Related, Yet Different Security Events
Correlation is possible among different security events that share common subfields in their descriptions. For example, many security events log handle identifiers, logon identifiers, and IP addresses. Custom reports paired with advanced filters can now be designed to show a variety of event activity that is in fact related via these fields.
Support For Multiple Occurrences of the Same Subfield
While less common in legacy security events, Windows Vista and Windows Server 2008 now often include the same subfield name twice in the Description field. For instance, Event ID 4724 describes the resetting of user passwords by an administrator. Yet the order in which the user appears in the Description determines whose password was reset, and who actually reset the password. When defining custom fields for reports, Event Analyst allows you to make this subtle distinction by indicating whether you would like to parse out the second, third, or nth occurrence of that field.
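The three EVTX normalization steps described above (recovering Success/Failure Audit from the Keyword, moving the user from the Description back into a User field, and pulling the nth occurrence of a repeated subfield) put into code, as an added Python example that is not Event Analyst's or Dorian's code. The record, its field names and the Event ID 4724 description layout are constructed sample data, and the keyword bit values are an assumption about the standard Windows audit keywords.

```python
import re
from typing import Optional

# Assumed standard Windows audit keyword bitmask values (not taken from the page)
AUDIT_SUCCESS = 0x8020000000000000
AUDIT_FAILURE = 0x8010000000000000

# Constructed sample: an Event ID 4724 (password reset) record as an .evtx parser
# might hand it over. The User column is empty, as Vista+ security logs leave it.
SAMPLE_4724 = {
    "EventID": 4724, "Level": "Information", "Keywords": AUDIT_SUCCESS, "User": "",
    "Description": (
        "An attempt was made to reset an account's password.\n\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001\n"
        "\tAccount Name:\t\thelpdesk01\n"
        "\tAccount Domain:\t\tCORP\n"
        "\tLogon ID:\t\t0x3E7A1\n\n"
        "Target Account:\n"
        "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105\n"
        "\tAccount Name:\t\tjdoe\n"
        "\tAccount Domain:\t\tCORP\n"
    ),
}

def audit_type(keywords: int) -> str:
    """Recover the EVT-style event type from the EVTX Keywords bitmask."""
    if (keywords & AUDIT_FAILURE) == AUDIT_FAILURE:
        return "Failure Audit"
    if (keywords & AUDIT_SUCCESS) == AUDIT_SUCCESS:
        return "Success Audit"
    return "Information"

def subfield(description: str, name: str, occurrence: int = 1) -> Optional[str]:
    """Return the nth value labelled `name` in a Description, or None if absent."""
    pattern = re.compile(r"^[ \t]*" + re.escape(name) + r":[ \t]*(.*?)[ \t]*$", re.M)
    values = [m.group(1) for m in pattern.finditer(description)]
    return values[occurrence - 1] if len(values) >= occurrence else None

def normalize(record: dict) -> dict:
    """Build EVT-like fields from an EVTX security record (one row per event)."""
    desc = record["Description"]
    return {
        "EventID": record["EventID"],
        "Type": audit_type(record["Keywords"]),
        # In this sample layout the first "Account Name" is the Subject (who acted)
        # and the second is the Target (whose password was reset).
        "User": subfield(desc, "Account Name", 1) or record["User"],
        "TargetUser": subfield(desc, "Account Name", 2),
        "LogonID": subfield(desc, "Logon ID", 1),
    }
```

A missing occurrence returns None rather than raising, which mirrors the graceful degradation the reporting engine is described as providing for legacy events.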
Multiple Report Formats Remain Available For Presentation and Data Mining
As in previous versions, custom reports in Event Analyst will continue to be generated in both HTML and CSV formats. The printer-friendly HTML version of the report is excellent for presentation and review by management, whereas the CSV version of the report allows you to import raw, parsed subfield data from the description field into other software packages, such as Microsoft Excel. Frequent users of Microsoft Excel will be amazed at the level of analysis possible when reviewing CSV files with Excel's AutoFilter feature.