What is eBuzzSaw?
Why is there an eBuzzSaw?
Why is there a field for timeStored and timeGenerated?
Why do some UNIX machines (like Solaris) have a timeGenerated and other UNIX machines don't?
What are the SQL fields used?
What is "\x0" doing in the "strings" and "message" fields?
After using eBuzzSaw, I then get the 'login' screen. Why?
How do I submit questions or get help?
I can't login ... I know that my user name and password are correct, why?
What is the current set of reports that I can run?
How do I view the logs of an NT machine in their "application", "security", "system" etc. form?
How do I view the logs of a UNIX machine in their continuous form?
How do I view all three/five NT logs from a particular machine at one time?
How can I sort the reports by a different column or resort the table ascending/descending?
Download from eBuzzSaw so you can use the log entries locally on your machine?
What is eBuzzSaw?
eBuzzSaw displays log entries. It allows the viewing of aggregate reports, such as how many log entries there were, by machine and by log facility, in the last hour. From this screen one can drill down to a specific machine/log facility and see the detailed logs.
Why is there an eBuzzSaw?
To administer more than a couple of machines, especially NT machines, having the logs in one central location lets the health/status of the whole domain be seen at one time, as opposed to viewing each machine's log separately. One can point UNIX syslogs to a central log server, but not NT's. With eBuzzSaw one can:
>> sort by critical event across the whole domain.
>> monitor the quantity of logs to get a general sense of computer activity.
>> sort by many different criteria across all machines as opposed to a single machine.
Why is there a field for timeStored and timeGenerated?
The two fields are in some instances the same and sometimes different. 'Time Stored' is the time at which the eBuzzSaw system collected the given log entry and stored it in the database. 'timeGenerated' is the time at which the host generated the log. 'timeGenerated' is only available on NT and Solaris log entries; otherwise the two fields are set to the same value as 'Time Stored'.
Why do some UNIX machines (like Solaris) have a timeGenerated and other UNIX machines don't?
... well, all should have a 'timeGenerated' ... but some UNIX machines will have a truer 'timeGenerated' value because, when the given UNIX machine generates and sends the syslog entry, the sending machine includes the generation time as part of the syslog message. eBuzzSaw can then parse this time from the syslog message and use it. Solaris sends this type of syslog message. NT machines will also have separate timeGenerated and timeStored values. These times are local to the generating machine.
What are the SQL fields used?
The current SQL fields include:

field names            | NT values                       | UNIX values
-----------------------+---------------------------------+------------------------------------------
* recNumber            | 868122                          | 868123
Source                 | MSExchange Pop3 Interface       | sendmail
Computer               | XYZHOST                         | 192.220.26.67
Length                 | NULL                            | NULL
Data                   | NULL                            | NULL
Category               | 1                               | NULL
RecordNumber           | 2310890                         | NULL
* TimeGenerated        | 978110918                       | 978811506
* Timewritten          | 978110918                       | 978811559
* EventID              | 11100                           | 26
* EventType            | 4                               | 6
ClosingRecordNumber    | NULL                            | NULL
Strings                | 63.201.36.7\x0                  | MAIL INFO Jan 6 12:05:06 sendmail[3348]: MAA03346: to=xyz@ebuzzsaw.com,123@ebuzzsaw.com, ctladdr=root (0/1), delay=00:00:05, xdelay=00:00:03, mailer=relay, relay=ns2.downtown.net. 192.203.63.245], stat=Sent (OK)
Message                | NULL                            | <22>Jan 6 12:05:06 sendmail[3348]: MAA03346: to=xyz@ebuzzsaw.com,123@ebuzzsaw.com, ctladdr=root (0/1), delay=00:00:05, xdelay=00:00:03, mailer=relay, relay=ns2.downtown.net. [192.203.63.245], stat=Sent (OK)
User                   | NULL                            | NULL
* m_logSource          | application                     | MAIL
m_os                   | nt                              | UNIX
* m_userName           | NULL                            | NULL
m_timeGenerated        | 2000-12-29 09:28:38.000         | 1/6/01 2:51:03 PM
m_syslog_host          | XYZHOST                         | pm2-67.xyz-123.net
m_syslog_store_date    | 2000-12-29 09:30:38.000         | 1/6/01 2:51:55 PM
m_userDomain           | NULL                            | NULL
m_userSIDtype          | NULL                            | NULL
What is "\x0" doing in the "strings" and "message" fields?
The syslog data coming from the host machines may include null characters (hex 00). SQL doesn't like null characters in fields, so we replace each null character with the ASCII characters "\x0" as a substitute. Null characters (hex "00") are not NULL fields; a NULL field is a field that has no data.
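The parsing described here and in the timeGenerated answer above, as an added example that is not eBuzzSaw's own code: it splits the <PRI> prefix of a BSD syslog datagram into facility and severity (the field table's m_logSource = MAIL and EventType = 6 both follow from <22> = 2*8 + 6), takes the timestamp the sending host embedded as timeGenerated and falls back to the store time when the message carries none, and substitutes the literal text "\x0" for NUL bytes before anything reaches SQL. The host time zone (UTC-8), the function and constant names, and the second and third sample datagrams are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3164 facility and severity names; facility 2 = MAIL, severity 6 = INFO.
FACILITIES = ["KERN", "USER", "MAIL", "DAEMON", "AUTH", "SYSLOG", "LPR", "NEWS",
              "UUCP", "CRON", "AUTHPRIV", "FTP", "NTP", "AUDIT", "ALERT", "CLOCK",
              "LOCAL0", "LOCAL1", "LOCAL2", "LOCAL3", "LOCAL4", "LOCAL5",
              "LOCAL6", "LOCAL7"]
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]

# <PRI>, then an optional BSD timestamp ("Jan  6 12:05:06"), then the message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) )?"
    r"(?P<body>.*)$",
    re.DOTALL,
)

# Assumption: the sending host stamps its messages in US Pacific standard time.
PACIFIC = timezone(timedelta(hours=-8))


def sanitize(raw: bytes) -> str:
    """Replace NUL bytes (hex 00) with the literal text "\\x0", as the FAQ says
    eBuzzSaw does, so the value can live in a SQL string field."""
    return raw.decode("latin-1").replace("\x00", "\\x0")


def parse_syslog(raw: bytes, time_stored: datetime, host_tz: timezone = PACIFIC) -> dict:
    """Turn one syslog datagram into the FAQ's field names.

    raw          bytes as received from the host (may contain NUL bytes)
    time_stored  the collector's timezone-aware clock when the entry is stored
    host_tz      zone the sending host uses in its timestamp (an assumption)
    """
    text = sanitize(raw)
    m = SYSLOG_RE.match(text)
    if not m:
        raise ValueError("not a <PRI>-prefixed syslog message")
    facility, severity = divmod(int(m.group("pri")), 8)
    if facility >= len(FACILITIES):
        raise ValueError(f"facility {facility} out of range")

    if m.group("ts"):
        # The BSD timestamp carries no year: borrow it from the store time, and
        # if that puts the message in the future (a December message stored in
        # early January) roll it back one year.
        stamp = " ".join(m.group("ts").split())
        naive = datetime.strptime(stamp, "%b %d %H:%M:%S")
        generated = naive.replace(year=time_stored.year, tzinfo=host_tz)
        if generated - time_stored > timedelta(days=1):
            generated = generated.replace(year=generated.year - 1)
    else:
        # No host timestamp: timeGenerated falls back to timeStored.
        generated = time_stored

    after_pri = text[m.end("pri") + 1:]          # message with "<PRI>" removed
    return {
        "m_logSource": FACILITIES[facility],
        "EventType": severity,                   # the UNIX EventType column
        "Strings": f"{FACILITIES[facility]} {SEVERITIES[severity]} {after_pri}",
        "Message": text,
        "TimeGenerated": int(generated.timestamp()),
        "Timewritten": int(time_stored.timestamp()),
    }


# Constructed sample input: the FAQ's sendmail message as the host would send it.
SENDMAIL_DATAGRAM = (
    b"<22>Jan  6 12:05:06 sendmail[3348]: MAA03346: to=xyz@ebuzzsaw.com,"
    b"123@ebuzzsaw.com, ctladdr=root (0/1), delay=00:00:05, xdelay=00:00:03, "
    b"mailer=relay, relay=ns2.downtown.net. [192.203.63.245], stat=Sent (OK)"
)
# Constructed sample input: no timestamp and an embedded NUL byte.
NUL_DATAGRAM = b"<13>agent\x00 checked in"
# Constructed sample input: a December message that arrives after New Year.
LATE_DATAGRAM = b"<22>Dec 31 23:59:58 late message"
# Store times: the FAQ's Timewritten value, and a constructed one just past New Year.
STORED = datetime.fromtimestamp(978811559, tz=timezone.utc)
STORED_JAN1 = datetime(2001, 1, 1, 0, 0, 10, tzinfo=PACIFIC)

if __name__ == "__main__":
    for line, stored in ((SENDMAIL_DATAGRAM, STORED), (NUL_DATAGRAM, STORED),
                         (LATE_DATAGRAM, STORED_JAN1)):
        for k, v in parse_syslog(line, stored).items():
            print(f"{k:>14}: {v}")
        print()
```

With the time-zone assumption, the FAQ's own sendmail message stored at its Timewritten value of 978811559 yields TimeGenerated 978811506, the number in the field table, and the Strings value is the facility and severity names prefixed to the message with its <PRI> removed, which is the shape the table shows.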
After using eBuzzSaw for some time I leave my browser with eBuzzSaw in it, and when I try to use it again I get the 'login' screen and am forced to give my username and password again. Why?
If your browser sees no session activity, i.e. no requests to eBuzzSaw, your browser will time the session out and lose its security token (a browser cookie). In this case you'll need to log back in. This is by design, so that an unattended desktop will not allow anyone to use eBuzzSaw after the browser times out.
How do I submit questions or get help?
At the bottom of each page is a link for "feedback ?". This will take you to the web-based help desk.
I can't login ... I know that my user name and password are correct, why?
It is probably due to your browser not accepting cookies. Cookies are how we store your security token, which lets eBuzzSaw know you can view the syslog info contained in the database.
What is the current set of reports that I can run?

report#   report description
======================================================================
3         HOST
4         host by LOG
5         host by log by SOURCE
6         eventType/priority by HOST
7         eventType/priority by host by SOURCE
8         eventType/priority by host by SOURCE 1,16 for NT and 0,1,2,3,4 for UNIX
10        host by eventType
11        host by eventType by source
20        host by LOG - detail by log
50        user grouped by user
51        user sorted by time, excluding 'system','iusr*',NULL
52        user, excluding 'system','iusr*',NULL
100       UNIX cpu,memory,disk
106       UNIX priority by HOST
107       UNIX priority by host by FACILITY
120       UNIX FACILITY
512       host by eventID 512 eventLog startup
513       host by eventID 513 system shutdown
528       host by eventID 528 successful logon
529       host by eventID 529 bad logon attempt
530       host by eventID 530 bad logon attempt: logon time restriction violation
531       host by eventID 531 bad logon attempt: account disabled
532       host by eventID 532 bad logon attempt: account expired
533       host by eventID 533 bad logon attempt: workstation restriction - not allowed to logon at this computer
534       host by eventID 534 bad logon attempt: inadequate rights - as in user attempting console login to server
535       host by eventID 535 bad logon attempt: password expired
536       host by eventID 536 bad logon attempt: netLogon service down
537       host by eventID 537 bad logon attempt: unexpected error - ?!??
538       host by eventID 538 successful logoff
539       host by eventID 539 bad logon attempt: account locked out
627       host by eventID 627 bad logon attempt: NT AUTHORITY\ANONYMOUS tried to change a password
642       host by eventID 642 PDC's change of secure channel passwords
644       host by eventID 644 user account locked out
901       overview of events by host
902       overview of log entries by host
910       count of syslog entries by time written
911       count of syslog entries by time written by host
951       search using ad hoc words with AND, NOT ...
998       sql rows in the last 'x' amount of time
999       sql count
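Three of the reports above run as SQL over an in-memory SQLite copy of the field table, as an added example that is not eBuzzSaw's own code: report 8 (eventType/priority by host by source, keeping only 1,16 for NT and 0,1,2,3,4 for UNIX), report 529 (bad logon attempts by host) and report 998 (rows in the last 'x' seconds, judged by Timewritten). The table name syslog_entries, the column types, and every row except the two modelled on the field table are assumptions. The per-OS EventType lists in report 8 exist because the same number means different things on the two platforms: 4 is "information" in the NT event log but "warning" as a syslog severity, so the Exchange row is left out while the constructed sshd row is kept.

```python
import sqlite3

# Event types named by report 8: NT error (1) and audit failure (16);
# syslog emerg, alert, crit, err, warning (0-4).
NT_SERIOUS = (1, 16)
UNIX_SERIOUS = (0, 1, 2, 3, 4)

# Assumed table name and column types; the column names are the FAQ's.
SCHEMA = """
CREATE TABLE syslog_entries (
    recNumber     INTEGER PRIMARY KEY,
    Source        TEXT,
    Computer      TEXT,
    EventID       INTEGER,
    EventType     INTEGER,
    TimeGenerated INTEGER,
    Timewritten   INTEGER,
    Strings       TEXT,
    Message       TEXT,
    m_logSource   TEXT,
    m_os          TEXT,
    m_userName    TEXT
)"""

# Constructed rows: the first two follow the FAQ's NT and UNIX examples (long
# text abbreviated), the rest are made-up security-log and syslog entries.
# NT EventType 8 = audit success, 16 = audit failure; UNIX EventType 3 = err.
ROWS = [
    (868122, "MSExchange Pop3 Interface", "XYZHOST", 11100, 4, 978110918, 978110918,
     "63.201.36.7\\x0", None, "application", "nt", None),
    (868123, "sendmail", "192.220.26.67", 26, 6, 978811506, 978811559,
     "MAIL INFO Jan 6 12:05:06 sendmail[3348]: MAA03346: ...",
     "<22>Jan 6 12:05:06 sendmail[3348]: MAA03346: ...", "MAIL", "UNIX", None),
    (868124, "Security", "XYZHOST", 529, 16, 978811600, 978811601,
     None, None, "security", "nt", "alice"),
    (868125, "Security", "XYZHOST", 529, 16, 978811660, 978811661,
     None, None, "security", "nt", "alice"),
    (868126, "Security", "XYZHOST", 528, 8, 978811700, 978811701,
     None, None, "security", "nt", "alice"),
    (868127, "sshd", "192.220.26.67", None, 3, 978811800, 978811801,
     None, None, "AUTH", "UNIX", None),
]


def open_db() -> sqlite3.Connection:
    """Create the in-memory table and load the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO syslog_entries VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", ROWS)
    return con


def _marks(values) -> str:
    """One '?' placeholder per value, for an IN (...) list."""
    return ",".join("?" * len(values))


def report_8(con: sqlite3.Connection) -> list:
    """Report 8: eventType/priority by host by source, serious types only."""
    sql = f"""
        SELECT Computer, Source, EventType, COUNT(*) AS n
        FROM syslog_entries
        WHERE (m_os = 'nt'   AND EventType IN ({_marks(NT_SERIOUS)}))
           OR (m_os = 'UNIX' AND EventType IN ({_marks(UNIX_SERIOUS)}))
        GROUP BY Computer, Source, EventType
        ORDER BY n DESC, Computer, Source"""
    return con.execute(sql, NT_SERIOUS + UNIX_SERIOUS).fetchall()


def report_529(con: sqlite3.Connection) -> list:
    """Report 529: host by eventID 529 (bad logon attempt), busiest host first."""
    return con.execute("""
        SELECT Computer, COUNT(*) AS bad_logons
        FROM syslog_entries
        WHERE EventID = 529 AND m_logSource = 'security'
        GROUP BY Computer
        ORDER BY bad_logons DESC""").fetchall()


def report_998(con: sqlite3.Connection, now: int, seconds: int) -> int:
    """Report 998: SQL rows in the last 'x' amount of time, by Timewritten."""
    row = con.execute("SELECT COUNT(*) FROM syslog_entries WHERE Timewritten >= ?",
                      (now - seconds,)).fetchone()
    return row[0]


if __name__ == "__main__":
    con = open_db()
    print("report 8  :", report_8(con))
    print("report 529:", report_529(con))
    print("report 998:", report_998(con, now=978811900, seconds=300), "rows in last 300 s")
```

Sorting a report by another column, as the table of contents asks about, is just a different ORDER BY on the same query; the GROUP BY columns are what define which report it is.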