Hackin9

In follow-up to yesterday's discussion on invoking OS commands with R's system() function, I wanted to show you just a bit of how straightforward it is to then use the resulting data.

After grabbing the Windows Security event log with a call to Log Parser and writing it out to CSV, you have numerous options, driven by what's interesting to you. Perhaps you're interested in counts per Event ID, to say what your Top 10 events are. The issue is that Log Parser just grabbed all of the columns it emits for an event log, and only a few of them matter for this question. Pulling in just the columns you need is simple:

    # read.columns() is not part of base R; load the add-on package that provides
    # it before this call (the page does not name the package). A base-R equivalent is
    # read.csv("security.csv")[, c("EventID","TimeWritten","EventTypeName","Message")]
    secevt <- read.columns("security.csv", c("EventID","TimeWritten","EventTypeName","Message"), sep=",")

This reads only the EventID, TimeWritten, EventTypeName and Message columns into a new data frame, the contents of which are stored in secevt; the other 11 columns are no longer cluttering the in-memory data set. Want to count Event IDs?

    # count() here is plyr's count(): one row per distinct value (x) with its
    # frequency (freq). The assignment itself did not survive on this page and
    # is reconstructed from the x/freq output shown below.
    library(plyr)
    ct <- count(secevt$EventID)
    ct

       x  freq
    1  1108   734
    2  4611     4
    3  4616     1
    4  4624   159
    5  4634    49
    6  4648   272
    7  4656  2653
    8  4658  1900
    9

Now sort descending by frequency and keep the top ten (again reconstructed: the page preserves only the names srt and top10 and the resulting output, whose row numbers are the original row indices from ct):

    srt <- ct[order(-ct$freq), ]
    top10 <- head(srt, 10)
    top10

        x  freq
    22 4703 81437
    9  4662 27602
    7  4656  2653
    8  4658  1900
    16 4690   931
    1  1108   734
    14 4688   618
    15 4689   617
    35 4957   400
    11 4664

Bam, fast and flexible. My security event log has 81,437 Event ID 4703 (A user right was adjusted) entries; these parsed quickly from 118,154 total entries (a 147 MB local file). How about visualizations of that same data? Yep, it all starts with something as simple as

Hopefully you're intrigued by the options and capabilities available here. Feel free to comment or email me if you'd like further information or resources with which
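The whole pipeline end to end, as an added example that is my code rather than the diary's: it builds a constructed CSV standing in for the Log Parser export (the extra columns, the file name security.csv and the timestamps are all assumptions), trims it to the four columns, counts and ranks Event IDs in base R without plyr, labels the IDs with their descriptions from Microsoft's Security auditing documentation, and finishes with a bar chart (my choice of plot; the diary's own visualization call did not survive on this page).

```r
# Added example, not code from the ISC diary. Same workflow as the diary
# (CSV from Log Parser -> data frame -> counts per Event ID -> top 10)
# in base R only, plus a description lookup, a bar chart and a row-total check.
# The CSV below is constructed sample data; in practice it is Log Parser's
# -o:CSV output, and the name security.csv is an assumption.

# ---- constructed sample data standing in for the Log Parser export ----
# Descriptions are the Microsoft Security auditing event titles.
desc <- c(
  "4624" = "An account was successfully logged on",
  "4625" = "An account failed to log on",
  "4634" = "An account was logged off",
  "4648" = "A logon was attempted using explicit credentials",
  "4656" = "A handle to an object was requested",
  "4658" = "The handle to an object was closed",
  "4662" = "An operation was performed on an object",
  "4688" = "A new process has been created",
  "4703" = "A user right was adjusted"
)
ids <- c(rep(4703, 40), rep(4662, 25), rep(4656, 15), rep(4658, 12),
         rep(4624, 8), rep(4625, 5), rep(4688, 4), rep(4634, 3), rep(4648, 2))
sample_log <- data.frame(
  EventLog      = "Security",                 # extra columns like those Log Parser
  RecordNumber  = seq_along(ids),             # also emits; dropped below
  EventID       = ids,
  TimeWritten   = format(as.POSIXct("2013-08-20 08:00:00", tz = "UTC") +
                           7 * seq_along(ids), "%Y-%m-%d %H:%M:%S"),
  EventTypeName = ifelse(ids == 4625, "Failure Audit event", "Success Audit event"),
  ComputerName  = "WKS01",                    # assumed host name
  Message       = unname(desc[as.character(ids)]),
  stringsAsFactors = FALSE
)
security_csv <- tempfile(fileext = ".csv")   # stands in for security.csv
write.csv(sample_log, security_csv, row.names = FALSE)

# ---- the diary's steps in base R ----
# Keep only the four columns of interest (base-R equivalent of read.columns()).
keep   <- c("EventID", "TimeWritten", "EventTypeName", "Message")
secevt <- read.csv(security_csv, stringsAsFactors = FALSE)[, keep]

# Count per Event ID. as.data.frame(table()) gives the same x/freq layout
# that plyr::count() on a vector produces.
ct <- as.data.frame(table(secevt$EventID), stringsAsFactors = FALSE)
names(ct) <- c("x", "freq")
ct$x <- as.integer(ct$x)

srt   <- ct[order(-ct$freq), ]   # descending by frequency
top10 <- head(srt, 10)

# Attach a human-readable description; IDs missing from the lookup stay "unknown".
top10$desc <- unname(desc[as.character(top10$x)])
top10$desc[is.na(top10$desc)] <- "unknown"
print(top10, row.names = FALSE)

# Visualization: a bar chart of the top IDs.
barplot(top10$freq, names.arg = top10$x, las = 2,
        main = "Top Security Event IDs", ylab = "count")

# Sanity check worth keeping: the counts must add up to the rows read,
# otherwise the CSV was parsed incorrectly (embedded commas/quotes in Message
# are the usual culprit) and every downstream number is suspect.
stopifnot(sum(ct$freq) == nrow(secevt))
```

The stopifnot at the end is the check to carry over to real exports: Log Parser's Message field routinely contains commas and quotes, and a CSV reader that splits them wrong silently inflates or drops rows, so reconcile the frequency total against the row count before trusting any Top 10.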

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.