
Log Refiner™ Technology

Existing log strategies were usually designed only for the soon-to-be "legacy" EVT format, and they cope poorly with the log data that Windows Vista, Server 2008 and later versions generate in the new EVTX format. WhatsUp Event Log Management's exclusive LogRefiner™ technology lets you move to the EVTX format at your own pace and on your own terms. Many compliance standards require that log data be retained for multiple years, so in most cases EVTX and EVT files will have to be maintained side by side for some time to come.

WhatsUp Event Log Management’s exclusive and patented LogRefiner™ technology offers the following key capabilities:

Down-level EVT File Processing in Windows Vista and Later Versions

LogRefiner™ technology can read, filter, and report on EVT files from down-level systems directly alongside the EVTX files from Windows Vista and newer operating systems in the WhatsUp Event Analyst application. No information is lost when down-level EVT files are converted into the new format, and every event log field is processed correctly the first time.

Streamlined Fields between EVT and EVTX Logs

The EVTX log format supports more field types than the EVT format. LogRefiner™ technology automatically consolidates the additional Keywords and Opcode fields into the Task (Category) field, so that EVT and EVTX log files share a common data structure when you work with them together.

Field Consistency across Logs

In the Windows Vista Security Log, the 'User' field of an event records neither the user who performed the action nor the user affected by it (Event Viewer shows N/A in its User column for these events). Instead, all user information is placed in the 'Description' field of the event. LogRefiner™ technology puts the most relevant user information back into the 'User' field as it reads and processes EVTX files. By keeping log data and its formatting consistent, this capability greatly helps the network security administrator or compliance officer review the consolidated data.

Success Audits versus Failure Audits

Another major change in the Windows Vista security log is that every event is recorded with the level "Information". To discern whether an event represents a failed or a successful action, the administrator must refer to the event's 'Keywords' field, which carries "Audit Success" or "Audit Failure". LogRefiner™ records whether the event was a Success Audit or a Failure Audit even for EVTX files, greatly aiding the reviewer of log data generated by different Windows host systems.
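The two preceding points (user information living only in the description, and Success/Failure being carried by the Keywords bits rather than the level) are easy to see in code. The following Python is an added example written for this page, not part of the WhatsUp or Dorian products: it flattens one EVTX Security event, given in the XML form Event Viewer shows, into an EVT-style record with an explicit audit type and a populated 'User' field. The sample event (ID 4724) is constructed; the two keyword masks are the win:AuditSuccess and win:AuditFailure bits from the Windows event manifest.

```python
import xml.etree.ElementTree as ET

# Keyword bits from the Windows event manifest (winmeta): win:AuditSuccess and
# win:AuditFailure. They are the only thing separating a success audit from a
# failure audit in an EVTX Security event, whose Level is always 0 ("Information").
KEYWORD_AUDIT_FAILURE = 0x0010000000000000
KEYWORD_AUDIT_SUCCESS = 0x0020000000000000

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a Security event (ID 4724, password reset) in the XML form
# Event Viewer renders. The empty <Security/> element is the point: the event has no
# UserID, so the 'User' column is N/A and the principals live only in <EventData>.
SAMPLE_EVENT_XML = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4724</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2024-05-01T12:34:56.789Z"/>
    <EventRecordID>1001</EventRecordID>
    <Channel>Security</Channel>
    <Computer>DC01.corp.example</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-500</Data>
    <Data Name="SubjectUserName">admin</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
"""


def audit_type(keywords: str) -> str:
    """Map the Keywords bitmask (hex string from the XML) to the EVT-era event type."""
    kw = int(keywords, 16)
    if kw & KEYWORD_AUDIT_FAILURE:
        return "Failure Audit"
    if kw & KEYWORD_AUDIT_SUCCESS:
        return "Success Audit"
    return "Information"


def _qualify(data: dict, prefix: str):
    """Build DOMAIN\\name from <prefix>DomainName/<prefix>UserName; None if absent or '-'."""
    name = data.get(prefix + "UserName", "")
    if name in ("", "-"):
        return None
    domain = data.get(prefix + "DomainName", "")
    return f"{domain}\\{name}" if domain not in ("", "-") else name


def normalize_security_event(xml_text: str) -> dict:
    """Flatten an EVTX Security event into an EVT-style record with a populated
    'User' field and an explicit Success Audit / Failure Audit type."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)

    def text(tag: str) -> str:
        return (system.findtext(f"e:{tag}", default="", namespaces=NS) or "").strip()

    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    security = system.find("e:Security", NS)
    user_col = security.get("UserID") if security is not None else None

    # Prefer the acting principal (Subject*) as the EVT-style 'User'; fall back to
    # the account acted upon (Target*) when the subject is empty or '-'.
    return {
        "EventID": int(text("EventID")),
        "Type": audit_type(text("Keywords")),   # Level 0 alone only says "Information"
        "Level": int(text("Level")),
        "Category": int(text("Task")),          # Task carries the EVT-style category
        "Keywords": text("Keywords"),
        "Opcode": int(text("Opcode")),
        "Computer": text("Computer"),
        "EvtxUserColumn": user_col,             # None for Security events
        "User": _qualify(data, "Subject") or _qualify(data, "Target"),
        "TargetUser": _qualify(data, "Target"),
        "SubjectLogonId": data.get("SubjectLogonId"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(normalize_security_event(SAMPLE_EVENT_XML), indent=2))
```

Which principal belongs in 'User' is a policy choice: the example takes the Subject (who acted) and keeps the Target separately, so a report on 4724 can still show both the administrator and the account whose password was reset.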

PrecisionParser™ Capability Expands Correlation of both EVT and EVTX Logs

PrecisionParser™, a component of LogRefiner™ technology, was introduced primarily to expand its correlation capability. Although it is an offshoot of LogRefiner™, users do not have to wait until they work with the EVTX format to benefit from it. With PrecisionParser™, virtually any type of security event can have its key subfields parsed out, grouped, and sorted inside WhatsUp Event Analyst's custom reporting engine.

WhatsUp PrecisionParser™ capability offers numerous benefits including:

True Log Format Independence

Parsable security log data formats include native EVT and EVTX files, comma-delimited text files produced by Event Archiver and Event Analyst, and Microsoft Access, SQL, or Oracle database tables produced by Event Archiver and Event Analyst. Dorian's multiple log format support stands in stark contrast to other vendor packages, which depend on multiple database table schemas in an attempt to normalize log data at collection time rather than at analysis time.

True Operating System and Service Pack Level Independence

PrecisionParser™ technology can handle virtually all security log data collected from different Microsoft operating systems, from Windows NT 4.0 to Windows Server 2008. This matters because Microsoft frequently expands the data reported in security log events over time, often when service packs are applied. If a custom-defined subfield is not present in an event from a legacy operating system, the custom reporting engine adapts gracefully by simply indicating that the field was not found.

Correlation across Related, Yet Different Security Events

Correlation is possible among different security events that share common subfields in their descriptions. For example, many security events carry handle IDs, logon IDs, and IP addresses. Custom reports paired with advanced filters can be designed using PrecisionParser™ technology to show a variety of event activity that is in fact related through these fields.

Support for Multiple Occurrences of the Same Subfield

While less common in legacy security events, Windows Vista, Windows Server 2008 and later versions often include the same subfield name twice in the 'Description' field. For instance, Event ID 4724 records the reset of a user's password by an administrator: the description lists an 'Account Name' under Subject and another under Target Account, and only their order tells you who reset the password and whose password was reset. When defining custom fields for reports based on PrecisionParser™ technology, WhatsUp Event Analyst lets you make this distinction by indicating whether you want to parse out the second, third, or nth occurrence of that field.
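The previous two points, correlating events through shared description subfields and picking the nth occurrence of a repeated subfield, come down to one small parser. The following Python is an added example written for this page, not code from the WhatsUp or Dorian products: it parses "Name: Value" subfields out of rendered Security log descriptions, returns the nth occurrence of a name (or None when the event does not carry that many, the "field not found" case), and then indexes a batch of events by every Logon ID value they mention. The three event descriptions are constructed and trimmed; the parser assumes the tab-indented layout Event Viewer renders, with section headers such as "Subject:" standing on their own line.

```python
import re
from collections import defaultdict

# Constructed samples in the layout Event Viewer renders for Security log
# descriptions: section headers ("Subject:") and tab-indented "Name:<tabs>Value"
# lines. Real 4624 events carry more subfields than shown here.
EVENT_4624 = """An account was successfully logged on.

Subject:
\tSecurity ID:\t\tS-1-5-18
\tAccount Name:\t\tDC01$
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x3E7

Logon Type:\t\t\t2

New Logon:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-500
\tAccount Name:\t\tadmin
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x5A2F1

Network Information:
\tSource Network Address:\t10.0.0.25
"""

EVENT_4672 = """Special privileges assigned to new logon.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-500
\tAccount Name:\t\tadmin
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x5A2F1

Privileges:\t\tSeBackupPrivilege
"""

EVENT_4724 = """An attempt was made to reset an account's password.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-500
\tAccount Name:\t\tadmin
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x5A2F1

Target Account:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105
\tAccount Name:\t\tjsmith
\tAccount Domain:\t\tCORP
"""

SAMPLE_EVENTS = [
    {"record": 1, "event_id": 4624, "description": EVENT_4624},
    {"record": 2, "event_id": 4672, "description": EVENT_4672},
    {"record": 3, "event_id": 4724, "description": EVENT_4724},
]

# One "Name:<whitespace>Value" per line. Header lines such as "Subject:" match with
# an empty value and are dropped, so a section name is never mistaken for a value.
SUBFIELD_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z0-9 ()/]*?):[ \t]*(.*?)[ \t]*$", re.M)


def parse_subfields(description: str) -> list:
    """All (name, value) pairs in order of appearance, duplicate names preserved."""
    return [(m.group(1), m.group(2))
            for m in SUBFIELD_RE.finditer(description) if m.group(2)]


def subfield(description: str, name: str, occurrence: int = 1):
    """The nth (1-based) occurrence of `name`, or None when the description does
    not carry that many: the 'field not found' case a report has to tolerate."""
    values = [v for n, v in parse_subfields(description) if n == name]
    return values[occurrence - 1] if 0 < occurrence <= len(values) else None


def correlate(events: list, key: str = "Logon ID") -> dict:
    """Index event IDs by every distinct value of `key` in their descriptions,
    wherever in the description it occurs (Subject, New Logon, ...)."""
    index = defaultdict(list)
    for ev in events:
        values = {v.lower() for n, v in parse_subfields(ev["description"]) if n == key}
        for v in sorted(values):
            index[v].append(ev["event_id"])
    return dict(index)


if __name__ == "__main__":
    print("reset by:", subfield(EVENT_4724, "Account Name", 1))
    print("reset of:", subfield(EVENT_4724, "Account Name", 2))
    for logon_id, ids in correlate(SAMPLE_EVENTS).items():
        print(logon_id, "->", ids)
```

Note that the 4624 event contributes two different Logon IDs (the system session under Subject and the new interactive session under New Logon), so a report that only read the first occurrence would tie the later 4672 and 4724 events to the wrong session.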