LogAgent 4.0, Windows log management tool
By Floydman, floydian_99@yahoo.com
May 14th, 2003

This paper is available online at http://securit.iquebec.com

This paper can be freely distributed and reproduced, as long as proper credit is maintained and no modifications are made to this file.  For corrections, suggestions or comments, please send me an e-mail.

Abstract

The goal of this paper is to present LogAgent 4.0, a tool written in Perl for collecting log files from various applications and various machines into a central location in real time, in order to improve the administrator's awareness of network activity.  It now includes the ability to monitor the Event Viewer logs and to send output to the printer, and adds some more flexibility.  New to version 4.0 is the ability to log the date and time; the Pro version now also generates logs about your system configuration, and provides automated ADS (alternate data stream) scanning and file integrity checking.

Preface

LogAgent 3.0 was great, but as soon as I started to work on the LogIDS project, it became obvious to me that it was lacking a key feature, a date-time stamp, since the logs handled by LogAgent are so varied in form that I cannot assume that the software generating a given log provides this information.  Since this changes the config file used, and can possibly alter the log files produced by LogAgent compared to version 3.0 (because of the newly added fields), the version number jumped to 4.0.  Version 4.0 Pro also sports some new features of its own, intended for use with LogIDS, but just as valuable on their own.  Special thanks to Harlan Carvey for allowing me to re-use some of his own code.

Targeted audience

This document is presented to anyone who has interests in computer security, NT/2K Administration, computer and network monitoring, intrusion detection, Perl programming and computing in general.

Table of contents

1. What is LogAgent?
2. History behind LogAgent
3. Version History
4. Known issues
5. How to install
6. How to configure
7. How to use
8. Conclusion
Appendix A. Sample log files


1. What is LogAgent?

LogAgent is a piece of software written in Perl, designed to monitor ASCII log files and redirect any change made to them to a central location.  Since version 3.0, this is also done for the logs in the Event Viewer.  The purpose of this is to add flexibility to some security (or other) applications regarding the choice of destination folder for their log files.  The ability to specify your own destination folder for log files could be a crucial requirement in your specification for a security software, and good products can be overlooked simply because they lack this single feature.  LogAgent tries to fill that gap by monitoring the log files on the local machine and redirecting any new line appended to them to the destination of your choice, either another folder on the same machine or a remote server for network-wide log file centralization.  You can display the output on the console or send it to a printer.  It can also be run as a Windows service, hiding it from the user's view on the desktop.

2. History behind LogAgent

First of all, I'd like to thank Amine Moulay Ramdane, who programmed the AdvNotify PPM package.  AdvNotify provides the functions needed to monitor directories and report when changes are made to them.  Unfortunately, her website is now inactive.  LogAgent 1.0 was created in September 2000.  At the time, I had written a paper about antivirus protection and deployment in an enterprise network, and one of the topics covered in this paper was the benefit of centralizing the antivirus log files on the network.  As I played with other antivirus products and some personal firewalls, I found out that some of them had their log file destination path hardcoded in the software, making it impossible to choose a different location, and thus preventing the centralization of log files scattered around the network.  So I decided to make a program that would fill that gap.

The original paper of LogAgent 1.0 was presented at the Seguridad en Computo conference in Mexico City in November 2000.  Back then, it was a simple script that I now consider to be "proof of concept" code, but not quite ready to handle the job in the real world.  Version 2.0 beta was released in April 2002, which was a big improvement over the previous version.  It allowed for more flexible configuration and was cleaner and more structured code.  Version 2.1 fixed the design flaw that caused log lines to be dropped when changes were quicker than what LogAgent could keep track of.

Version 3.0 adds the ability to monitor the logs in the Event Viewer in real time, converting them to ASCII before sending them to your specified folders (always ON). You can also send the output to the printer (still considered beta) if you wish, and specify NULL directories so you can modify LogAgent's behavior at will, since it can be used only to view the logs without moving them, or to view only the Event Viewer logs, for example.  It also reports its own activity in the Event Viewer logs, making it possible to track LogAgent without relying on other software's activity.

LogAgent 3.0 Pro also has the ability to run in the background as a Windows service, making it suitable to run on a user desktop without being in the way.  It is also built for better performance, and log files are kept small for efficiency.  Event Viewer logs are cleared at every shutdown, to avoid manual management, and thus every record is taken care of at boot-up time since no event is reported twice.  All this is done so that LogAgent is easier to manage, without having to tend the local log files in order to maintain LogAgent's efficiency.

The single improvement made in version 4.0 that applies to both the Open Source version and the Pro version is the ability to log date and time stamps, something that should have been there long ago.  Version 4.0 Pro sports additional features over 3.0 Pro, which are: automatic reporting of running services, reporting of open shares on the system, reporting of items that are configured to start at boot-up (i.e. startup folders, registry keys), automatic ADS scanning on all local NTFS volumes and a file integrity checker in the style of Tripwire, using MD5 and SHA1 hashes.  These features are started automatically each time LogAgent starts.  If LogAgent is installed on a machine that never reboots, you can use adsscan.exe and integcheck.exe as standalone tools, or schedule a shutdown/restart of LogAgent on the machine to generate at least daily data.  Users of the Open Source version can also use adsscan.exe and integcheck.exe, but they will have to handle launching them themselves.  As for the rest of the info gathered by the Pro version, similar results can be achieved by using or modifying the code provided on Harlan Carvey's page at http://patriot.net/~carvdawg/perl.html.  This supplemental data makes LogAgent not only a log monitoring tool, but also an active part of your intrusion detection strategy.  In fact, this supplemental data is perfectly suited for use with my new log-based intrusion detection system, LogIDS 1.0.

3. Version History

Changes from version 3.0 Pro to version 4.0 Pro include:

- Same changes as between 3.0 Free and 4.0 Free

- Running as a service now disabled when running under evaluation license

- Upon each LogAgent launch, now reports Running Services in file services.log

- Upon each LogAgent launch, now reports on open shares in file shares.log

- Upon each LogAgent launch, now reports on startup items in file startup.log

- Upon each LogAgent launch, now starts an alternate data stream scanner which reports found items in file adsscan.log

- Upon each LogAgent launch, now starts a double-hash (MD5 and SHA1) file integrity checker that reports failed integrity checks in file integrity.log

Changes from version 3.0 Free to version 4.0 Free include:

- ability to log date and time

- field separator is now ',' instead of ' ' previously

- local Event Viewer logs are now broken into multiline entries so it ends up similar in the centralized logs for all the machines, including the central monitoring agent

- Event Viewer reports now have data related to EventID, Event Type and Category appended to the record

- Reporting of the first entries in the Event Viewer now handled more promptly

- Some minor bugs in the data formatting have been fixed for proper handling by LogIDS 1.0

Changes from version 3.0 Free to 3.0 Pro include:

- ability to run LogAgent as a Windows service (no console), or as a normal program

- complete management of monitored log files and Event Viewer logs, ensuring that all records are accounted for, for better performance and easier management (since no assumptions can be made of LogAgent's configuration, purged data is kept in a local back-up file with a .blg extension (for Backed-up LoG))

- binary available for free, with a 5-user evaluation license.  Additional licenses can be purchased at my website http://securit.iquebec.com

Changes from version 2.1 to 3.0 Free include:

- ability to monitor the Event Viewer logs (always on) just like any normal ASCII log file

- ability to send output to the printer (this feature is still considered beta, see Known Issues for more details)

- ability to specify NULL directories in config.txt and mondir.txt, for a more flexible behavior

- now reports its own activity (Starting and Shutting down) in the Event Viewer, then reported by LogAgent itself, making it possible to detect if it's been disabled on a computer, for example

- configuration files are locked during execution

- fixed the bug that made LogAgent react to changes made to binary files present in monitored directories

- some minor bugs have been fixed

- different installation procedure

Changes from version 2.0 beta to 2.1 include:

- you can specify filenames instead of just a directory path, which allows for keeping track of the line count.  If you only want to specify a log file path without the actual filename (which is how LogAgent used to work), simply put a *

- keeping track of the line count fixes the line-drop problem previous versions encountered.  If the filename is omitted, the line count is still taken care of.  If lines are deleted from a file while it is being monitored, LogAgent will reset the line count to 0 and redump the whole file.
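The line-count mechanism described in the two items above, as an added example written for this paper (it is not LogAgent's own code): each monitored file gets a counter of lines already forwarded, a poll returns only the lines appended since the last poll, and if the file now has fewer lines than the counter (lines deleted, log rotated) the counter resets to 0 and the whole file is emitted again. The demo scenario and its file contents are constructed.

```python
"""Line-count based log tailing, the approach LogAgent 2.1 introduced.

Added example, not LogAgent's own code. One counter per monitored file;
only lines past the counter are returned, and a shrinking file triggers a
reset-and-redump, as the paper describes.
"""
import os
import tempfile


class LineTracker:
    """Tracks how many lines of each monitored file have already been forwarded."""

    def __init__(self):
        self.counts = {}  # path -> number of lines already forwarded

    def poll(self, path):
        """Return the lines (without newline) appended since the last poll.

        If the file now has fewer lines than were already forwarded, the count
        is reset to 0 and every line is returned again (the 'redump').
        """
        try:
            with open(path, "r", encoding="latin-1", errors="replace") as fh:
                lines = fh.read().splitlines()
        except FileNotFoundError:
            # File vanished: forget it, so a recreated file is dumped in full.
            self.counts.pop(path, None)
            return []
        seen = self.counts.get(path, 0)
        if len(lines) < seen:
            seen = 0  # lines were deleted: reset and redump the whole file
        new = lines[seen:]
        self.counts[path] = len(lines)
        return new


def demo():
    """Constructed scenario: append, append again, then truncate the file.

    Returns the three poll results so the behaviour can be checked.
    """
    tracker = LineTracker()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "virlog.txt")  # constructed log file name
        with open(path, "w") as fh:
            fh.write("virus found in a.exe\nvirus found in b.exe\n")
        first = tracker.poll(path)           # both lines are new
        with open(path, "a") as fh:
            fh.write("virus found in c.exe\n")
        second = tracker.poll(path)          # only the appended line
        with open(path, "w") as fh:
            fh.write("log rotated\n")        # file shrank: full redump
        third = tracker.poll(path)
        unchanged = tracker.poll(path)       # nothing new
    return first, second, third, unchanged


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Reading the whole file on every poll keeps the logic obvious; a production agent would remember the byte offset as well and only fall back to a full re-read when the file is shorter than the remembered offset.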

Changes from version 1.0 to 2.0 beta include:

- the configuration is now independent of the source code (big improvement).  The configuration is now handled by two files, config.txt and mondir.txt

- the programming style is procedural, which makes the code simpler to read

- Lots of comments in the code to make it easier to understand how the program works

- checks the config files for empty spaces, empty lines, bad characters, switch '/' to '\', ...

- can have as many output directories (local or remote) as you want (one directory path per line in mondir.txt)

- can have as many monitored directories (local) as you want, listed one directory path by line after the fourth line in config.txt

- the ability to switch on and off the logging of the IP, hostname and username (first 3 lines of config.txt)

- the ability to switch on and off the display of information on the console (the fourth line of config.txt)

- using the SHOWCONSOLE option, you can actively keep an eye on the activity in your log files by monitoring your central log directory with LogAgent

4. Known issues

There are some known issues with this program.  Nothing too bad, but it is good for you to know about these little quirks in case you find that LogAgent is not behaving the way you expected.

- LogAgent cannot be used to monitor IIS log files.  Because of the unusual way IIS manages its log files, LogAgent crashes miserably as soon as IIS writes to them.  IIS is the only software known to me at this date that LogAgent cannot handle.  Help on this subject would be appreciated.

- printing is still considered a beta feature, since during my tests it made LogAgent crash at some point if there was too large a volume of output to print in a short lapse of time (several thousand lines per minute).  It reported that it could not connect to LPT1 anymore, as if the spooler was refusing any more jobs, but I still had plenty of HD space for spooling.  Under normal conditions, it should work fine.

- LogAgent 4.0 Free could lose performance and/or show erratic behavior if the log files become too big (several thousand lines, over 1 MB) or if the Event Viewer logs become full.  To solve this, you have to do regular maintenance of your log files.  These problems are taken care of automatically in LogAgent 4.0 Pro.

- When running in console mode, LogAgent has the same properties as a regular DOS program.  This means you can change the number of lines displayed and the line buffer size in the Properties submenu (reached by clicking the upper-left corner of the console window).  This allows for a better viewing size.

- When running as a service, make sure you set SHOWCONSOLE to N, as it will allow for better performance.  Even if there is no visual output to display data on, the simple fact of "printing" still takes CPU cycles, and under heavy conditions this could significantly slow performance.

- in mondir.txt, make sure that each entry is a full path and file name.  For log files whose name you don't know in advance, put a '*' as the file name.

- in config.txt, make sure that all your path names end with a '\'

- Configuration files are locked when the program is running.  If you wish to deploy a new configuration on existing installations of LogAgent 3.0 or 4.0, you have to stop the program first.  With LogAgent 3.0 Pro or 4.0 Pro, when running as a service, simply type the command "net stop logagent" to stop it, and "net start logagent" to make it run again.

- Not really an issue, but more of an installation note, if you plan to compile LogAgent manually (without the install pack).  You need to install the AdvNotify Perl module originally available at http://www.generation.net/~aminer/Perl/.  However, this site now appears to be down, so you can find the Perl modules at http://www.geocities.com/floydian_99/AdvNotify.zip.  If you use LogAgent on a single machine with Perl installed, this will work fine, but if you want to deploy it on a network you need to change the DLL_PATH variable in AdvNotify.pm from "$DLLPath =$Config{installsitearch}."\\auto\\Win32\\AdvNotify\\advnotify.dll";" to "$DLLPath =$ENV{SystemRoot}."\\System32\\advnotify.dll";" before compilation, and copy the file advnotify.dll to \winnt\system32.  AdvNotify.pm and AdvNotify.dll are buried deep in the Perl tree, so just use the file Find to locate them.  This way it will be easier to deploy.

- On NT4, when you do a File, Find, there may be a delay before the Find window appears.  This is caused somehow by AdvNotify, but I don't know more about it and the problem is not consistent.

Other issues have currently been fixed.

5. How to install

This works on Windows NT4 SP3 and above, Windows 2000 and XP.

To install LogAgent:

- Download the free or the commercial version zip files at http://securit.iquebec.com/

- Unzip the file in a directory of its own

- Copy AdvNotify.dll to %WinDir%\system32\

- The files config.txt, mondir.txt and log40free.exe need to be in the same directory for the free version to work; the files config.txt, mondir.txt, license.txt, adsscan.exe, hashgen.exe, integcheck.exe, hash_conf.txt and log40pro.exe need to be in the same directory for the commercial version to work.  hashgen.exe will also eventually produce a hash_log.txt file in the same directory.  Additionally, the file logserv.exe also needs to be in the same directory if you intend to run LogAgent Pro as a service.

- Configure LogAgent using config.txt and mondir.txt (and hash_log.txt for the integrity checker, and license.txt if you purchased supplemental licenses for LogAgent 4.0 Pro)

- Run the executable to make it run normally (or use a shortcut in the Start Up group)
  OR
- Type 'logserv install' to install LogAgent as a service (run under the System account, starts automatically).  Alternatively, type 'logserv remove' to remove the service.  You need administrative rights on the local machine to add LogAgent as a service.  Once installed as a service, it will start automatically at next boot-up.  Alternatively, you can start it right away just like any normal service by typing 'net start logagent', and stop it by typing 'net stop logagent'.

You can also use the batch file setup.bat for deployment (make sure to make the correct changes to mondir.txt, config.txt and license.txt before copying them to your workstations).  Feel free to modify this batch file to suit your deployment purposes.

6. How to configure

LogAgent 4.0, like its predecessors, is configured via 2 files, config.txt and mondir.txt.  LogAgent 4.0 Pro also has the file license.txt associated with it; this file contains the license string that validates the use of the Pro version.  It ships by default with a 5-user evaluation license.  You only need to modify this file if you purchased additional licenses for your network.  The LogAgent 4.0 Pro companion programs hashgen and integcheck are configured with hash_conf.txt and hash_log.txt (generated by hashgen.exe).  Finally, hashgen.exe, integcheck.exe and adsscan.exe all use config.txt in order to have the same configuration as LogAgent for reporting their activities.

config.txt consists of 8 headered lines, each with its associated configuration value (Y/N), followed by the list of DESTINATION directories where you want to send your logs.  I've put the word in capital letters, since this has led to a little bit of confusion with some users of the previous versions.  You can put as many destination folders as you want, 1 per line, local or remote.  Alternatively, you can also put a NULL directory, if you want to keep your logs where they are (for example, if you only want to watch the logs, or simply print them).

The headers of config.txt are as follows:

LOGIP= Put Y if you want to append the IP address of the local machine to your log
LOGHOST= Put Y if you want to append the hostname of the local machine to your log
LOGUSER= Put Y if you want to append the username to your log (not useful when run as a service)
LOGDATE= Put Y if you want to append the date of logging to your log
LOGTIME= Put Y if you want to append the time of logging to your log
SHOWCONSOLE= Put Y if you want to display the logs on the console, put N when run as a service for better performance
LINEPRINT= Put Y to send the output to LPT1 (this feature is still considered beta)
LINEPRINT BUFFER= Put the number of lines you want to buffer before it is sent to the printer (a sorry emulation for lineprinting), this line is not taken into account when LINEPRINT is set to N

These are followed by a list of destination directories where you want to send your logs:
C:\dir1\
\\server1\share$\
...

or alternatively, simply type
NULL

The file mondir.txt contains a list of log files you want LogAgent to monitor and collect data from, 1 file per line.  This is a slight change from previous versions, introduced with version 3.0: previously it was a list of directories to monitor, and specifying the filename was optional.  This is not a fundamental change, since you can still specify directories without knowing the filename; in this case, simply put a '*' as the filename.  This ensures the integrity of the pathname (it avoids forgetting the \ at the end of the folder name).  Alternatively, if you only wish to monitor the Event Viewer and nothing else, simply type NULL in the file.

7. How to use

With the new flexibility added in LogAgent 4.0, it is now easier than ever to modify its behavior and make it suit your log management needs.  Depending on your network architecture, you can configure it so that it monitors the Event Viewer logs and some security applications (antivirus, personal firewall, etc.) in the background (as a service) on your users' desktops and centralizes this data on a single file server, and configure it on your file server to monitor and display on the console and on a printer the local Event Viewer logs and the centralized log files your server hosts.

User desktop (forwards its logs to file server servername):

config.txt=
LOGIP=Y
LOGHOST=Y
LOGUSER=Y
LOGDATE=Y
LOGTIME=Y
SHOWCONSOLE=N
LINEPRINT=N
LINEPRINT BUFFER=0
\\servername\shareddir$\

mondir.txt=
c:\Program Files\Antivirus\Log\virlog.txt
C:\Winnt\Internet Logs\*

File server servername:

config.txt=
LOGIP=N
LOGHOST=N
LOGUSER=N
LOGDATE=N
LOGTIME=N
SHOWCONSOLE=Y
LINEPRINT=Y
LINEPRINT BUFFER=30
NULL

mondir.txt=
C:\shareddir\*

Alternatively, on your centralized file server, you could wish to move your logs from the shared folder to a directory accessible only by a local account, in order to make your logs more secure, by configuring it like this:

config.txt=
LOGIP=N
LOGHOST=N
LOGUSER=N
LOGDATE=N
LOGTIME=N
SHOWCONSOLE=Y
LINEPRINT=Y
LINEPRINT BUFFER=30
C:\secureddir\

mondir.txt=
C:\shareddir\*

In a bigger environment, you could easily forward each department's users to departmental log servers, where each department's support staff could keep an active eye on the logs via the console, and centralize each of these servers to a central corporate server where logs are backed up and/or printed for secure storage.  Your imagination is the limit.  Note that the field LOGUSER is valuable mainly when LogAgent is run as a normal program (like LogAgent 3.0 Free and previous versions), but it is far easier for a user and/or intruder to kill the process in this mode.  When run as a service (LogAgent 4.0 Pro), LogAgent runs under the SYSTEM account, making it more reliable as a security program, but it obscures the real logged-on username.

adsscan.exe is a standalone program (but it still needs config.txt to be in the same directory) that will scan all local fixed NTFS partitions for alternate data streams.  Alternate data streams, or ADS, are an undocumented feature of the NTFS file system, allowing a user to append a file to another without it being visible through the file system interface (Windows Explorer or the dir command at the command prompt).  For example, someone could append an executable file to a bitmap, and all you could see is the bitmap.  ADS are accessible from the command prompt by calling the first file, followed by ':', then the hidden file.  For example, after you use the example script astream.pl provided on Harlan Carvey's page (http://patriot.net/~carvdawg/perl.html; the script attaches a text alternate data stream to a bitmap), you can access the original file by typing 'mspaint lanmannt.bmp' and you can access the ADS data by typing 'notepad lanmannt.bmp:test.txt'.  For more information about ADS, search Google for 'alternate data streams'.  LogAgent 4.0 Pro launches adsscan.exe automatically for you.

hashgen.exe and integcheck.exe are the two parts of a file system integrity checker, in the style of the famous software Tripwire.  This concept is also known as host-based intrusion detection.  In fact, these programs are derived from Harlan Carvey's scripts presented in the appendices of one of my previous papers, "A poorman tripwire-like system on Windows 9x/NT".  Both of these programs rely on config.txt to know where to send their own logs.  They use MD5 and SHA1 hashes for better security than a single hash.  hashgen.exe needs the file hash_conf.txt to know which files to hash, and sends its output to hash_log.txt.  hash_conf.txt is a list of files or directories (non-recursive) you want to check for integrity.  Even though I took every possible step to keep these files locked while LogAgent is running, it is still possible to simply overwrite them.  For this reason, if hashgen.exe overwrites an existing hash_log.txt file, it will report that it did so, flagging potential abuse.  In theory, you should need to run hashgen only once, unless you make changes to your system, or wish to include files that were not taken into account previously.  The rest of the time, you will run integcheck.exe, which tests your system's integrity against hash_log.txt.  Discrepancies are forwarded to the destinations specified in config.txt.  If you have not run hashgen.exe prior to launching LogAgent 4.0 Pro, LogAgent will run hashgen.exe for you, but hash_log.txt will not be locked until the next time LogAgent is started.  Otherwise, LogAgent 4.0 Pro will automatically run integcheck.exe for you.
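The hashgen/integcheck pair described above, as an added example written for this paper (it is not the hashgen.exe or integcheck.exe shipped with LogAgent Pro, nor Harlan Carvey's scripts). It follows the behaviour the text describes: hash_conf.txt entries are files or directories (directories are not recursed), the baseline generator computes both MD5 and SHA1, it reports when it overwrites an existing hash_log.txt, and the checker reports every file whose hashes differ from the baseline or which has gone missing. The `path,md5,sha1` line format of hash_log.txt, the function names and the temporary files in the demo are assumptions of this example.

```python
"""Double-hash (MD5 + SHA1) baseline generator and integrity checker.

Added example, not LogAgent's hashgen.exe/integcheck.exe. The baseline line
format 'path,md5,sha1' is an assumption.
"""
import hashlib
import os
import tempfile


def double_hash(path):
    """Return (md5 hex, sha1 hex) of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def expand_conf(conf_lines):
    """Turn hash_conf.txt entries into the files to hash. Directories are NOT recursed."""
    files = []
    for entry in conf_lines:
        entry = entry.strip()
        if not entry:
            continue
        if os.path.isdir(entry):
            for name in sorted(os.listdir(entry)):
                full = os.path.join(entry, name)
                if os.path.isfile(full):
                    files.append(full)
        elif os.path.isfile(entry):
            files.append(entry)
    return files


def hashgen(conf_lines, log_path):
    """Write the baseline. Returns report lines; overwriting a baseline is flagged."""
    report = []
    if os.path.exists(log_path):
        report.append("WARNING: overwriting existing baseline %s" % log_path)
    targets = expand_conf(conf_lines)          # listed before the baseline file is created
    with open(log_path, "w") as out:
        for path in targets:
            md5, sha1 = double_hash(path)
            out.write("%s,%s,%s\n" % (path, md5, sha1))
    return report


def integcheck(log_path):
    """Compare the file system against the baseline. Returns discrepancy lines."""
    problems = []
    with open(log_path) as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            path, md5, sha1 = line.rsplit(",", 2)   # rsplit keeps commas inside paths intact
            if not os.path.isfile(path):
                problems.append("MISSING %s" % path)
                continue
            cur_md5, cur_sha1 = double_hash(path)
            if cur_md5 != md5 or cur_sha1 != sha1:
                problems.append("MODIFIED %s" % path)
    return problems


def demo():
    """Constructed run: baseline two files, then tamper with one and delete the other."""
    with tempfile.TemporaryDirectory() as tmp:
        watched = os.path.join(tmp, "watched")
        os.mkdir(watched)
        a = os.path.join(watched, "a.exe")
        b = os.path.join(watched, "b.dll")
        for path, data in ((a, b"original binary"), (b, b"original library")):
            with open(path, "wb") as fh:
                fh.write(data)
        log = os.path.join(tmp, "hash_log.txt")   # kept outside the watched directory
        first_report = hashgen([watched], log)
        clean = integcheck(log)
        with open(a, "wb") as fh:
            fh.write(b"tampered binary")
        os.remove(b)
        dirty = integcheck(log)
        second_report = hashgen([watched], log)    # re-run: must flag the overwrite
        return first_report, clean, dirty, second_report


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Keeping hash_log.txt outside every directory listed in hash_conf.txt matters: otherwise the baseline would record a hash of itself and report a change on every run.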

The rest of the data generated by LogAgent is derived from previous work from Harlan Carvey.  It is generated automatically, and the data is automatically forwarded to the destinations specified in config.txt.

8. Conclusion

Now in its fourth version, LogAgent finally provides all the logging capabilities every Windows network administrator could wish for, and even more.  Not only can it monitor and forward regular ASCII log files, it can now do the same thing with the Event Viewer logs (check your auditing options in the User Manager for logging granularity; you also have to turn auditing on).  Centralized logs can be displayed in real time on the console or sent to a printer.  In short, it finally brings Windows log management to a level comparable to what is done on Unix platforms, and one can only wonder why this has not been done before by Microsoft itself.

On top of that, LogAgent 4.0 Pro generates its own logs related to specific aspects of intrusion detection/forensics: running services, open shares, startup items, alternate data stream detection and integrity checking.  The ADS scanner and integrity checker can also be used as standalone programs by users of LogAgent 4.0 Open Source.

Now, this will bring log centralisation and analysis to a new summit in the Windows world, but it will eventually also bring the problem of having too many logs to handle.  One way to solve this problem is to break down your logs into centralized "units", for example by department, so that the volume of the whole network is split between various teams.  Another solution would be to have an automated analyzer that could simplify the administrator's job by delivering the information in an easy-to-understand format, which is the goal LogIDS 1.0 aims to achieve.

Appendix A. Sample log files

Here is a small sample of log files that can be monitored using LogAgent.  Displayed here is a sample from Event Viewer, and some logs generated by ZoneAlarm, GetRight, Winetd and ComLog, gathered from various sessions.

AppEvent.log

10.0.0.2 Application Event Entry 0:
Time Generated : Thu Feb 27 14:29:38 2003
Time Written : Thu Feb 27 14:29:38 2003
Computer: DARKSIDE   Source: LogAgent started successfully


10.0.0.2 Application Event Entry 1:
Time Generated : Thu Feb 27 14:31:43 2003
Time Written : Thu Feb 27 14:31:43 2003
Computer: DARKSIDE   Source: LogAgent terminated.

SysEvent.log

10.0.0.2 System Event Entry 1:
Time Generated : Sun Mar  2 15:21:19 2003
Time Written : Sun Mar  2 15:21:19 2003
Computer: DARKSIDE   Source :atapi
The device, \Device\ScsiPort0, did not respond within the timeout period.

10.0.0.2 System Event Entry 2:
Time Generated : Sun Mar  2 15:22:38 2003
Time Written : Sun Mar  2 15:22:38 2003
Computer: DARKSIDE   Source :atapi
The device, \Device\ScsiPort0, did not respond within the timeout period.

10.0.0.2 System Event Entry 3:
Time Generated : Sun Mar  2 15:23:26 2003
Time Written : Sun Mar  2 15:23:26 2003
Computer: DARKSIDE   Source :EventLog
The Event log service was stopped.

10.0.0.2 System Event Entry 4:
Time Generated : Sun Mar  2 15:57:20 2003
Time Written : Sun Mar  2 15:57:20 2003
Computer: DARKSIDE   Source :EventLog
Microsoft (R) Windows NT (R) 4.0 1381 Service Pack 6 Uniprocessor Free.

10.0.0.2 System Event Entry 5:
Time Generated : Sun Mar  2 15:57:20 2003
Time Written : Sun Mar  2 15:57:20 2003
Computer: DARKSIDE   Source :EventLog
The Event log service was started.

10.0.0.2 System Event Entry 6:
Time Generated : Sun Mar  2 16:02:28 2003
Time Written : Sun Mar  2 16:02:28 2003
Computer: DARKSIDE   Source :Srv
The C: disk is at or near capacity.  You may need to delete some files.

10.0.0.2 System Event Entry 7:
Time Generated : Sun Mar  2 16:02:28 2003
Time Written : Sun Mar  2 16:02:28 2003
Computer: DARKSIDE   Source :Srv
The G: disk is at or near capacity.  You may need to delete some files.

10.0.0.2 System Event Entry 8:
Time Generated : Sun Mar  2 16:02:28 2003
Time Written : Sun Mar  2 16:02:28 2003
Computer: DARKSIDE   Source :Srv
The H: disk is at or near capacity.  You may need to delete some files.

SecEvent.log

10.0.0.2 Security Event Entry 1:
Time Generated : Wed Feb 26 13:39:05 2003
Time Written : Wed Feb 26 13:39:05 2003
Computer: DARKSIDE   Source: Security
A process has exited:
	Process ID:	2167673056
	User Name:	Administrator
	Domain:		DARKSIDE
	Logon ID:		(0x0,0x251D)

10.0.0.2 Security Event Entry 2:
Time Generated : Wed Feb 26 13:39:08 2003
Time Written : Wed Feb 26 13:39:08 2003
Computer: DARKSIDE   Source: Security
A new process has been created:
	New Process ID:	2212257824
	Image File Name:	log30pro.exe
	Creator Process ID:	2153769312
	User Name:	Administrator
	Domain:		DARKSIDE
	Logon ID:		(0x0,0x251D)

10.0.0.2 Security Event Entry 3:
Time Generated : Wed Feb 26 13:39:10 2003
Time Written : Wed Feb 26 13:39:10 2003
Computer: DARKSIDE   Source: Security
Privileged object operation:
	Object Server:	EventLog
	Object Handle:	0
	Process ID:	2154066208
	Primary User Name:	SYSTEM
	Primary Domain:	NT AUTHORITY
	Primary Logon ID:	(0x0,0x3E7)
	Client User Name:	Administrator
	Client Domain:	DARKSIDE
	Client Logon ID:	(0x0,0x251D)
	Privileges:	SeSecurityPrivilege

10.0.0.2 Security Event Entry 4:
Time Generated : Wed Feb 26 13:39:13 2003
Time Written : Wed Feb 26 13:39:13 2003
Computer: DARKSIDE   Source: Security
A new process has been created:
	New Process ID:	2193488416
	Image File Name:	pslist.exe
	Creator Process ID:	2191546144
	User Name:	Administrator
	Domain:		DARKSIDE
	Logon ID:		(0x0,0x251D)

10.0.0.2 Security Event Entry 5:
Time Generated : Wed Feb 26 13:39:16 2003
Time Written : Wed Feb 26 13:39:16 2003
Computer: DARKSIDE   Source: Security
A process has exited:
	Process ID:	2193488416
	User Name:	Administrator
	Domain:		DARKSIDE
	Logon ID:		(0x0,0x251D)

10.0.0.2 Security Event Entry 6:
Time Generated : Wed Feb 26 13:39:33 2003
Time Written : Wed Feb 26 13:39:33 2003
Computer: DARKSIDE   Source: Security
A new process has been created:
	New Process ID:	2184548736
	Image File Name:	pskill.exe
	Creator Process ID:	2191546144
	User Name:	Administrator
	Domain:		DARKSIDE
	Logon ID:		(0x0,0x251D)

10.0.0.2 Security Event Entry 7:
Time Generated : Wed Feb 26 13:39:33 2003
Time Written : Wed Feb 26 13:39:33 2003
Computer: DARKSIDE   Source: Security
A process has exited:
	Process ID:	2184548736
	User Name:	Administrator
	Domain:		DARKSIDE
	Logon ID:		(0x0,0x251D)
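A parser for the multi-line Event Viewer records shown in this appendix, as an added example written for this paper (not LogAgent's or LogIDS's code). It splits the text into records on the "ip Log Event Entry N:" header, captures the two timestamps, the computer and source (tolerating both the "Source: X" and "Source :X" spellings seen above), keeps the remaining lines as the message, and then runs a small detection pass over the Security records: it lists every process-creation event with its image name and user, and flags image names on a watchlist. The embedded sample is copied from the SecEvent.log excerpt above (entries 1, 2 and 4); the watchlist and function names are assumptions of this example.

```python
"""Parser and simple detection pass for LogAgent-forwarded Event Viewer records.

Added example, not LogAgent's own code. Record layout follows Appendix A.
"""
import re

HEADER = re.compile(r"^(\S+) (\w+) Event Entry (\d+):$")
COMPUTER = re.compile(r"^Computer:\s*(\S+)\s+Source\s*:\s*(.*)$")


def parse_entries(text):
    """Split forwarded Event Viewer text into a list of record dicts."""
    entries = []
    cur = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER.match(line)
        if m:
            cur = {"ip": m.group(1), "log": m.group(2), "entry": int(m.group(3)),
                   "generated": None, "written": None, "computer": None,
                   "source": None, "message": []}
            entries.append(cur)
            continue
        if cur is None or not line.strip():
            continue                                  # text before the first header, or blank
        if line.startswith("Time Generated"):
            cur["generated"] = line.split(":", 1)[1].strip()
        elif line.startswith("Time Written"):
            cur["written"] = line.split(":", 1)[1].strip()
        else:
            m = COMPUTER.match(line)
            if m:
                cur["computer"], cur["source"] = m.group(1), m.group(2).strip()
            else:
                cur["message"].append(line.strip())   # detail lines keep their 'Key:\tValue' form
    return entries


def _details(entry):
    """Turn the tab-separated 'Key:\\tValue' lines after the first message line into a dict."""
    details = {}
    for line in entry["message"][1:]:
        key, _, value = line.partition(":")
        details[key.strip()] = value.strip()
    return details


def process_creations(entries):
    """Return (entry number, image file name, user) for each process-creation audit record."""
    found = []
    for e in entries:
        if e["log"] != "Security" or not e["message"]:
            continue
        if e["message"][0] != "A new process has been created:":
            continue
        d = _details(e)
        found.append((e["entry"], d.get("Image File Name"), d.get("User Name")))
    return found


def watched_images(entries, watchlist):
    """Entry numbers whose created image is on the (case-insensitive) watchlist."""
    wanted = {w.lower() for w in watchlist}
    return [num for num, image, _ in process_creations(entries)
            if image and image.lower() in wanted]


# Sample copied from the SecEvent.log excerpt in Appendix A (entries 1, 2 and 4).
SAMPLE = (
    "10.0.0.2 Security Event Entry 1:\n"
    "Time Generated : Wed Feb 26 13:39:05 2003\n"
    "Time Written : Wed Feb 26 13:39:05 2003\n"
    "Computer: DARKSIDE   Source: Security\n"
    "A process has exited:\n"
    "\tProcess ID:\t2167673056\n"
    "\tUser Name:\tAdministrator\n"
    "\tDomain:\t\tDARKSIDE\n"
    "\tLogon ID:\t\t(0x0,0x251D)\n\n"
    "10.0.0.2 Security Event Entry 2:\n"
    "Time Generated : Wed Feb 26 13:39:08 2003\n"
    "Time Written : Wed Feb 26 13:39:08 2003\n"
    "Computer: DARKSIDE   Source: Security\n"
    "A new process has been created:\n"
    "\tNew Process ID:\t2212257824\n"
    "\tImage File Name:\tlog30pro.exe\n"
    "\tCreator Process ID:\t2153769312\n"
    "\tUser Name:\tAdministrator\n"
    "\tDomain:\t\tDARKSIDE\n"
    "\tLogon ID:\t\t(0x0,0x251D)\n\n"
    "10.0.0.2 Security Event Entry 4:\n"
    "Time Generated : Wed Feb 26 13:39:13 2003\n"
    "Time Written : Wed Feb 26 13:39:13 2003\n"
    "Computer: DARKSIDE   Source: Security\n"
    "A new process has been created:\n"
    "\tNew Process ID:\t2193488416\n"
    "\tImage File Name:\tpslist.exe\n"
    "\tCreator Process ID:\t2191546144\n"
    "\tUser Name:\tAdministrator\n"
    "\tDomain:\t\tDARKSIDE\n"
    "\tLogon ID:\t\t(0x0,0x251D)\n"
)

if __name__ == "__main__":
    records = parse_entries(SAMPLE)
    print(process_creations(records))
    print(watched_images(records, {"pslist.exe"}))   # constructed watchlist
```

The same parser handles the AppEvent.log and SysEvent.log excerpts above, since they share the header and timestamp lines; only the detection functions are specific to the Security log's audit records.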

ZALog.txt

PE,2000/09/25,18:53:00 -5:00 GMT,ZoneAlarm Internet Security Utility,203.110.251.2:53,N/A
FWIN,2000/09/25,18:57:00 -5:00 GMT,65.229.239.88:1901,65.227.240.78:139,TCP
FWIN,2000/09/25,19:19:22 -5:00 GMT,65.228.69.89:2936,65.227.240.78:139,TCP
PE,2000/09/25,19:37:49 -5:00 GMT,Xnews,203.110.251.2:53,N/A
PE,2000/09/25,19:38:06 -5:00 GMT,Xnews,203.110.251.2:53,N/A

getright.log

2000/09/25-19:04:36:  File: D:\downloads\Hack\telnet server\fd-update.zip.GetRight = http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:04:39:  (Re)Started download: http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:04:40:  Could not resume (restarting from 0): http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:04:58:  (Re)Started download: http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:04:58:  Could not resume (restarting from 0): http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:05:16:  File: D:\downloads\Hack\telnet server\fd-update.zip.GetRight = http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:05:16:  (Re)Started download: http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:05:17:  Could not resume (restarting from 0): http://rapidus.tucows.com/files/fd-update.zip
2000/09/25-19:09:20:  File: D:\downloads\Hack\proxy\CProxy.zip.GetRight = http://rapidus.tucows.com/files2/CProxy.zip
2000/09/25-19:09:21:  (Re)Started download: http://rapidus.tucows.com/files2/CProxy.zip
2000/09/25-19:09:22:  Resumed: http://rapidus.tucows.com/files2/CProxy.zip at: 0 
2000/09/25-19:10:28:  File: D:\downloads\Hack\proxy\as-setup.exe.GetRight = http://rapidus.tucows.com/files2/as-setup.exe
2000/09/25-19:10:28:  (Re)Started download: http://rapidus.tucows.com/files2/as-setup.exe
2000/09/25-19:10:33:  Resumed: http://rapidus.tucows.com/files2/as-setup.exe at: 0 
2000/09/25-19:13:23:  File: D:\downloads\Hack\telnet server\fd-update.zip.GetRight = http://cny.tucows.com/files/fd-update.zip
2000/09/25-19:13:27:  (Re)Started download: http://cny.tucows.com/files/fd-update.zip
2000/09/25-19:13:27:  Could not resume (restarting from 0): http://cny.tucows.com/files/fd-update.zip
2000/09/25-19:13:33:  (Re)Started download: http://rapidus.tucows.com/files2/CProxy.zip
2000/09/25-19:13:35:  Resumed: http://rapidus.tucows.com/files2/CProxy.zip at: 519767 
2000/09/25-19:13:35:  (Re)Started download: http://rapidus.tucows.com/files2/as-setup.exe
2000/09/25-19:13:40:  Resumed: http://rapidus.tucows.com/files2/as-setup.exe at: 49638 
2000/09/25-19:30:36:  Finished downloading: http://rapidus.tucows.com/files2/CProxy.zip
2000/09/25-19:31:50:  (Re)Started download: http://rapidus.tucows.com/files2/as-setup.exe
2000/09/25-19:31:51:  Resumed: http://rapidus.tucows.com/files2/as-setup.exe at: 49638 
2000/09/25-19:44:25:  Finished downloading: http://rapidus.tucows.com/files2/as-setup.exe

bind.log

bind() listening to port 3 - 18:53:18 - 09/25/2000
bind() listening to port 13 - 18:53:18 - 09/25/2000
bind() listening to port 23 - 18:53:18 - 09/25/2000
bind() listening to port 25 - 18:53:18 - 09/25/2000
bind() listening to port 137 - 18:53:18 - 09/25/2000
bind() listening to port 139 - 18:53:18 - 09/25/2000
bind() listening to port 139 - 18:53:18 - 09/25/2000

restart.log

server restart- - 10:34:15 - 09/25/2000

shutdown.log

shutdown - - 10:29:40 - 09/25/2000

startup.log

Starting Server: darkside  - 18:53:17 - 09/25/2000
Starting Server: darkside  - 18:53:17 - 09/25/2000

ComLog Session

10.0.0.2 darkside Mon Mar  3 15:33:59 2003
10.0.0.2 darkside Microsoft(R) Windows NT(TM)
10.0.0.2 darkside (C) Copyright 1985-1996 Microsoft Corp.
10.0.0.2 darkside Mon Mar  3 15:33:59 2003
10.0.0.2 darkside D:/>
10.0.0.2 darkside dir
10.0.0.2 darkside Mon Mar  3 15:34:02 2003
10.0.0.2 darkside Volume in drive D is Dark Side
10.0.0.2 darkside Volume Serial Number is 0480-D01C
10.0.0.2 darkside Directory of D:/
10.0.0.2 darkside 02/26/03  01:29a        <DIR>          Dev
10.0.0.2 darkside 08/04/02  03:39a                   886 dirlog.txt
10.0.0.2 darkside 02/04/03  03:43p        <DIR>          downloads
10.0.0.2 darkside 08/06/02  02:23a                   266 history.txt
10.0.0.2 darkside 01/26/03  05:33p        <DIR>          Log
10.0.0.2 darkside 03/03/03  11:09a                19,415 md5.exe
10.0.0.2 darkside 01/02/01  02:57p        <DIR>          movies
10.0.0.2 darkside 07/24/01  11:59a        <DIR>          Musique
10.0.0.2 darkside 08/06/02  07:44a        <DIR>          NONE
10.0.0.2 darkside 09/16/02  09:08a        <DIR>          Pack
10.0.0.2 darkside 03/03/03  01:29p            67,108,864 pagefile.sys
10.0.0.2 darkside 02/13/03  11:00p        <DIR>          Program Files
10.0.0.2 darkside 03/03/03  03:33p        <DIR>          TEMP
10.0.0.2 darkside 04/30/02  01:33p        <DIR>          Test
10.0.0.2 darkside 08/08/02  02:06p                     0 tutor
10.0.0.2 darkside 10/15/00  03:06p        <DIR>          VIRUSES
10.0.0.2 darkside 03/02/03  04:25p        <DIR>          WINNT
10.0.0.2 darkside 05/24/02  05:22p                    92 WINNTdun.bat
10.0.0.2 darkside 03/03/03  03:16p        <DIR>          work
10.0.0.2 darkside 19 File(s)     67,129,523 bytes
10.0.0.2 darkside 395,953,152 bytes free
10.0.0.2 darkside Mon Mar  3 15:34:03 2003
10.0.0.2 darkside D:/>
10.0.0.2 darkside cd test
10.0.0.2 darkside Mon Mar  3 15:34:13 2003
10.0.0.2 darkside Mon Mar  3 15:34:13 2003
10.0.0.2 darkside D:/Test>
10.0.0.2 darkside dir
10.0.0.2 darkside Mon Mar  3 15:34:14 2003
10.0.0.2 darkside Volume in drive D is Dark Side
10.0.0.2 darkside Volume Serial Number is 0480-D01C
10.0.0.2 darkside Directory of D:/Test
10.0.0.2 darkside 04/30/02  01:33p        <DIR>          .
10.0.0.2 darkside 04/30/02  01:33p        <DIR>          ..
10.0.0.2 darkside 04/30/02  01:37p                 2,784 adam.log
10.0.0.2 darkside 04/30/02  01:36p                 3,404 test.bat
10.0.0.2 darkside 04/30/02  01:39p                 5,695 test.txt
10.0.0.2 darkside 5 File(s)         11,883 bytes
10.0.0.2 darkside 395,951,616 bytes free
10.0.0.2 darkside Mon Mar  3 15:34:15 2003
10.0.0.2 darkside D:/Test>
10.0.0.2 darkside cd ..
10.0.0.2 darkside Mon Mar  3 15:34:30 2003
10.0.0.2 darkside Mon Mar  3 15:34:30 2003
10.0.0.2 darkside D:/>
10.0.0.2 darkside cd log
10.0.0.2 darkside Mon Mar  3 15:34:38 2003
10.0.0.2 darkside Mon Mar  3 15:34:39 2003
10.0.0.2 darkside D:/Log>
10.0.0.2 darkside dir
10.0.0.2 darkside Mon Mar  3 15:34:40 2003
10.0.0.2 darkside Volume in drive D is Dark Side
10.0.0.2 darkside Volume Serial Number is 0480-D01C
10.0.0.2 darkside Directory of D:/Log
10.0.0.2 darkside 01/26/03  05:33p        <DIR>          .
10.0.0.2 darkside 01/26/03  05:33p        <DIR>          ..
10.0.0.2 darkside 02/04/03  01:56p                15,369 AppEvent.log
10.0.0.2 darkside 01/22/03  11:43p                17,586 IAMDB.RDB
10.0.0.2 darkside 11/28/02  02:06a               718,541 log10.exe
10.0.0.2 darkside 11/28/02  02:06a                 2,724 log10.pl
10.0.0.2 darkside 01/26/03  05:33p                 4,372 log30pro.exe
10.0.0.2 darkside 09/11/02  10:54a                27,905 old logs.rar
10.0.0.2 darkside 02/04/03  01:54p               398,187 SecEvent.log
10.0.0.2 darkside 02/04/03  01:56p                32,766 SysEvent.log
10.0.0.2 darkside 11/28/02  01:59a                   751 ZALog.txt
10.0.0.2 darkside 12 File(s)      1,218,371 bytes
10.0.0.2 darkside 395,950,592 bytes free
10.0.0.2 darkside Mon Mar  3 15:34:40 2003
10.0.0.2 darkside D:/Log>
10.0.0.2 darkside type zalog.txt
10.0.0.2 darkside Mon Mar  3 15:34:52 2003
10.0.0.2 darkside 10.0.0.2 darkside Adam PE,2002/11/23,01:39:14 -5:00 GMT,Task Scheduler Engine,0.0.0.0:0,N/A
10.0.0.2 darkside 10.0.0.2 darkside Adam FWIN,2002/11/28,01:50:32 -5:00 GMT,24.200.65.250:137,10.0.0.2:137,UDP
10.0.0.2 darkside 10.0.0.2 darkside Adam FWIN,2002/11/28,01:50:38 -5:00 GMT,10.0.0.1:137,10.0.0.2:137,UDP
10.0.0.2 darkside 10.0.0.2 darkside Adam FWIN,2002/11/28,01:52:00 -5:00 GMT,24.200.65.250:3269,10.0.0.2:139,TCP
10.0.0.2 darkside 10.0.0.2 darkside Adam FWIN,2002/11/28,01:55:20 -5:00 GMT,24.200.65.250:3275,10.0.0.2:139,TCP
10.0.0.2 darkside 10.0.0.2 darkside Adam FWIN,2002/11/28,01:56:02 -5:00 GMT,24.200.65.250:3278,10.0.0.2:139,TCP
10.0.0.2 darkside 10.0.0.2 darkside Adam FWIN,2002/11/28,01:57:38 -5:00 GMT,24.200.65.250:3284,10.0.0.2:139,TCP
10.0.0.2 darkside 10.0.0.2 darkside Adam FWIN,2002/11/28,01:59:00 -5:00 GMT,24.200.65.250:3292,10.0.0.2:139,TCP
10.0.0.2 darkside Mon Mar  3 15:34:52 2003
10.0.0.2 darkside D:/Log>
10.0.0.2 darkside exit
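
Every line of a ComLog session reaches the central log prefixed with the sending host's IP and name, with ComLog's own time stamps interleaved between the console output; the typed command is the line that follows a prompt line such as "D:/Log>". The Python below is an added example, not ComLog's or LogAgent's own code, that strips the prefix, recognises the time stamps and prompts, and recovers the list of commands the operator typed together with the directory they were typed in and the last time stamp seen before each. The session text it uses is a constructed, shortened version of the listing above; the prompt pattern (drive letter, colon, path, ">") and the ctime-style stamp are assumptions taken from that sample.

```python
"""Reconstruct the commands typed in a ComLog session from LogAgent's prefixed
output. Added illustration; not ComLog's or LogAgent's own code."""
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Constructed sample in the "<ip> <host> <line>" layout of the paper's ComLog listing.
SAMPLE_SESSION = """\
10.0.0.2 darkside Mon Mar  3 15:33:59 2003
10.0.0.2 darkside Microsoft(R) Windows NT(TM)
10.0.0.2 darkside D:/>
10.0.0.2 darkside dir
10.0.0.2 darkside Mon Mar  3 15:34:02 2003
10.0.0.2 darkside Volume in drive D is Dark Side
10.0.0.2 darkside Mon Mar  3 15:34:03 2003
10.0.0.2 darkside D:/>
10.0.0.2 darkside cd test
10.0.0.2 darkside Mon Mar  3 15:34:13 2003
10.0.0.2 darkside D:/Test>
10.0.0.2 darkside exit
"""

PREFIX_RE = re.compile(r"^(?P<ip>\S+) (?P<host>\S+) (?P<rest>.*)$")
PROMPT_RE = re.compile(r"^[A-Za-z]:[/\\].*>$")   # assumed prompt shape, e.g. "D:/Log>"
TIME_FMT = "%a %b %d %H:%M:%S %Y"                # ctime-style stamp as in the sample

class Command(NamedTuple):
    ip: str
    host: str
    when: Optional[datetime]   # last ComLog time stamp seen before the command
    cwd: str
    command: str

def _as_time(s: str) -> Optional[datetime]:
    """Return the parsed stamp if the line is one of ComLog's time lines, else None."""
    try:
        return datetime.strptime(s.strip(), TIME_FMT)
    except ValueError:
        return None

def extract_commands(text: str) -> List[Command]:
    """A prompt line is followed by the line the operator typed; everything
    else is program output or a ComLog time stamp."""
    commands: List[Command] = []
    last_time: Optional[datetime] = None
    pending_prompt: Optional[str] = None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue                                   # not a LogAgent-prefixed line
        rest = m["rest"].rstrip()
        stamp = _as_time(rest)
        if stamp is not None:
            last_time = stamp
            continue
        if PROMPT_RE.match(rest):
            pending_prompt = rest[:-1]                 # directory without the ">"
            continue
        if pending_prompt is not None:
            commands.append(Command(m["ip"], m["host"], last_time, pending_prompt, rest))
            pending_prompt = None
    return commands
```

On the sample this yields `dir` in D:/, `cd test` in D:/, and `exit` in D:/Test. Output of a command that itself contains a prompt-shaped line (typing a batch file, for instance) would be mistaken for a prompt, so the result is an operator's reading aid rather than an authoritative record; the full session text remains the evidence.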
