Security Log Analysis for Windows NT/2000/XP/2003

Title: Security Log Analysis for Windows NT/2000/XP/2003 (ID: EPS176)
Author(s): Kenneth J. Hoover (Yale University)
Topics: Authentication, Logging and Monitoring
Origin: Community Contributions (2003)
Type: Effective Practices
Abstract:

Windows NT-derived systems are able to record many kinds of information on user authentication. The logs generated are very detailed but difficult to analyze with the tools provided, which cannot summarize or report on the information that the log contains (other than a primitive filtering function). I wrote a Perl script, called logger.pl, that can read the security log from one or more Windows machines and summarize the information it contains to produce a report of what it finds, detailing the types of authentications that occurred, which usernames and client machines were involved, and the result. The output can be e-mailed to a given user (with PGP encryption available if PGP is installed on the host system), written to a file, or simply displayed on the screen. This script is very useful for many purposes, ranging from finding what systems a particular user has "touched" to summarizing authentication activity over a large number of systems. A recently added function generates a CSV file when multiple systems are scanned that can be imported and analyzed to produce, for example, a 3D graph of authentication activity on a user-to-machine basis. Logger has been enhanced repeatedly since its creation and now has many optional features that can deliver varying levels of detail in the output. Since others have found it useful, it is distributed freely to educational institutions of all kinds. The logger Web page contains full information on its features and use.
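The kind of summarization the abstract describes, as an added illustration that is not logger.pl itself (the Perl script is not reproduced on this page): authentication events are grouped by logon type, by user, by client machine and by result, a per-user list of "touched" machines is derived, and the user-to-machine counts are exported as CSV. The event records, server names and user names below are constructed; the dictionary record layout is an assumption standing in for whatever the real script reads from the event log; the event IDs and logon-type codes are the standard pre-Vista Security log values.

```python
"""Summarize NT/2000/XP/2003 Security log authentication events.

Added example, not logger.pl. SAMPLE_EVENTS is constructed data; the
record layout (server, event_id, user, client, logon_type) is an
assumption about how events would be read from the Security log.
"""
import csv
import io
from collections import Counter, defaultdict

# Pre-Vista Security log event IDs for logon auditing.
SUCCESS_IDS = {528: "successful logon", 540: "successful network logon"}
FAILURE_IDS = {
    529: "unknown user name or bad password",
    530: "logon time restriction violation",
    531: "account disabled",
    532: "account expired",
    535: "password expired",
    539: "account locked out",
}
# Logon Type field values as recorded in those events.
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlock", 10: "remote interactive", 11: "cached interactive"}

# Constructed sample: two servers, two users, one logoff (538) that is not
# an authentication event and must be ignored by the summary.
SAMPLE_EVENTS = [
    {"server": "FS1", "event_id": 540, "user": "alice", "client": "WS-ALICE", "logon_type": 3},
    {"server": "FS1", "event_id": 540, "user": "alice", "client": "WS-ALICE", "logon_type": 3},
    {"server": "FS1", "event_id": 529, "user": "bob", "client": "WS-BOB", "logon_type": 3},
    {"server": "FS1", "event_id": 529, "user": "bob", "client": "WS-BOB", "logon_type": 3},
    {"server": "FS1", "event_id": 529, "user": "bob", "client": "WS-BOB", "logon_type": 3},
    {"server": "FS1", "event_id": 528, "user": "bob", "client": "FS1", "logon_type": 2},
    {"server": "DC1", "event_id": 528, "user": "alice", "client": "DC1", "logon_type": 2},
    {"server": "DC1", "event_id": 539, "user": "bob", "client": "WS-BOB", "logon_type": 3},
    {"server": "DC1", "event_id": 538, "user": "alice", "client": "DC1", "logon_type": 2},
]


def classify(event):
    """Return (result, description) for an authentication event, else None."""
    eid = event["event_id"]
    if eid in SUCCESS_IDS:
        return "success", SUCCESS_IDS[eid]
    if eid in FAILURE_IDS:
        return "failure", FAILURE_IDS[eid]
    return None  # logoff, privilege use, etc. are not authentications


def summarize(events):
    """Aggregate events by logon type, user, client machine and result."""
    summary = {
        "by_type": Counter(),              # (logon type, result) -> count
        "by_user_result": Counter(),       # (user, result) -> count
        "by_client": Counter(),            # client machine -> count
        "user_machine": defaultdict(Counter),  # user -> server -> count
        "failures": Counter(),             # (user, client, reason) -> count
    }
    for ev in events:
        cls = classify(ev)
        if cls is None:
            continue
        result, reason = cls
        ltype = LOGON_TYPES.get(ev["logon_type"], "type %d" % ev["logon_type"])
        summary["by_type"][(ltype, result)] += 1
        summary["by_user_result"][(ev["user"], result)] += 1
        summary["by_client"][ev["client"]] += 1
        summary["user_machine"][ev["user"]][ev["server"]] += 1
        if result == "failure":
            summary["failures"][(ev["user"], ev["client"], reason)] += 1
    return summary


def machines_touched(summary, user):
    """Servers on which the user authenticated (or tried to), sorted."""
    return sorted(summary["user_machine"].get(user, {}))


def user_machine_csv(summary):
    """User-to-machine count matrix as CSV text, for import into a spreadsheet."""
    servers = sorted({s for counts in summary["user_machine"].values() for s in counts})
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["user"] + servers)
    for user in sorted(summary["user_machine"]):
        writer.writerow([user] + [summary["user_machine"][user][s] for s in servers])
    return buf.getvalue()


def report(summary, failure_threshold=3):
    """Plain-text report; flags (user, client) pairs at or above the threshold."""
    lines = ["Authentication summary by logon type:"]
    for (ltype, result), n in sorted(summary["by_type"].items()):
        lines.append("  %-20s %-8s %d" % (ltype, result, n))
    lines.append("Repeated failures:")
    for (user, client, reason), n in sorted(summary["failures"].items()):
        if n >= failure_threshold:
            lines.append("  %s from %s: %d x %s" % (user, client, n, reason))
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    print(report(s))
    print(user_machine_csv(s))
```

The logoff event (538) is dropped by classify(), so it never inflates the "touched" list; the locked-out event (539) on DC1 is what puts DC1 on bob's list even though he never succeeded there, which is exactly the sort of detail a per-user summary surfaces.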

© Copyright 1999-2009 EDUCAUSE