I had a big Microsoft Event Viewer log file and I wanted specific information from the log file. At first I was thinking about using Microsoft Excel to do some filtering, but that didn’t really help. At the end Linux did the trick. I used Cygwin under Windows to extract the specific information. The raw log file had the following format:
2/22/2010:1:14:46 PM:IAS:Information:None:1:N/A:BOOCHES01:User rene was granted access.
2/22/2010:1:09:15 PM:IAS:Information:None:1:N/A:BOOCHES01:User rene was granted access.
2/22/2010:12:19:58 PM:IAS:Information:None:1:N/A:BOOCHES01:User BOOCHES\test was granted access.
2/22/2010:12:03:24 PM:IAS:Information:None:1:N/A:BOOCHES01:User booches was granted access.
2/22/2010:11:58:54 AM:IAS:Information:None:1:N/A:BOOCHES01:User testuser was granted access.
2/22/2010:11:58:13 AM:IAS:Information:None:1:N/A:BOOCHES01:User booches was granted access.
2/22/2010:11:58:07 AM:IAS:Information:None:1:N/A:BOOCHES01:User BOOCHES\test was granted access.
2/22/2010:11:17:13 AM:IAS:Information:None:1:N/A:BOOCHES01:User testuser1 was granted access.
I needed to extract only the unique users. Playing a little with Linux gave me the following output.
User test was granted access.
User booches was granted access.
User rene was granted access.
User testuser was granted access.
User testuser1 was granted access.
It isn’t perfect, but it is good enough for me. The original log file is called log.txt and the output is written to a file called users.txt. I used the following command to accomplish the output above.
cat log.txt | cut –d: –f11 | sed ‘s/BOOCHES\\//g’ | sort | uniq >> users.txt
Cat prints the file log.txt to the screen. The –d parameter with cut determines the delimiter and –f selects the column to print. With sed I search for the string “BOOCHES\” and replace the sting with nothing (//). Everything is sorted with sort and all duplicate entries are removed with uniq. The output is written to the file users.txt.
Simple and effective!!!
Security is getting more and more important for people. I notice that especially IT manager would like to implement some kind of security measurements to improve the safety of their network and data. Lately I have been busy with configuring a Juniper SA solution. The customer wants to publish different kind of services through the Juniper SA to his employees or suppliers. Example of these services are file sharing and full IPSec tunnels. When using file sharing and full IPSec tunnels, the use of a virus scanner is arbitrary for all workstations connecting to the customers network through the Juniper. Juniper provides an option to configure a Host Checker to check if the client has a (specific) virus scanner. This kind of predefined check only works with Windows clients.
I wanted to configure a predefined Host Checker for all the Windows clients connecting to the Juniper SA box. The configured policy checks all Windows clients on a, by Juniper supported, virus scanner. This works perfectly, but I noticed at all Linux and Mac OS X users weren’t able to connect anymore. When configuring a Host Checker policy for Windows, you also have to configure a policy for other OS-users, like Linux and Mac OS X.
I didn’t know which policy to configure for these users, because the outcome of the policy check should be positive at all times. I have the option to check the presence of a specific file. This gave me the idea to configure a dummy file check for Linux and Mac OS X clients. The dummy file check has the following properties:
The policy checks the presence of the file mac_dummy_file. To pass the host checker test, the file should NOT be present of the client. I configured a similar rule for Linux clients. By configuring the policy like this, all Windows clients are checked on the presence of a virus scanner and the Linux and Mac OS X hosts are checked on the dummy file. Normally, the dummy file doesn’t exist on the specific Linux / Mac OS X clients, so they are always allowed access to the Juniper.
I guess it’s a nice workaround….