Description
Programmer prerequisites: Microsoft technologies such as Active Directory and Event Logs
Scope
- A library to read Microsoft Event Logs, using a login to fetch one or more event logs either locally or remotely
- Each use of the library generates a single audit event, regardless of whether one or many event logs are returned
- Must produce CSV and JSON output
- Must be usable from both Windows-based and Linux-based applications
- Required to handle 5000 event log records per second
Requirements
- Input Parameters
= A username and password to authenticate locally or remotely to a Windows machine
= Filter for one or more event IDs (ideally passed in as a list, e.g. an array)
= The start RecordNumber (passing nothing means the first record in the log)
= The end RecordNumber (passing nothing means the most recent record in the log)
= The source of the event log (e.g. APPLICATION, SYSTEM, SECURITY, etc.)
= Output format (CSV or JSON)
= The path of the CSV/JSON output file; if none is given, write to stdout. CSV output is a pipe (|) delimited file with one record per line; otherwise JSON output
= Debug flag. Write all steps and messages to the file specified by this parameter (for example: debug => '/tmp/debug.txt')
- Output
= Success / failure indication
= CSV or JSON output
= Any error message(s) generated
= The last (i.e. most recent) RecordNumber read
= Description of each record in the JSON or CSV file. Fields with no comment are returned as-is:
+ TimeGenerated
- must be converted to unixtime epoch
+ RecordNumber
+ User
- Needs a lookup to convert the SID to an account name, similar to the Perl Win32::LookupAccountSID function. The required output is DOMAIN\USERNAME format
+ Computer
- The computer name is returned, but the IP address is wanted instead
+ EventID
+ EventLog
- Result as an integer so it can be enumerated
+ Length
+ TimeWritten
- Must be converted to a unixtime epoch
+ Message
+ EventType
+ Strings
+ Source
- Result as an integer so it can be enumerated
+ Category
+ Data
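The input-parameter filters and the per-field conversions above are easiest to check with a small reference implementation. The following is an added example written for this spec, not code belonging to the project: it takes raw event records already read from the log, applies the event-ID and RecordNumber filters, performs the three conversions the field list asks for (timestamps to Unix epoch, SID to DOMAIN\USERNAME, computer name to IP address), enumerates EventLog and Source as integers, and emits either pipe-delimited CSV or JSON. The raw record layout, the sample records, the SID and host lookup tables, and the EventLog enumeration values are all constructed assumptions; on a real system the lookups would call the Win32 APIs the spec refers to.

```python
import json
from datetime import datetime, timezone

# Field order required by the spec.
FIELDS = ["TimeGenerated", "RecordNumber", "User", "Computer", "EventID",
          "EventLog", "Length", "TimeWritten", "Message", "EventType",
          "Strings", "Source", "Category", "Data"]

# Assumed enumeration values for the EventLog field (the spec fixes none).
EVENTLOG_ENUM = {"APPLICATION": 1, "SYSTEM": 2, "SECURITY": 3}

# Constructed stand-ins (assumptions) for LookupAccountSID and a DNS lookup.
SID_TO_ACCOUNT = {"S-1-5-21-1111-2222-3333-1001": ("CORP", "alice")}
HOST_TO_IP = {"WKS01": "10.0.0.25"}

# Constructed sample records in the shape a Win32 event log reader might return.
SAMPLE_RAW = [
    {"RecordNumber": 101, "EventID": 4625,
     "TimeGenerated": datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc),
     "TimeWritten": datetime(2024, 1, 15, 12, 0, 5, tzinfo=timezone.utc),
     "Sid": "S-1-5-21-1111-2222-3333-1001", "ComputerName": "WKS01", "Length": 312,
     "Message": "An account failed to log on | bad password\nSee details.",
     "EventType": 16, "StringInserts": ["alice", "CORP"],
     "SourceName": "Microsoft-Windows-Security-Auditing", "EventCategory": 12544, "Data": ""},
    {"RecordNumber": 102, "EventID": 4624,
     "TimeGenerated": datetime(2024, 1, 15, 12, 1, 0, tzinfo=timezone.utc),
     "TimeWritten": datetime(2024, 1, 15, 12, 1, 0, tzinfo=timezone.utc),
     "Sid": "S-1-5-21-1111-2222-3333-1001", "ComputerName": "WKS01", "Length": 298,
     "Message": "An account was successfully logged on.", "EventType": 8,
     "StringInserts": ["alice", "CORP"],
     "SourceName": "Microsoft-Windows-Security-Auditing", "EventCategory": 12544, "Data": ""},
]


def to_epoch(dt):
    """Integer Unix epoch seconds; naive datetimes are assumed to be UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def sid_to_account(sid):
    """DOMAIN\\USERNAME for known SIDs; unknown SIDs are passed through unchanged."""
    domain, name = SID_TO_ACCOUNT.get(sid, ("", sid))
    return f"{domain}\\{name}" if domain else name


class SourceEnum:
    """Assigns a stable integer to each distinct Source name seen in one run."""
    def __init__(self):
        self._ids = {}

    def id_for(self, name):
        return self._ids.setdefault(name, len(self._ids) + 1)


def normalise(raw, log_name, source_enum):
    """Map one raw record onto the spec's field list, applying the conversions."""
    return {
        "TimeGenerated": to_epoch(raw["TimeGenerated"]),
        "RecordNumber": raw["RecordNumber"],
        "User": sid_to_account(raw["Sid"]),
        "Computer": HOST_TO_IP.get(raw["ComputerName"], raw["ComputerName"]),
        "EventID": raw["EventID"],
        "EventLog": EVENTLOG_ENUM[log_name.upper()],
        "Length": raw["Length"],
        "TimeWritten": to_epoch(raw["TimeWritten"]),
        "Message": raw["Message"],
        "EventType": raw["EventType"],
        "Strings": raw["StringInserts"],
        "Source": source_enum.id_for(raw["SourceName"]),
        "Category": raw["EventCategory"],
        "Data": raw["Data"],
    }


def select(records, event_ids=None, start=None, end=None):
    """Event-ID list filter plus inclusive RecordNumber range; None means no bound."""
    out = []
    for r in records:
        n = r["RecordNumber"]
        if event_ids is not None and r["EventID"] not in event_ids:
            continue
        if (start is not None and n < start) or (end is not None and n > end):
            continue
        out.append(r)
    return out


def _csv_cell(value):
    # Escape the delimiter and line breaks: Message text is partly
    # attacker-influenced, so it must not be able to split or forge a record.
    text = value if isinstance(value, str) else json.dumps(value)
    return (text.replace("\\", "\\\\").replace("|", "\\|")
                .replace("\r", "\\r").replace("\n", "\\n"))


def to_csv_line(rec):
    return "|".join(_csv_cell(rec[f]) for f in FIELDS)


def run(raw_records, log_name, event_ids=None, start=None, end=None, fmt="CSV"):
    """Return (success, output text, error messages, last RecordNumber read)."""
    if log_name.upper() not in EVENTLOG_ENUM:
        return False, "", [f"unknown event log: {log_name}"], None
    enum = SourceEnum()
    recs = [normalise(r, log_name, enum) for r in select(raw_records, event_ids, start, end)]
    last = recs[-1]["RecordNumber"] if recs else None
    if fmt.upper() == "JSON":
        return True, json.dumps(recs, separators=(",", ":")), [], last
    return True, "\n".join(to_csv_line(r) for r in recs), [], last
```

The caller writes the returned text to the requested path or to stdout. The escaping in `_csv_cell` is what keeps the "one record per line" promise honest: a Message field that contains a `|` or a newline would otherwise shift every later column and could inject a whole extra record into the audit output.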