Method for transforming and consolidating fields in log records from logs generated on different operating systems

US 8,086,650 B1
Filed: 11/02/2007
Issued: 12/27/2011
Est. Priority Date: 06/15/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of translating an event record of an event log into a reconstituted event record, the method comprising acts of:

rendering data contained in the event record into at least one data set;

transforming, on a computer having at least one transformation engine, the at least one data set into at least one transformed data set using the at least one transformation engine including;

a security level transformation engine,a user account transformation engine,a keyword/opcode transformation engine,a category/description transformation engine, andan event identifier transformation engine; and

generating the reconstituted event record from the at least one transformed data set, the reconstituted event record comprising the data contained in the event record in a format that is common to a pre-MICROSOFT WINDOWS®

VISTA operating system event log and a MICROSOFT WINDOWS®

VISTA operating system event log, such that the reconstituted event record can be managed on a computer executing any version of the MICROSOFT WINDOWS®

operating system prior to and including the MICROSOFT WINDOWS®

VISTA operating system;

wherein the category/description transformation engine is operable to query, based on information in the at least one data set, a system registry to locate a message file containing a category message corresponding to a task number associated with the event record; and

wherein the category/description transformation engine is further operable to locate the message file by sequentially applying a series of offset numbers to an event identifier in the event record.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An event log translator for reading and translating, when necessary, the event log records from two distinct event log file formats (e.g. EVT and EVTX formats). Moreover, it is a system for consolidating the log records contained in either of the above formats into a common set of fields, which can be displayed to the user of a computer, exported into different formats (e.g. text files, database tables, etc) or consumed by an event log management system.

46 Citations

View as Search Results

10 Claims

1. A computer-implemented method of translating an event record of an event log into a reconstituted event record, the method comprising acts of:
- rendering data contained in the event record into at least one data set;
  
  transforming, on a computer having at least one transformation engine, the at least one data set into at least one transformed data set using the at least one transformation engine including;
  
  a security level transformation engine,a user account transformation engine,a keyword/opcode transformation engine,a category/description transformation engine, andan event identifier transformation engine; and
  
  generating the reconstituted event record from the at least one transformed data set, the reconstituted event record comprising the data contained in the event record in a format that is common to a pre-MICROSOFT WINDOWS®
  
  VISTA operating system event log and a MICROSOFT WINDOWS®
  
  VISTA operating system event log, such that the reconstituted event record can be managed on a computer executing any version of the MICROSOFT WINDOWS®
  
  operating system prior to and including the MICROSOFT WINDOWS®
  
  VISTA operating system;
  
  wherein the category/description transformation engine is operable to query, based on information in the at least one data set, a system registry to locate a message file containing a category message corresponding to a task number associated with the event record; and
  
  wherein the category/description transformation engine is further operable to locate the message file by sequentially applying a series of offset numbers to an event identifier in the event record.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the reconstituted event record comprises a security level/event type field, an event identifier field, a task/category field, a user account field, and a description field.
  - 3. The method of claim 1, wherein the at least one transformation engine used in the transforming act is selected by a user.
  - 4. The method of claim 1, wherein the at least one transformation engine used in the transforming act is selected based on a file type of the event log, the file type comprising one of an EVT file and an EVTX file.
  - 5. The method of claim 1, wherein the security level transformation engine is operable to determine, in the at least one data set, whether the event record includes a security audit event, and responsive to determining that the event record includes the security audit event generating a string containing a security audit event type including one of “
    - Failure Audit” and
      
      “
      
      Success Audit.”
  - 6. The method of claim 1, wherein the user account transformation engine is operable to identify, in the at least one data set, a user parameter corresponding with the event record, and to determine whether the user parameter is to be placed into the at least one transformed data set by comparing an event identifier associated with the event record to data in an event identification database.
  - 7. The method of claim 1, wherein the keyword/opcode transformation engine is operable to determine, in the at least one data set, whether at least one of a keyword field, an opcode field, and a task data field are in a particular data format, and responsive to determining that the at least one of the keyword field, the opcode field, and the task data field are not in the particular data format, converting the at least one of the keyword field, the opcode field, and the task data field into the particular data format.
  - 8. The method of claim 1, wherein the category/description transformation engine is further operable to convert a description parameter in the at least one data set into a string.
  - 9. The method of claim 1, wherein the event identifier transformation engine is operable to transform an event identifier in the at least one data set into a transformed event identifier based on information contained in an event identifier cross-reference database.
  - 10. The method of claim 1, further comprising returning the reconstituted event record to an event log manager executing on the computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Progress Software Corporation
Original Assignee
Ipswitch Incorporated (Progress Software Corporation)
Inventors
Milford, Robert A.
Primary Examiner(s)
Perveen, Rehana
Assistant Examiner(s)
Hershley, Mark

Application Number

US11/982,586
Time in Patent Office

1,516 Days
Field of Search

707/102, 707/803, 707/804, 707/809, 707/810
US Class Current

707/804
CPC Class Codes

G06F 16/116 Details of conversion of fi...

H04L 43/04 Processing captured monitor...

Method for transforming and consolidating fields in log records from logs generated on different operating systems

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Method for transforming and consolidating fields in log records from logs generated on different operating systems

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links