Sentinel Chicken Networks  

GrokEVT Project Goals

This project is driven by three goals, in order: correctness, simplicity of use, and speed.

When I started this project, I could find no other projects or products that could fully parse event logs and generate coherent output from Linux. I decided to write one, so I would be able to obtain information from event logs during forensic investigations from Linux, without having to restore the image, or copy the event logs to another windoze box (which doesn't always work, btw).

The most important goal of the project is to produce correct output, which matches what is really there. This is essential for investigations, obviously. It must also be simple to use, both at the command line and from scripts run by forensic suites. Speed is also desirable, as event logs can become very large if they aren't rotated.

The more immediate goals for the next release are:

  • Introduce test suite to test deliberately corrupt/random logs.
  • Move more functionality into a library and design a more coherent API.
  • Log warnings generated by builddb to the database for future reference.
  • Add utility to convert output to more readable CSV.

And some goals for future releases:

  • Add SID->user name conversion.
  • Test Unicode support on different guest/host language environments.
  • Possibly add support for Vista®'s XML log files.
