|
In follow up to yesterday's discussion re invoking OS commands with R's system function, I wanted to show you just a bit of how straightforward it is to then use the resulting data. After grabbing the Windows security event log with a call to Log Parser and writing it out to CSV, you have numerous options driven by what's interesting to you. Perhaps you're interested in counts per Event ID to say what your Top 10 events are. The issue is, that Log Parser just grabbed all of the security event log, which results in large, unwieldy CSV that includes large message data entries. No big deal, reduce the raw CSV to only data you need. As an example: secevt <- read.columns("security.csv",c("EventID","TimeWritten","EventTypeName","Message"), sep=",") This writes the EventID, TimeWritten, EventTypeName, Message columns into a new data frame, the contents of which are stored in secevt,the other 11 columns are no longer cluttering to the in-memory data set. Want to count Event IDs? ct <- count(secevt$EventID) Result snippet: x freq Want to sort that count decreasing by frequency? srt <- ct[order(ct$freq, decreasing = TRUE), ] Now to return the Top 10 specifically: top10 <- head(srt,10) Result snippet: x freq Bam, fast and flexible. My security event log has 81,437 Event ID 4703 (A user right was adjusted) entries, these parsed quickly from 118,154 total entries (147MB local file). How about visualizations of that same data? Yep, it all starts with something as simple as barplot(top10$freq,top10$x).
Hopefully you're intrigued regarding options and available capabilities here. Feel free to comment or email me if you'd like further information or resources with which to start exploring R. Cheers.
|
Russ McRee 204 Posts ISC Handler Jul 31st 2015 |
| Thread locked Subscribe |
Jul 31st 2015 6 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
