Perfmon .blg file specification / parsing library

Where can I find a detailed, low-level spec for the Perfmon binary开发者_开发百科 .blg file format? Or even better, has anyone written a low level, open source library (preferably in C, but any language would do) for parsing .blg files?

There's a tool called relog that can convert these files to csv or other formats.

http://blog.bennett-scharf.com/2008/12/17/converting-an-existing-perfmon-blg-file-to-csv/

Link

Link

This won't help for looking at historical data, but if you have access to the systems running Perfmon, you may want to look at Logman. With Logman you can set performance counters AND specify the output format, that way you can just chose a format that is easy to parse. See the -f option:

-f { bin | bincirc | csv | tsv | SQL } : Specifies the file format used for collecting performance counter and trace data. You can use binary, circular binary, comma and tab separated, or SQL database formats when collecting performance counters.

As others have said if you also have historical records you need to parse you can use the Relog utility to convert existing .blg files in to a more useful format.

Another option is to export the perfmon Data Collection Set as a template, and change the log file format in the XML - look for the LogFileFormat tag and change the value to the format of your preference

0 = CSV, 1 = TSV, 2 = SQL, 3 = the default binary format.

I was looking for a way to incorporate PerfMon data into a SIEM, and found that getting perfmon to log to a SQL DB (and reading the data from a SQL view, from the SIEM agent) was the best way of doing this.

I can't say much about other products, but in LogRhythm SIEM, you need a "UDLA" (universal database log adapter) log source for it - and if you want to parse/contextualise the metadata, you'll need some parsing rules (ie regex) for what the query returns.

It's useful to see things like "if there's x number of logon errors, AND Avail MBytes is less than 100, THEN trigger alarm/AIEngine rule 'Insufficient Memory to Process Logons'".

That's a pretty lame example, but you get the idea.

You might also look at other things which have a potentially malicious explanation, and also a benign explanation.
For example - if you see a large amount of failed attempts to reset passwords, this might usually indicate some malicious behaviour - but not if you see the perfmon counters telling you that the Domain Controller has a total of less than 1,000 free system PTEs (admittedly unlikely on a 64-bit OS), or is seeing CPU usage of more than 95%. In which case, it's not necessarily a security issue, it's a load/capacity issue - or something is very wrong with your DC.