RE: [Full-disclosure] Windows 2003 Logging/Log Analysis Tool

From: Vernocchi, Pablo (pablo_at_vernocchi.com.ar)
Date: 11/17/05

  • Next message: MadHat: "Re: [Full-disclosure] Windows 2003 Logging/Log Analysis Tool"
    To: "'Castigliola, Angelo'" <ACastigliola@unumprovident.com>, <full-disclosure@lists.grok.org.uk>
    Date: Thu, 17 Nov 2005 17:55:40 -0300

    Mmm... AFAIK MOM is more than that (also costs MUCH MORE than that :) )...

    Here you'll find more info:
    http://www.microsoft.com/mom/evaluation/overview/default.mspx
    And FAQ http://www.microsoft.com/mom/evaluation/faqs/default.mspx

    Feature / Description

    Operator Console
     The Operator Console provides you with a view into the health of your
    systems, indicates problems, and recommends resolutions. You can even add
    company-specific troubleshooting information. Its multi-paned view allows
    you to easily see the information necessary to resolve a problem without
    having to open various windows or dialog boxes.

    Reporting Console
     The Reporting Console allows you to view event, alert, and performance
    reports from a Web browser. It lets you subscribe to favorite reports and
    automatically receive new versions as they change.

    Tasks and Diagnostics
     MOM 2005 allows you to define, export, import, and launch context-sensitive
    tasks and diagnostics. The tasks can run on the console, the server, or at
    the agent. These tasks include pinging a machine, flushing a DNS cache, or
    removing lingering objects from Active Directory.

    Auto-Alert Resolution
     Auto Alert Resolution enables the agent to automatically update the MOM
    database when an alert has been corrected without operator intervention.

    Instance-Aware Monitoring
     MOM 2005 recognizes and monitors specific instances within a system. For
    example, it identifies specific databases within SQL Server, not just SQL
    Server in general. This allows monitoring to be more detailed.

    Responses Before Alert Suppression
     Responses to an alert can be executed by the agent prior to the alert being
    suppressed.

    Deployment

    Agentless Monitoring
     MOM 2005 monitors agentless servers. This is aimed at IT environments where
    agents could not be installed on a few exception nodes. Agentless monitoring
    is limited to status monitoring only.

    Reporting

    Richer Reporting
     By utilizing SQL Server 2000 Reporting Services, MOM 2005 can provide
    highly customized reports. Reports can be easily exported to Microsoft
    Excel, Adobe Acrobat, HTML, TIFF, CSV, or XML file formats.

    Report Customization
     Reports can be created and tailored through Visual Studio .NET.

    Non-Microsoft Interoperability

    MOM Connector Framework
     MOM Connector Framework is a Web service that enables bi-directional
    communication between multiple MOM instances and non-Microsoft management
    systems to share data and resolve problems more easily across an enterprise.

    -----Original Message-----
    From: full-disclosure-bounces@lists.grok.org.uk
    [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Castigliola,
    Angelo
    Sent: Thursday, 17 November 2005 04:26 p.m.
    To: full-disclosure@lists.grok.org.uk
    CC: Fielder, Kevin (GE Consumer Finance); full-disclosure@lists.grok.org.uk
    Subject: RE: [Full-disclosure] Windows 2003 Logging/Log Analysis Tool

    As MadHat already suggested: for free tools I found that Snare
    (http://www.intersectalliance.com/projects/index.html) was the best;
    however, it lacks good notification features such as email or desktop
    alerts that inform you there is a problem. You basically need to
    monitor Snare's output.

    EventSentry light (http://www.eventsentry.com/downloads_eslight.php) is
    another free tool that will allow you to monitor one server's event logs
    and will send you a scheduled daily email that summarizes events that
    occurred that you specify in the filter. Not real good if you are
    looking for real time notification.

    Like everyone else has suggested it seems like the best/more common
    approach to do this low-cost is to deploy a syslog server with open
    source tools such as http://sourceforge.net/projects/logcheck/ to
    monitor and send emails when a specific event is logged.

    As for MS MOM, I believe this tool is more for monitoring the
    availability of network resources and lets you know when something is
    down, like Big Brother. I just got my copy of MOM and plan on deploying
    it on my home LAN soon.
     
    Please let me know if you do find a free tool that will monitor the Windows
    event log and send out email notifications when a specific event occurs.

    Angelo Castigliola III
    Enterprise Security Architecture
    UnumProvident

    -----Original Message-----
    From: full-disclosure-bounces@lists.grok.org.uk
    [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Michael
    Holstein
    Sent: Thursday, November 17, 2005 11:50 AM
    To: full-disclosure@lists.grok.org.uk
    Subject: Re: [Full-disclosure] Windows 2003 Logging/Log Analysis Tool

    > I'm looking for recommendations on what are the better log analysis
    > software packages around that're capable of generating good logs for:
    >
    > * IIS 6.0
    > * NetApp NetCache 5.x
    > * Microsoft ISA RRAS
    >
    > Are there also Log Agents available for System so that all the logs are
    > contributed to a Centralized Log Server?

    My favorite way to do this is just send it via syslog to a UNIX box,
    then use grep/perl/whatever to post-process it. If you use syslog-ng you
    can put the events into MySQL which opens some additional possibilities.

    Best way to get windows logs (event logs, text based files, etc) is
    EventReporter (www.adiscon.de). It's cheap .. $30/license I think.

    Regards,

    Michael Holstein CISSP GCIA
    Cleveland State University
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
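The approach the thread keeps coming back to (Michael: ship the Windows event log over syslog and post-process it; Angelo: alert by email when a specific event is logged) is easy to sketch in a few dozen lines. The following is an added example, not code from any poster or from Snare, EventReporter or MOM. It assumes a Snare-style agent that emits one tab-delimited syslog message per event, in the field order shown in the code (treat that order as an assumption and check it against your own agent's output), and it uses the Windows 2003 / pre-Vista Security log event IDs (517 audit log cleared, 529 failed logon, 624 account created, 636 member added to a global group). The sample lines are constructed, and the e-mail addresses are placeholders. It goes one step beyond the thread's "alert on event X" by also counting failed logons per workstation inside a sliding window, so a password-guessing burst produces one alert rather than one mail per failure.

```python
"""Alert on specific Windows events forwarded over syslog (added example,
not code from this thread; Snare field order and event IDs are assumptions)."""
import re
import smtplib
from collections import defaultdict, deque
from datetime import datetime
from email.message import EmailMessage

# Assumed Snare tab-delimited field order; check it against your agent's output.
SNARE_FIELDS = ["host", "tag", "criticality", "log", "counter", "time",
                "event_id", "source", "user", "sid_type", "type", "computer",
                "category", "data", "expanded", "checksum"]
# Pre-Vista Security log IDs that warrant an immediate notification.
SINGLE_SHOT = {517: "Audit log cleared", 624: "User account created",
               636: "Member added to security-enabled global group"}
FAILED_LOGON = 529                  # unknown user name or bad password
THRESHOLD, WINDOW_SECONDS = 5, 60   # N failures from one workstation in W seconds

SYSLOG_RE = re.compile(r"^<\d{1,3}>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (?P<msg>.*)$")
WORKSTATION_RE = re.compile(r"Workstation Name:\s*(\S+)")

def parse_line(line):
    """Return a dict for a Snare-style Windows event line, else None."""
    m = SYSLOG_RE.match(line)
    parts = m.group("msg").split("\t") if m else []
    if len(parts) < 14 or parts[1] != "MSWinEventLog":
        return None
    rec = dict(zip(SNARE_FIELDS, parts))
    try:
        rec["event_id"] = int(rec["event_id"])
        rec["when"] = datetime.strptime(rec["time"], "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return rec

class Detector:
    """Single-event rules plus a sliding-window count of failed logons."""
    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)   # workstation -> 529 timestamps
        self.alerts = []

    def feed(self, line):
        rec = parse_line(line)
        if rec is None:
            return None
        eid = rec["event_id"]
        if eid in SINGLE_SHOT:
            return self._alert(rec, SINGLE_SHOT[eid])
        if eid == FAILED_LOGON:
            m = WORKSTATION_RE.search(rec["data"])
            src = m.group(1) if m else rec["host"]
            q = self.failures[src]
            q.append(rec["when"])
            while (q[-1] - q[0]).total_seconds() > self.window:
                q.popleft()          # forget failures that fell out of the window
            if len(q) >= self.threshold:
                q.clear()            # suppress repeats: one alert per burst
                return self._alert(rec, f"{self.threshold} failed logons from "
                                        f"{src} within {self.window}s")
        return None

    def _alert(self, rec, why):
        alert = {"host": rec["host"], "event_id": rec["event_id"],
                 "user": rec["user"], "when": rec["when"], "why": why}
        self.alerts.append(alert)
        return alert

def build_email(alert, sender="logwatch@example.invalid", to="soc@example.invalid"):
    """Format an alert as an e-mail; addresses are placeholders."""
    msg = EmailMessage()
    msg["Subject"] = f"[winlog] {alert['host']} event {alert['event_id']}: {alert['why']}"
    msg["From"], msg["To"] = sender, to
    msg.set_content("\n".join(f"{k}: {v}" for k, v in alert.items()))
    return msg

def send_email(msg, smtp_host="localhost"):
    """Hand the message to a local MTA; not exercised by the sample run."""
    with smtplib.SMTP(smtp_host) as s:
        s.send_message(msg)

def snare_line(host, eid, etype, user, data, when, category="Logon/Logoff"):
    """Constructed sample line in the assumed Snare layout (syslog PRI 14)."""
    fields = [host, "MSWinEventLog", "1", "Security", "17", when, str(eid),
              "Security", user, "User", etype, host, category, data, "", "0"]
    return f"<14>{when[4:19]} {host} " + "\t".join(fields)

FAIL = "Logon Failure: Reason: Unknown user name or bad password User Name: {} Workstation Name: {}"
# Constructed traffic: a 5-try burst from PC42, an audit-log clear, one non-Windows line.
SAMPLE = [snare_line("DC1", 529, "Failure Audit", "NT AUTHORITY\\SYSTEM",
                     FAIL.format("Administrator", "PC42"), f"Thu Nov 17 17:55:{s:02d} 2005")
          for s in (10, 12, 15, 17, 20)] + [
    snare_line("DC1", 517, "Success Audit", "CORP\\bob", "The audit log was cleared",
               "Thu Nov 17 17:59:30 2005", category="System Event"),
    "<13>Nov 17 17:59:31 DC1 not a Windows event at all"]

def run(lines=SAMPLE):
    """Feed every line through the detector and return the alerts raised."""
    det = Detector()
    for ln in lines:
        det.feed(ln)
    return det.alerts
```

Running `run()` on the constructed sample yields two alerts: one for the fifth 529 from PC42 (the four earlier failures are counted but not mailed) and one for the 517. Pointing it at a real syslog-ng or rsyslog file is a matter of tailing the file and calling `Detector.feed` per line, then `send_email(build_email(alert))`; the window and threshold are the knobs to tune so that a user mistyping a password twice does not page anyone.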


