RE: Windows Event Logs

From: Floyd Russell (floyd_at_neospire.net)
Date: 06/20/03

    To: <focus-ms@securityfocus.com>
    Date: Fri, 20 Jun 2003 11:25:21 -0500
    
    

    Just to expound upon this I was wondering if anyone knew of any tools that
    would be able to translate what is recorded in the Security Audits to real
    life events. For example, the following entry:

    Object Open:
             Object Server: Security Account Manager
             Object Type: SAM_DOMAIN
             Object Name: *********
             New Handle ID: 663040
             Operation ID: {0,9435828}
             Process ID: 284
             Primary User Name: ********$
             Primary Domain: **********
             Primary Logon ID: (0x0,0x3E7)
             Client User Name: *********$
             Client Domain: ***********
             Client Logon ID: (0x0,0x3E7)
             Accesses GetLocalGroupMembership
                            LookupIDs

             Privileges -

    I mean honestly, wtf does that mean? So I guess my broader question is what
    tools have people found useful in extracting meaning from Windows Security
    event logs?

    |> -----Original Message-----
    |> From: Levinson, Karl [mailto:LevinsonK@STARS-SMI.com]
    |> Sent: Friday, June 20, 2003 10:52 AM
    |> To: 'Floyd Russell'; focus-ms@securityfocus.com
    |> Subject: RE: Windows Event Logs
    |>
    |>
    |> Not exactly. Native IP logging in Windows was not introduced until Windows
    |> 2003 Server and to some extent XP [via the included ICF firewall]. As far
    |> as I know, you would need to either upgrade your version of Windows or add
    |> some third party hardware or software tool that logs IP address. A hardware
    |> or software firewall or IDS such as www.sygate.com or www.snort.org could be
    |> one way to do this [you could even configure the firewall to just log and
    |> not block any traffic, if you prefer].
    |>
    |> You would still have to manually correlate the IP logs with the Windows
    |> security logs. This would require that the time always be
    |> synched in both
    |> logs, and if there is a lot of similar network traffic being reported
    |> simultaneously, you could have problems logging everything you need or
    |> correctly correlating log entries.
    |>
    |> One thing that might make log correlation easier could be to combine the IP
    |> logs and the Windows security logs into one log file. One way to do this
    |> would be to send all your events to a syslog client like www.kiwisyslog.com
    |> or others. To send Windows event logs to syslog, there is a program called
    |> NTSYSLOG, search www.google.com to find it. I believe it's free.
    |> www.kiwisyslog.com is another inexpensive possibility for doing this.
    |> Another solution is at http://www.winsyslog.com/en/ You'd want the
    |> Professional version which is not free.
    |>
    |> If you log to a remote system, this has the advantage of being able to
    |> remotely view multiple systems and make it harder for an attacker to delete
    |> log files from a compromised host. However, someone could potentially get
    |> sensitive data from your log files by sniffing the wire [you might choose to
    |> set up an encrypted tunnel of some sort to try to reduce this risk]. I
    |> suppose this could also generate a lot of extra network traffic depending on
    |> how much you're logging. And theoretically someone could try to generate
    |> extra log events to do a denial of service or disable your logging.
    |>
    |>
    |>
    |> -----Original Message-----
    |> From: Floyd Russell [mailto:floyd@neospire.net]
    |> Sent: Thursday, June 19, 2003 2:28 PM
    |> To: focus-ms@securityfocus.com
    |> Subject: [despammed] Windows Event Logs
    |>
    |>
    |> In my years of admining Windows servers the event logs have always been
    |> frustratingly incomplete. This is especially true with the Security logs.
    |> For example if an attempted logon fails, it records the event, but seemingly
    |> nothing else of importance like an IP.
    |> Are there any tools out there that either allow admins a finer control over
    |> what activities happen on the host or any that can pull such information
    |> from the event logs?
    |>
    |>
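
As an added example (not code from this thread or from any tool it names), a small parser for the "Object Open" entry quoted in the post above, turning its indented fields into a dict and restating in words what the entry records. It assumes two Windows conventions: logon ID (0x0,0x3E7) is the reserved SYSTEM session, and a user name ending in $ is a computer account.

```python
import re
# Constructed sample: the audit entry quoted in the post, masked fields left masked
SAMPLE_EVENT = """\
Object Open:
         Object Server: Security Account Manager
         Object Type: SAM_DOMAIN
         Object Name: *********
         Process ID: 284
         Primary User Name: ********$
         Primary Domain: **********
         Primary Logon ID: (0x0,0x3E7)
         Client User Name: *********$
         Client Domain: ***********
         Client Logon ID: (0x0,0x3E7)
         Accesses GetLocalGroupMembership
                        LookupIDs
         Privileges -
"""
# Logon session IDs (LUIDs) that Windows reserves for its built-in service accounts
WELL_KNOWN_LOGON_IDS = {0x3E7: "SYSTEM", 0x3E5: "LOCAL SERVICE", 0x3E4: "NETWORK SERVICE"}

def parse_object_open(text):
    """Turn the indented 'Key: Value' block into a dict; Accesses/Privileges become lists."""
    event, current_list = {}, None
    for line in (l.strip() for l in text.splitlines()[1:]):  # skip the 'Object Open:' title
        m = re.match(r"^(Accesses|Privileges)\s+(.*)$", line)
        if m:  # list header; a lone '-' means the list is empty
            current_list = m.group(1)
            event[current_list] = [] if m.group(2) == "-" else [m.group(2)]
        elif ":" in line:  # ordinary 'Key: Value' field
            key, _, value = line.partition(":")
            event[key.strip()] = value.strip()
            current_list = None
        elif line and current_list:  # continuation line of the current list
            event[current_list].append(line)
    return event

def logon_id_value(logon_id):  # '(0x0,0x3E7)' is a 64-bit LUID written as (high, low)
    high, low = re.match(r"\((0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)", logon_id).groups()
    return (int(high, 16) << 32) | int(low, 16)

def explain(event):  # one readable sentence describing who opened what in the SAM
    luid = logon_id_value(event["Client Logon ID"])
    session = WELL_KNOWN_LOGON_IDS.get(luid, "logon session %#x" % luid)
    user = event["Client User Name"] + (" (computer account)" if event["Client User Name"].endswith("$") else "")
    return ("process %s, running as %s in the %s logon session, opened %s object '%s' on the %s with accesses: %s" % (
        event["Process ID"], user, session, event["Object Type"], event["Object Name"],
        event["Object Server"], ", ".join(event["Accesses"])))
```

For the quoted entry this yields: process 284, running as a computer account in the SYSTEM logon session, opened a SAM_DOMAIN object on the Security Account Manager with GetLocalGroupMembership and LookupIDs access.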


