RE: Windows Event Logs
From: Levinson, Karl (LevinsonK_at_STARS-SMI.com)
Date: 06/20/03
- Previous message: Hardee, Chris: "RE: Filtering DHCP Assignments by MAC Address"
- Maybe in reply to: Floyd Russell: "Windows Event Logs"
- Next in thread: Floyd Russell: "RE: Windows Event Logs"
- Reply: Floyd Russell: "RE: Windows Event Logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: 'Floyd Russell' <floyd@neospire.net>, focus-ms@securityfocus.com
Date: Fri, 20 Jun 2003 11:52:16 -0400
Not exactly. Native IP logging in Windows was not introduced until Windows
2003 Server and to some extent XP [via the included ICF firewall]. As far
as I know, you would need to either upgrade your version of Windows or add
some third party hardware or software tool that logs IP addresses. A hardware
or software firewall or IDS such as www.sygate.com or www.snort.org could be
one way to do this [you could even configure the firewall to just log and
not block any traffic, if you prefer].
You would still have to manually correlate the IP logs with the Windows
security logs. This would require that the time always be synched in both
logs, and if there is a lot of similar network traffic being reported
simultaneously, you could have problems logging everything you need or
correctly correlating log entries.
One thing that might make log correlation easier could be to combine the IP
logs and the Windows security logs into one log file. One way to do this
would be to send all your events to a syslog client like www.kiwisyslog.com
or others. To send windows event logs to syslog, there is a program called
NTSYSLOG, search www.google.com to find it. I believe it's free.
www.kiwisyslog.com is another inexpensive possibility for doing this.
Another solution is at http://www.winsyslog.com/en/ You'd want the
Professional version which is not free.
If you log to a remote system, this has the advantage of being able to
remotely view multiple systems and make it harder for an attacker to delete
log files from a compromised host. However, someone could potentially get
sensitive data from your log files by sniffing the wire [you might choose to
set up an encrypted tunnel of some sort to try to reduce this risk]. I
suppose this could also generate a lot of extra network traffic depending on
how much you're logging. And theoretically someone could try to generate
extra log events to do a denial of service or disable your logging.
-----Original Message-----
From: Floyd Russell [mailto:floyd@neospire.net]
Sent: Thursday, June 19, 2003 2:28 PM
To: focus-ms@securityfocus.com
Subject: [despammed] Windows Event Logs
In my years of admining windows servers the event logs have always been
frustratingly incomplete. This is especially true with the Security logs.
For example if an attempted logon fails, it records the event, but seemingly
nothing else of importance like an IP.
Are there any tools out there that either allow admins a finer control over
what activities happen on the host or any that can pull such information
from the event logs?
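The correlation step Karl describes above (matching a failed-logon event that carries no IP against a separate firewall log by timestamp, with synced clocks, and the trouble that "a lot of similar network traffic" causes) can be shown in a few dozen lines. The script below is an added example written for this archive page; it is not code from the original message, from NTSyslog, Kiwi, WinSyslog, Sygate or Snort. The Windows event lines, the firewall log lines, the host name SERVER1 and the address 192.168.1.10 are all constructed for illustration; the firewall line format is made up and is not any real product's format. Event IDs 529 (logon failure) and 528 (successful logon) are the NT4/2000/XP security log IDs, and the syslog line follows the RFC 3164 layout.

```python
"""Correlate Windows failed-logon events (which carry no client IP) with a
host-firewall connection log by timestamp, and flag the two failure modes the
thread warns about: an unknown clock offset between the two logs, and several
similar connections arriving in the same window (ambiguous attribution)."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample data (not real NTSyslog, Sygate or Snort output).
# Windows security log lines after forwarding: time, event id, account and
# workstation name are present; the client IP is not, which is the problem.
WIN_EVENTS = """\
2003-06-19 14:28:05 EventID=529 User=floyd Workstation=LAPTOP7
2003-06-19 14:30:10 EventID=529 User=administrator Workstation=UNKNOWN
2003-06-19 14:31:00 EventID=529 User=administrator Workstation=UNKNOWN
2003-06-19 14:31:30 EventID=528 User=floyd Workstation=LAPTOP7
"""

# Constructed host-firewall log from the same server in "log only" mode.
FW_LOG = """\
2003-06-19 14:28:03 ALLOW TCP 10.1.2.3:1045 -> 192.168.1.10:139
2003-06-19 14:30:08 ALLOW TCP 10.1.2.99:2234 -> 192.168.1.10:139
2003-06-19 14:30:59 ALLOW TCP 10.1.2.99:2235 -> 192.168.1.10:139
2003-06-19 14:30:59 ALLOW TCP 10.1.2.77:3300 -> 192.168.1.10:139
2003-06-19 14:30:59 ALLOW TCP 10.1.2.50:4000 -> 192.168.1.10:80
"""

WinEvent = namedtuple("WinEvent", "time event_id user workstation")
FwEntry = namedtuple("FwEntry", "time src_ip dst_port")
TS = "%Y-%m-%d %H:%M:%S"
WIN_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) User=(\S+) Workstation=(\S+)$")
FW_RE = re.compile(r"^(\S+ \S+) \w+ \w+ ([\d.]+):\d+ -> [\d.]+:(\d+)$")

FAILED_LOGON = 529        # NT4/2000/XP: logon failure, bad user name or password
LOGON_PORTS = {139, 445}  # SMB ports where network logons to a file server arrive


def parse_win(text):
    out = []
    for line in text.splitlines():
        m = WIN_RE.match(line)
        if m:
            out.append(WinEvent(datetime.strptime(m.group(1), TS),
                                int(m.group(2)), m.group(3), m.group(4)))
    return out


def parse_fw(text):
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            out.append(FwEntry(datetime.strptime(m.group(1), TS),
                               m.group(2), int(m.group(3))))
    return out


def correlate(win_events, fw_entries, window=timedelta(seconds=5),
              fw_clock_offset=timedelta(0)):
    """Attribute each failed logon to the source IP(s) seen connecting to a
    logon port during the `window` just before the event.  `fw_clock_offset`
    is added to firewall timestamps to line them up with the Windows clock;
    if the hosts are not time-synced and the offset is unknown, matching
    silently fails, which is why the thread insists on synced clocks."""
    results = []
    for ev in win_events:
        if ev.event_id != FAILED_LOGON:
            continue
        ips = sorted({
            fw.src_ip for fw in fw_entries
            if fw.dst_port in LOGON_PORTS
            and ev.time - window <= fw.time + fw_clock_offset <= ev.time
        })
        if len(ips) == 1:
            verdict = "matched"
        elif ips:
            verdict = "ambiguous"   # several candidate clients in the window
        else:
            verdict = "unmatched"   # clock skew, dropped log line, or wrong port
        results.append((ev.time.strftime(TS), ev.user, verdict, ips))
    return results


def to_syslog(ev, hostname="SERVER1"):
    """Render a Windows event as an RFC 3164 line for a central syslog box.
    PRI 36 = facility auth (4) * 8 + severity warning (4)."""
    stamp = "%s %2d %s" % (ev.time.strftime("%b"), ev.time.day,
                           ev.time.strftime("%H:%M:%S"))
    return "<36>%s %s Security: EventID=%d User=%s Workstation=%s" % (
        stamp, hostname, ev.event_id, ev.user, ev.workstation)


if __name__ == "__main__":
    for row in correlate(parse_win(WIN_EVENTS), parse_fw(FW_LOG)):
        print(row)
    print(to_syslog(parse_win(WIN_EVENTS)[0]))
```

Run as-is, the first two failed logons attribute cleanly to 10.1.2.3 and 10.1.2.99, while the third is reported as ambiguous because two different clients hit port 139 in the same second; that is the case where a host firewall log alone cannot tell you who tried the password. Passing a wrong fw_clock_offset (say ten minutes) leaves every event unmatched, which is what an unsynced clock looks like in practice.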