RE: Event log monitoring

From: Kurt (kurtbuff_at_spro.net)
Date: 10/16/04

    To: <security-basics@securityfocus.com>
    Date: Fri, 15 Oct 2004 16:26:58 -0700
    
    

    The solution(s) I proposed are pretty much roll-your-own setups.

    The benefit is that they are incredibly cheap. Another benefit (if you
    squint just right) is that you'll learn an incredible amount in putting
    it all together, which does indeed mean setting up your own reports,
    etc.

    If you want something that works right out of the box, you might want to
    go fishing at http://loganalysis.org.

    Actually, I'd suggest you go there anyway, as it is quite a good
    resource for lots of this kind of stuff.

    Kurt

    | -----Original Message-----
    | From: Ryan Murphy [mailto:RMurphy@irvinecompany.com]
    | Sent: Friday, October 15, 2004 11:54
    | To: security-basics@securityfocus.com
    | Subject: RE: Event log monitoring
    |
    |
    | I am in a similar situation as the original poster in that I am
    | looking for consolidated server event logging for our Windows server
    | farms. The options provided on this list so far provide a good base
    | for windows syslog servers/clients. The real question I need answered
    | is, which of these products provide correlation/analyzation/reporting
    | on the log data collected? That is the real value in having a
    | centralized logging system. Which of these products will let me
    | answer questions like:
    |
    | How many failed logins occurred between a certain time period? Which
    | logins and on which servers?
    | What are repeated application failures, and are they correlated in
    | some way to the security or system logs?
    | Creation of new administrator accounts correlated with a series of
    | failed login attempts followed by a single successful attempt.
    |
    | Basically, which log server analyzer will provide reports for
    | suspicious activity, or other activity possibly indicative of someone
    | trying to fiddle with things they shouldn't be? Does this kind of
    | thing exist, or are we still at the point where the vigilant sys
    | admin has to pore through these logs himself, or with a series of
    | scripts in hand?
    |
    | Thanks,
    |
    | Ryan
    |
    |
    |
    | -----Original Message-----
    | From: Kurt [mailto:kurtbuff@spro.net]
    | Sent: Wednesday, October 13, 2004 3:42 PM
    | To: 'Stephane Auger'; security-basics@securityfocus.com
    | Subject: RE: Event log monitoring
    |
    |
    | http://ntsyslog.sourceforge.net or http://intersectalliance.com/snare -
    | will send your eventlogs to a syslog server in realtime
    |
    | http://kiwisyslog.com - a very good syslog server for Windows, and if
    | you pay for it (it's very inexpensive for the impressive quality),
    | it'll even log to an ODBC DSN
    |
    | http://mysql.com - A free SQL database server, with an ODBC interface,
    | both Windows and *nix.
    |
    | Pretty much all you need.
    |
    | | -----Original Message-----
    | | From: Stephane Auger [mailto:stephaneauger@pre2post.com]
    | | Sent: Tuesday, October 12, 2004 13:26
    | | To: security-basics@securityfocus.com
    | | Subject: Event log monitoring
    | |
    | |
    | | Hey everyone,
    | |
    | | I'm looking for a practical way to monitor event logs on multiple
    | | servers. There are multiple subnets at multiple sites, and I have
    | | one main LAN to monitor everything. Is there some kind of
    | | software/batch file that could be installed on the servers so that
    | | the events are sent on my monitoring lan (a little bit like SNMP
    | | sending to a listening server)? Thanks!!
    | |
    | | Stephane Auger, MCP
    |
    |
    |
    | =============================
    | Notice to recipient: This e-mail is meant for only the
    | intended recipient
    | of the transmission, and may be a confidential communication or a
    | communication privileged by law. If you received this e-mail
    | in error, any
    | review, use, dissemination, distribution, or copying of this e-mail is
    | strictly prohibited. Please notify us immediately of the
    | error by return
    | e-mail and please delete this message from your system. Thank you in
    | advance for your cooperation.
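The roll-your-own route Kurt describes (forwarder -> syslog server -> SQL database) leaves the correlation step to you. As an added example, not code from the thread or from any of the tools named in it, the script below answers Ryan's first and last questions over a constructed, pipe-delimited feed loaded into SQLite: failed logons per user and server in a time window, successful logons preceded by a burst of failures, and account-creation or group-membership changes that follow such a logon on the same host. The feed layout, hostnames and usernames are assumptions; the event IDs are the NT/2000/2003-era Security log IDs (528 successful logon, 529 logon failure, 624 account created, 636 member added to a local group). The same queries would run unchanged against the MySQL table a Kiwi ODBC DSN would populate, apart from the `datetime()` arithmetic, which is SQLite syntax.

```python
import sqlite3

# Constructed sample feed: the kind of records a forwarder such as ntsyslog
# or Snare might leave in a database after passing through a syslog server.
# Layout, hosts and usernames are made up for this example.
# Columns: timestamp | host | event_id | subject user | detail
SAMPLE_FEED = """\
2004-10-15 09:00:01|srv1|529|bob|bad password
2004-10-15 09:00:05|srv1|529|bob|bad password
2004-10-15 09:00:09|srv1|529|bob|bad password
2004-10-15 09:00:12|srv1|529|bob|bad password
2004-10-15 09:00:20|srv1|528|bob|logon type 3
2004-10-15 09:03:40|srv1|624|bob|created account svc_backup2
2004-10-15 09:04:02|srv1|636|bob|added svc_backup2 to Administrators
2004-10-15 10:15:00|srv2|529|alice|bad password
2004-10-15 10:16:30|srv2|528|alice|logon type 2
2004-10-15 11:00:00|srv3|528|carol|logon type 2
2004-10-15 13:30:00|srv2|529|dave|bad password
2004-10-15 13:30:10|srv2|529|dave|bad password
"""


def load_events(feed):
    """Parse the pipe-delimited feed into an in-memory SQLite table.

    ISO-8601 timestamps sort correctly as strings, which is what the
    range comparisons below rely on."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, ts TEXT, host TEXT,"
        " event_id INTEGER, user TEXT, detail TEXT)"
    )
    rows = []
    for line in feed.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, user, detail = line.split("|", 4)
        rows.append((ts, host, int(event_id), user, detail))
    conn.executemany(
        "INSERT INTO events (ts, host, event_id, user, detail)"
        " VALUES (?, ?, ?, ?, ?)", rows
    )
    return conn


def failed_logins_between(conn, start, end):
    """Failed logons (529) per user and server in [start, end)."""
    sql = """SELECT user, host, COUNT(*) AS n FROM events
             WHERE event_id = 529 AND ts >= ? AND ts < ?
             GROUP BY user, host ORDER BY n DESC, user"""
    return conn.execute(sql, (start, end)).fetchall()


def failure_burst_then_success(conn, threshold=3, window_minutes=10):
    """Successful logons (528) preceded by at least `threshold` failures
    for the same user on the same host within the preceding window."""
    sql = """SELECT s.user, s.host, COUNT(f.id) AS failures, s.ts
             FROM events s JOIN events f
               ON f.user = s.user AND f.host = s.host AND f.event_id = 529
              AND f.ts < s.ts AND f.ts >= datetime(s.ts, ?)
             WHERE s.event_id = 528
             GROUP BY s.id HAVING failures >= ?
             ORDER BY s.ts"""
    params = ("-%d minutes" % window_minutes, threshold)
    return conn.execute(sql, params).fetchall()


def admin_changes_after_burst(conn, follow_minutes=30, **burst_kw):
    """Account creation (624) or local group membership changes (636) on the
    same host within `follow_minutes` after a burst-then-success logon."""
    hits = []
    for user, host, failures, success_ts in failure_burst_then_success(conn, **burst_kw):
        sql = """SELECT user, host, ts, event_id, detail FROM events
                 WHERE host = ? AND event_id IN (624, 636)
                   AND ts > ? AND ts <= datetime(?, ?) ORDER BY ts"""
        params = (host, success_ts, success_ts, "+%d minutes" % follow_minutes)
        hits.extend(conn.execute(sql, params).fetchall())
    return hits


if __name__ == "__main__":
    db = load_events(SAMPLE_FEED)
    print("failed logons 09:00-12:00:",
          failed_logins_between(db, "2004-10-15 09:00:00", "2004-10-15 12:00:00"))
    print("burst then success:", failure_burst_then_success(db))
    print("admin changes after burst:", admin_changes_after_burst(db))
```

Each report is a plain SQL query, so it is straightforward to schedule it against the real table and mail the result; the thresholds (`threshold`, `window_minutes`, `follow_minutes`) are the knobs you would tune once you see what normal traffic on your own servers looks like.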

