Security Basics mailing list archives
RE: Event log monitoring
From: Ryan Murphy <RMurphy () irvinecompany com>
Date: Fri, 15 Oct 2004 11:53:38 -0700
I am in a similar situation as the original poster in that I am looking for consolidated server event logging for our Windows server farms. The options provided on this list so far provide a good base for Windows syslog servers/clients. The real question I need answered is, which of these products provide correlation/analysis/reporting on the log data collected? That is the real value in having a centralized logging system. Which of these products will let me answer questions like:

- How many failed logins occurred in a certain time period? Which logins, and on which servers?
- What are repeated application failures, and are they correlated in some way to the security or system logs?
- Creation of new administrator accounts correlated with a series of failed login attempts followed by a single successful attempt.

Basically, which log server analyzer will provide reports for suspicious activity, or other activity possibly indicative of someone trying to fiddle with things they shouldn't be? Does this kind of thing exist, or are we still at the point where the vigilant sysadmin has to pore through these logs himself, or with a series of scripts in hand?

Thanks,
Ryan

-----Original Message-----
From: Kurt [mailto:kurtbuff () spro net]
Sent: Wednesday, October 13, 2004 3:42 PM
To: 'Stephane Auger'; security-basics () securityfocus com
Subject: RE: Event log monitoring

http://ntsyslog.sourceforge.net or http://intersectalliance.com/snare - will send your event logs to a syslog server in real time

http://kiwisyslog.com - a very good syslog server for Windows, and if you pay for it (it's very inexpensive for the impressive quality), it'll even log to an ODBC DSN

http://mysql.com - a free SQL database server, with an ODBC interface, both Windows and *nix.

Pretty much all you need.
| -----Original Message-----
| From: Stephane Auger [mailto:stephaneauger () pre2post com]
| Sent: Tuesday, October 12, 2004 13:26
| To: security-basics () securityfocus com
| Subject: Event log monitoring
|
| Hey everyone,
|
| I'm looking for a practical way to monitor event logs on multiple servers. There are multiple subnets at multiple sites, and I have one main LAN to monitor everything. Is there some kind of software/batch file that could be installed on the servers so that the events are sent to my monitoring LAN (a little bit like SNMP sending to a listening server)? Thanks!!
|
| Stephane Auger, MCP
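Added example (not code from this thread, nor from ntsyslog, Snare, Kiwi Syslog or MySQL): once the forwarded event logs land in a SQL table, as in the syslog-to-ODBC chain Kurt describes, each of Ryan's questions is a query, and the "failed logins, then one success, then a new administrator" pattern is a join on host, user and time window. The table layout, the column names and the sample rows are constructed assumptions; SQLite stands in for MySQL so the script runs offline. The event IDs are the Windows 2000/2003 security log IDs (529 failed logon, 528 successful logon, 624 user account created, 636 member added to a security-enabled local group).

```python
"""Correlation queries over centrally collected Windows event-log records.

Assumptions (not from the thread): one table `events` with the columns
below, timestamps already normalised to 'YYYY-MM-DD HH:MM:SS', and a
`detail` column carrying the group name for 636 / source host for logons.
"""
import sqlite3

# Windows 2000/2003 security event IDs (Vista and later renumbered them).
LOGON_FAIL = 529        # Logon failure: unknown user name or bad password
LOGON_OK = 528          # Successful logon
ACCOUNT_CREATED = 624   # User account created
LOCAL_GROUP_ADD = 636   # Security-enabled local group member added

# Constructed sample rows: (host, event_id, user, actor, detail, ts).
SAMPLE_EVENTS = [
    ("FS01", LOGON_FAIL, "administrator", "", "from WKS-44", "2004-10-15 02:10:05"),
    ("FS01", LOGON_FAIL, "administrator", "", "from WKS-44", "2004-10-15 02:10:09"),
    ("FS01", LOGON_FAIL, "administrator", "", "from WKS-44", "2004-10-15 02:10:14"),
    ("FS01", LOGON_FAIL, "administrator", "", "from WKS-44", "2004-10-15 02:10:20"),
    ("FS01", LOGON_OK,   "administrator", "", "from WKS-44", "2004-10-15 02:10:31"),
    ("FS01", ACCOUNT_CREATED, "svc_backup2", "administrator", "", "2004-10-15 02:14:02"),
    ("FS01", LOCAL_GROUP_ADD, "svc_backup2", "administrator", "Administrators", "2004-10-15 02:14:40"),
    ("WEB03", LOGON_FAIL, "jsmith", "", "from WKS-12", "2004-10-15 09:01:00"),
    ("WEB03", LOGON_OK,   "jsmith", "", "from WKS-12", "2004-10-15 09:01:20"),
    ("WEB03", LOGON_FAIL, "bob", "", "from WKS-07", "2004-10-15 13:00:00"),
    ("WEB03", LOGON_FAIL, "bob", "", "from WKS-07", "2004-10-15 13:05:00"),
]


def load_events(events=SAMPLE_EVENTS):
    """Build an in-memory table shaped like the ODBC target a syslog server would write to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (host TEXT, event_id INTEGER, user TEXT,"
                 " actor TEXT, detail TEXT, ts TEXT)")
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?)", events)
    return conn


def failed_logons(conn, start, end):
    """How many failed logons in [start, end), for which accounts, on which servers."""
    return conn.execute(
        "SELECT host, user, COUNT(*) FROM events "
        "WHERE event_id=? AND ts>=? AND ts<? GROUP BY host, user ORDER BY 3 DESC",
        (LOGON_FAIL, start, end)).fetchall()


def success_after_failures(conn, min_failures=3, window_minutes=10):
    """Successful logons preceded by >= min_failures failures for the same host/user
    within the preceding window: the 'many failures then one success' pattern."""
    sql = ("SELECT s.host, s.user, s.ts,"
           " (SELECT COUNT(*) FROM events f WHERE f.event_id=? AND f.host=s.host"
           "   AND f.user=s.user AND f.ts<s.ts AND f.ts>=datetime(s.ts, ?)) AS failures"
           " FROM events s WHERE s.event_id=? ORDER BY s.ts")
    rows = conn.execute(sql, (LOGON_FAIL, f"-{window_minutes} minutes", LOGON_OK)).fetchall()
    return [r for r in rows if r[3] >= min_failures]


def new_admins_after_bruteforce(conn, window_minutes=30, **kw):
    """Account creations or local-group additions done by an account that had just
    passed a brute-force-looking logon on the same host, within window_minutes."""
    hits = []
    for host, user, ts, failures in success_after_failures(conn, **kw):
        rows = conn.execute(
            "SELECT event_id, user, detail, ts FROM events WHERE host=? AND actor=?"
            " AND event_id IN (?,?) AND ts>=? AND ts<datetime(?, ?) ORDER BY ts",
            (host, user, ACCOUNT_CREATED, LOCAL_GROUP_ADD, ts, ts,
             f"+{window_minutes} minutes")).fetchall()
        for event_id, target, detail, when in rows:
            hits.append((host, user, failures, event_id, target, detail, when))
    return hits


if __name__ == "__main__":
    db = load_events()
    print("failed logons 00:00-12:00:", failed_logons(db, "2004-10-15 00:00:00", "2004-10-15 12:00:00"))
    print("success after failures:", success_after_failures(db))
    print("admin changes after brute force:", new_admins_after_bruteforce(db))
```

Two caveats before trusting such a report: the cross-server correlation only works if the hosts' clocks agree (keep them on NTP, and prefer the collector's receive time when they do not), and the 624/636 rows only exist if "Audit account management" is enabled on the servers, which it is not by default on Windows 2000. On Vista/2008 and later the same events are 4625, 4624, 4720 and 4732.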
Current thread:
- Event log monitoring Stephane Auger (Oct 13)
- Re: Event log monitoring Josh Mills (Oct 13)
- RE: Event log monitoring David Nardoni (Oct 14)
- RE: Event log monitoring Kurt (Oct 14)
- RE: Event log monitoring s b (Oct 18)
- <Possible follow-ups>
- RE: Event log monitoring Osvaldo Casagrande (Oct 14)
- RE: Event log monitoring Kurt (Oct 15)
- RE: Event log monitoring Ryan Murphy (Oct 15)
- RE: Event log monitoring Kurt (Oct 18)
- RE: Event log monitoring Julen C (Oct 18)
- RE: Event log monitoring Tran, Nhon (Oct 19)
- Re: Event log monitoring nanoLox (Oct 19)
- RE: Event log monitoring Bhavani Suresh (Oct 20)