Re: Windows event auditing and reporting

["List Spam" <listspam () gmail com>]

For a good general starter, check out the "Library" section of
www.loganalysis.org.  In particular, take a look at the various Event
Log to Syslog translators and subsequent Syslog reporting tools.

The reason I recommend conversions to Syslog are that it's a
well-known and well-supported format for open-source and commercial
tools of the type you're looking for.  Additionally, it's the de-facto
logging standard for just about everything outside of the MS world -
e.g. Routers, Switches, most IDS, Unix, etc.

Once you get your logs into a generally vendor-agnostic format such as
Syslog, you open up numerous options that won't be otherwise
available, all the while keeping in tact those options that exist on
your platform of choice, such as LogParser, WMIC, EventcombMT, DUMPEL,
ELOGDUMP, etc. which can still be used in conjunction with your
overall log centralization, corrolation, and reporting facilities.

My two cents.

RE

On 4/3/06, rs <rsmade () gmail com> wrote:
> Can anyone recommend a good tool that will alert and report on Windows
> Event logs, especially DC logs for events such as New user accounts,
> changed user accounts, deleted user accounts, locked user accounts,
> failed login attempts, expired passwords, dormant accounts, etc. We have
> looked at both S.E.L.M from GFI (Reporting wasn't great) and Active
> Administrator from ScriptLogic (Reporting was great but event criteria
> was not customizable and it offers a ton of nice features that we don't
> necessarily need but would be paying for.) . Just wanted to see if there
> was anything else out there that someone could recommend?
>
> ---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity Planning,
> Computer Emergency Response Teams, and Digital Investigations.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------