RE: [logs] NT Logs

From: Nathan Kim (nkim1at_private)
Date: Thu Feb 07 2002 - 14:24:30 PST


    Gonzalo,
    
    I believe you are getting those events because your auditing policy for
    "Audit object access" is set to monitor both Success and Fail.
    
    If you just monitor Failure, and not Success, you will only get the events
    generated when someone or some process fails to access an object.  This should
    reduce the number of events generated from the DCs.
    
    I hope this helps.
    
    Regards,
    
    Nathan Kim, GCIA
    
    Security Tools Architect
    IBM Global Services
    Internet E-Mail Address:  NKIM1at_private
    
    Gonzalo Garcia <GO_GARCIA@crm.com.ar> wrote on 02/07/2002 03:15 PM
    To:      loganalysisat_private
    Subject: RE: [logs] NT Logs
    
    Thanks for all previous posts; with your help I've successfully developed my
    (now not so tiny) perl script. It connects to every DC in a domain to get
    its logs and sends them to a central log machine running syslog (it's based
    on evlogsys.pl halat_private) but with major changes. An integration with
    big brother (www.bb4.com) is planned, sending log alarms to bb.
    
    When I started to test the script I found this problem: the DCs (about 50
    country wide) generate logs faster than I can read them; most of them are 560
    and 562 events, and according to this trend in a short time I'll be missing
    many log entries.
    
    Do any of you know the meaning of EventID 560 and EventID 562? When and why
    are they generated?
    Is there any way to stop these log events? Would I miss too much
    information doing this?
    
    
    
    EventID 560: Object Open:%n\r\n%tObject Server:%t%1%n\r\n%tObject
    Type:%t%2%n\r\n%tObject Name:%t%3%n\r\n%tNew Handle ID:%t%4%n\r\n%tOperation
    ID:%t{%5,%6}%n\r\n%tProcess ID:%t%7%n\r\n%tPrimary User
    Name:%t%8%n\r\n%tPrimary Domain:%t%9%n\r\n%tPrimary Logon ID:%t%10%n
    
    EventID 562: Handle Closed:%n\r\n%tObject Server:%t%1%n\r\n%tHandle
    ID:%t%2%n\r\n%tProcess ID:%t%3%n\r\n
    
    Descriptions are:
    EventID 560: Event generated by auditing "Object Open" activities.
    EventID 562: Event generated when auditing is turned on for object access:
    "Handle Closed"
    
    The audit policies are:
    ------------------------
    
    Audit account logon events ( Success, Failure )
    Audit account management ( Success, Failure )
    Audit directory service access ( Success, Failure )
    Audit login events        ( Success, Failure )
    Audit object access ( Success, Failure )
    Audit policy change ( Success, Failure )
    Audit privilege use ( Success, Failure )
    Audit process tracking ( No auditing )
    Audit system events ( Success, Failure )
    
    
    If anyone is interested in a copy of this script just send me a mail. For now
    it only gets the logs and sends them to a syslog server.
    
    Thanks in advance,
    Gonzalo.
    
    >   -----Original Message-----
    > From: Gonzalo Garcia [mailto:GO_GARCIAat_private]
    > Sent: Monday, February 04, 2002 7:40 AM
    > To: loganalysisat_private
    > Subject: [logs] NT Logs
    >
    >
    >
    > Hi, I'm trying to do some work with NT logs and I have some questions.
    >
    > Is it possible to send all the logs to only one machine? I have a PDC and 30
    > BDCs and it would be excellent to get the logs from only one server.
    >
    > Where can I get the EventID descriptions?
    >
    > I'm writing a tiny perl script using the Win32::EventLog module. It works
    > fine with the system logs, but when I try to read the security logs and call
    > the $hash->read(args ....) method the User key of the hashref is not in text.
    > I've read some documents and there are "masks" to apply to some keys (e.g.
    > TimeGenerated) but I could not find the mask, if any, for the User key. Does
    > someone have some experience with this? ($Win32::EventLog::GetMessageText
    > is already set to 1.)
    >
    > Does anyone know how to do this stuff using MFC or any non-commercial
    > software? I just want to read the logs and, according to the EventID, send a
    > message (maybe the whole record) to a DB server.
    >
    >
    >
    >
    > Sorry about my English.
    > Thanks in advance,
    > Gonzalo S. García.
    >
    >
    >
    >
    >
    >
    >
    > ---------------------------------------------------------------------
    > To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    > For additional commands, e-mail: loganalysis-helpat_private
    >
    >
    >
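As an added example (not Gonzalo's perl script and not code from anyone in this thread), the following Python expands the two message templates quoted above from their insertion strings and applies, on the collector side, the filter Nathan describes: successful object-access audits (560/562) are dropped and only the failures are forwarded. The event record layout, the sample events and the host name DC01 are constructed for the example, and the literal "\r\n" shown in the quoted templates is treated as display residue and dropped.

```python
import re
# Templates quoted in the post ("\r\n" residue dropped): %n newline, %t tab, %N = N-th insertion string.
TEMPLATES = {
    560: ("Object Open:%n%tObject Server:%t%1%n%tObject Type:%t%2%n%tObject Name:%t%3%n"
          "%tNew Handle ID:%t%4%n%tOperation ID:%t{%5,%6}%n%tProcess ID:%t%7%n"
          "%tPrimary User Name:%t%8%n%tPrimary Domain:%t%9%n%tPrimary Logon ID:%t%10%n"),
    562: "Handle Closed:%n%tObject Server:%t%1%n%tHandle ID:%t%2%n%tProcess ID:%t%3%n",
}
_TOKEN = re.compile(r"%(n|t|\d+)")

EVENTLOG_AUDIT_SUCCESS = 0x0008  # EventType values of audit records (Win32 event log API)
EVENTLOG_AUDIT_FAILURE = 0x0010
OBJECT_ACCESS_EVENTS = {560, 562}

def expand(template, strings):
    """Substitute %n, %t and the 1-based %N insertion strings into a template;
    an %N with no matching insertion string is left as the raw token."""
    def sub(m):
        tok = m.group(1)
        if tok in ("n", "t"):
            return "\n" if tok == "n" else "\t"
        idx = int(tok) - 1
        return strings[idx] if 0 <= idx < len(strings) else m.group(0)
    return _TOKEN.sub(sub, template)

def should_forward(event):
    """Drop successful object-access audits, keep everything else: the
    collector-side equivalent of auditing object access for Failure only."""
    if event["EventID"] in OBJECT_ACCESS_EVENTS:
        return event["EventType"] == EVENTLOG_AUDIT_FAILURE
    return True

def to_syslog_line(event):
    """Render one event as a single syslog-friendly line (tabs and newlines collapsed)."""
    text = expand(TEMPLATES[event["EventID"]], event["Strings"])
    return f"{event['Computer']} NT-Security[{event['EventID']}] {' '.join(text.split())}"

# Constructed sample records (assumed layout, not real DC data): a successful open,
# a failed open by another user, and the handle close belonging to the first open.
SAMPLE_EVENTS = [
    {"Computer": "DC01", "EventID": 560, "EventType": EVENTLOG_AUDIT_SUCCESS, "Strings":
     ["Security", "File", "C:\\payroll\\q1.xls", "1234", "0", "998877", "420", "alice", "CORP", "(0x0,0x3E7)"]},
    {"Computer": "DC01", "EventID": 560, "EventType": EVENTLOG_AUDIT_FAILURE, "Strings":
     ["Security", "File", "C:\\payroll\\q1.xls", "-", "0", "998878", "420", "bob", "CORP", "(0x0,0x4A1)"]},
    {"Computer": "DC01", "EventID": 562, "EventType": EVENTLOG_AUDIT_SUCCESS, "Strings":
     ["Security", "1234", "420"]},
]

def forwarded_lines(events=SAMPLE_EVENTS):
    # Only the lines that would actually be sent to the central syslog host.
    return [to_syslog_line(e) for e in events if should_forward(e)]
```

With the sample records only the failed open by "bob" is forwarded; the successful open and its matching 562 close are discarded before they reach syslog.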
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Feb 07 2002 - 17:20:01 PST