> Their not being text files probably has something to do with the
> wide availability of hacker tools called "text editors" that can be
> used to arbitrarily change the contents of such files to cover an
> intruder's tracks.

That brings up several other issues, the most important of which is the fact that in the zeal to produce something that is more resistant to tampering, MS has produced a non-scalable auditing system that is resistant to use by the Administrators themselves.

Further, look at the contents of EventLog. Logging is done by NetBIOS name, not IP address. Oh, and MS provides easy tools for changing NetBIOS names...

> These APIs, by the way, provide a degree of remote access across a
> network that the common file read/write APIs rely upon volume sharing
> to achieve.

Sure. And the APIs are conveniently wrapped in Perl modules such as Win32::EventLog and Win32::Lanman.

> The APIs also make it fairly easy to write programs which extract
> event log records to display, or to a text file for analysis or
> archive.

Or to an Excel spreadsheet...

> That the OS does not actually come with such a tool is an oversight
> that Microsoft will no doubt correct by acquiring one of the
> third-party tools that do this, as soon as one of them demonstrates
> that there's money to be made.

Interesting thought...but why hasn't it been done yet?
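The kind of extraction program the quoted text and the reply refer to, written against the Win32::EventLog module the reply names, as an added example that is not part of the original message. It dumps one log (Security by default, or a remote server's log when a NetBIOS server name is given) to a tab-separated text file, one record per line, so the result can be grepped, archived, or opened in a spreadsheet. The assumptions are labelled in the comments: Perl on Windows with Win32::EventLog installed, an account allowed to read the Security log, and the script's own argument order. Note the Computer column: it is the NetBIOS name stored in the record header, which is the point made above about NetBIOS names rather than IP addresses.

```perl
#!/usr/bin/perl
# Added example (not code from the original post).  Dump a Windows event
# log to a tab-separated text file using Win32::EventLog.
# Assumptions: Perl on Windows with Win32::EventLog (libwin32) installed,
# and an account permitted to read the chosen log (Security needs admin).
use strict;
use warnings;
use Win32::EventLog;

# Ask Read() to fill in $rec->{Message} from the source's message DLL.
# For a remote server the DLL must also be present locally, otherwise
# Message stays empty and only the insertion strings are available.
$Win32::EventLog::GetMessageText = 1;

# Map the EventType flag values to the names Event Viewer shows.
my %type_name = (
    EVENTLOG_ERROR_TYPE()       => 'Error',
    EVENTLOG_WARNING_TYPE()     => 'Warning',
    EVENTLOG_INFORMATION_TYPE() => 'Information',
    EVENTLOG_AUDIT_SUCCESS()    => 'Audit Success',
    EVENTLOG_AUDIT_FAILURE()    => 'Audit Failure',
);

# Render one record as a single tab-separated line.  {Computer} is the
# NetBIOS name of the machine that wrote the record; the record header
# carries no IP address at all.
sub format_record {
    my ($rec) = @_;
    my @t = localtime($rec->{TimeGenerated});   # seconds since the epoch
    my $stamp = sprintf '%04d-%02d-%02d %02d:%02d:%02d',
        $t[5] + 1900, $t[4] + 1, @t[3, 2, 1, 0];
    my $msg = defined $rec->{Message} ? $rec->{Message} : '';
    $msg =~ s/[\r\n\t]+/ /g;                    # keep one record per line
    return join("\t",
        $rec->{RecordNumber},
        $stamp,
        $rec->{Computer},
        $rec->{Source},
        exists $type_name{ $rec->{EventType} }
            ? $type_name{ $rec->{EventType} } : $rec->{EventType},
        $rec->{EventID} & 0xFFFF,   # low word is the ID Event Viewer displays
        $msg,
    ) . "\n";
}

# Read every record of $log_name (on $server, or locally when undef)
# and write it to $out_path.  Returns the number of records written.
sub dump_log {
    my ($log_name, $server, $out_path) = @_;
    my $log = Win32::EventLog->new($log_name, $server)
        or die "Cannot open $log_name log on "
             . (defined $server ? $server : 'localhost') . "\n";

    my ($count, $oldest);
    $log->GetNumber($count);    # records currently in the log
    $log->GetOldest($oldest);   # record number of the oldest one

    open my $out, '>', $out_path or die "Cannot write $out_path: $!\n";
    print $out join("\t", qw(Record Time Computer Source Type EventID Message)), "\n";

    my $written = 0;
    while ($written < $count) {
        my $rec;
        # Sequential forward read: each call hands back the next record.
        $log->Read(EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ, 0, $rec)
            or last;
        print $out format_record($rec);
        $written++;
    }
    close $out;
    $log->Close();
    return $written;
}

# Usage (argument order is this script's own convention):
#   perl dumplog.pl [LogName] [\\SERVER or NetBIOS name] [output file]
my ($log_name, $server, $out) = @ARGV;
$log_name = 'Security'      unless defined $log_name;
$out      = "$log_name.tsv" unless defined $out;
my $n = dump_log($log_name, $server, $out);
print "Wrote $n records from $log_name to $out\n";
```

Because the output is plain text, it inherits the weakness the quoted text is joking about: anyone with write access to the .tsv can edit it. The usual answer is to copy the dump off the box promptly (or pipe it straight to a collector) rather than to leave it beside the binary log it was taken from.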
This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 09:02:41 PST