> -----Original Message-----
> From: H C [mailto:keydet89at_private]
> Sent: Friday, January 17, 2003 11:27 AM
> To: Rainer Gerhards; loganalysisat_private
> Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie; Eric Fitzgerald
> Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
>
> I just think that due to the obscurity of the
> EventLog, particularly on NT and 2K platforms, this
> can be a bit more trouble than it's worth.

I would be very interested in hearing any suggestions on how to improve the ability to analyze the Windows security log. I've explained why some of the events seem to be "missing" information even though the information is really in the log, and Microsoft's strategy moving forward, but if you have other suggestions then I would be very open to hearing them.

The upcoming Windows Server 2003 Resource Kit will have a chapter on Windows Security Log analysis which will have more information on event correlation than has previously been published, as well as descriptions of all the events. This documentation will likely be a web download as well as a printed book. Look for it this summer.

In the meantime there are a couple of white papers on the Microsoft web site about auditing, which you might find helpful:

Older, more NT4-focused:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bestprac/bpent/sec3/monito.asp

Windows 2000-focused:
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/prodtech/windows/windows2000/staysecure/secops06.asp

Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection
Microsoft Corporation
425-705-9601

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Sat Jan 18 2003 - 22:00:26 PST