RE: [logs] RE: NT Event Log and Web Server Attacks

From: Eric Fitzgerald (ericfat_private)
Date: Fri Jan 17 2003 - 12:00:16 PST

    > -----Original Message-----
    > From: H C [mailto:keydet89at_private] 
    > Sent: Friday, January 17, 2003 11:27 AM
    > To: Rainer Gerhards; loganalysisat_private
    > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie; Eric Fitzgerald
    > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    
    > I just think that due to the obscurity of the
    > EventLog, particularly on NT and 2K platforms, this
    > can be a bit more trouble than it's worth.  
    
    I would be very interested in hearing any suggestions on how to improve
    the ability to analyze the Windows security log. I've explained why some
    of the events seem to be "missing" information even though the
    information is really in the log, and Microsoft's strategy moving
    forward, but if you have other suggestions then I would be very open to
    hearing them.
    
    The upcoming Windows Server 2003 Resource Kit will have a chapter on
    Windows Security Log analysis which will have more information on event
    correlation than has previously been published, as well as descriptions
    of all the events.  This documentation will likely be a web download as
    well as a printed book.  Look for it this summer.  In the meantime there
    are a couple of white papers on the Microsoft web site about auditing,
    which you might find helpful:
    
    Older, more NT4-focused:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bestprac/bpent/sec3/monito.asp
    
    Windows 2000-focused:
    http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/prodtech/windows/windows2000/staysecure/secops06.asp
    
    Eric Fitzgerald
    Program Manager, Windows Auditing and Intrusion Detection
    Microsoft Corporation
    425-705-9601
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    
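The event correlation Eric refers to (a field that looks "missing" from one record is carried by another record that shares a key with it) can be shown in a few lines of code. The script below is an added example for this archive page, not code from the original message or from Microsoft; it assumes Windows 2000 security-log records flattened into Python dicts, using the Windows 2000 event IDs 528/540 (successful logon), 538 (user logoff), 560 (object open) and 562 (handle closed), where 562 carries only the Handle ID and Process ID and gets its object name by matching the earlier 560, and 528/538/560 are tied together by Logon ID. The records themselves are constructed.

```python
"""Correlate Windows 2000 security-log records that only make sense together.

Added example for the list archive; the sample records below are constructed,
the event IDs and field names are those of the Windows 2000 security log.
"""
from collections import defaultdict

# Constructed sample, as an export tool would flatten it.  Note that the 562
# (handle closed) records name no object and no account: that information is
# recovered by correlation with the 560 (object open) record for the same
# Handle ID and the 528 (logon) record for the same Logon ID.
SAMPLE_EVENTS = [
    {"id": 528, "time": "2003-01-17 11:20:01", "user": "alice", "domain": "CORP",
     "logon_id": "(0x0,0x3E7B)", "logon_type": 2},
    {"id": 560, "time": "2003-01-17 11:21:10", "object": "C:\\inetpub\\wwwroot\\admin.asp",
     "handle_id": 48, "process_id": 1044, "logon_id": "(0x0,0x3E7B)", "accesses": "ReadData"},
    {"id": 562, "time": "2003-01-17 11:21:11", "handle_id": 48, "process_id": 1044},
    # Handle ID 48 is reused for a different object after the first close.
    {"id": 560, "time": "2003-01-17 11:25:00", "object": "C:\\WINNT\\repair\\sam",
     "handle_id": 48, "process_id": 1044, "logon_id": "(0x0,0x3E7B)", "accesses": "ReadData"},
    {"id": 562, "time": "2003-01-17 11:25:05", "handle_id": 48, "process_id": 1044},
    {"id": 538, "time": "2003-01-17 11:30:00", "user": "alice", "domain": "CORP",
     "logon_id": "(0x0,0x3E7B)", "logon_type": 2},
    # A close with no open on record (e.g. the open predates the log window).
    {"id": 562, "time": "2003-01-17 11:31:00", "handle_id": 99, "process_id": 1044},
]


def correlate_handles(events):
    """Pair each 562 (handle closed) with the latest unmatched 560 (object open)
    for the same Handle ID.

    Returns (pairs, orphans).  Each pair carries the object name and Logon ID
    that the 562 record itself lacks; orphans are 562 records with no open on
    file.  Handle IDs are reused once closed, so only the most recent open for
    a given ID is a candidate, and it is consumed when matched.
    """
    open_handles = {}  # handle_id -> 560 record that has not been closed yet
    pairs, orphans = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 560:
            open_handles[ev["handle_id"]] = ev
        elif ev["id"] == 562:
            opened = open_handles.pop(ev["handle_id"], None)
            if opened is None:
                orphans.append(ev)
            else:
                pairs.append({
                    "object": opened["object"],
                    "accesses": opened["accesses"],
                    "logon_id": opened["logon_id"],
                    "process_id": ev["process_id"],
                    "opened": opened["time"],
                    "closed": ev["time"],
                })
    return pairs, orphans


def correlate_sessions(events):
    """Group records by Logon ID: the 528/540 logon supplies the account name,
    the 538 logoff closes the session, and 560 opens in between are the
    activity.  562 records carry no Logon ID and are left to correlate_handles.
    """
    sessions = defaultdict(lambda: {"user": None, "logon": None, "logoff": None, "objects": []})
    for ev in sorted(events, key=lambda e: e["time"]):
        lid = ev.get("logon_id")
        if lid is None:
            continue
        s = sessions[lid]
        if ev["id"] in (528, 540):
            s["user"] = f'{ev["domain"]}\\{ev["user"]}'
            s["logon"] = ev["time"]
        elif ev["id"] == 538:
            s["logoff"] = ev["time"]
        elif ev["id"] == 560:
            s["objects"].append(ev["object"])
    return dict(sessions)


if __name__ == "__main__":
    pairs, orphans = correlate_handles(SAMPLE_EVENTS)
    for p in pairs:
        print(f'{p["logon_id"]} opened {p["object"]} ({p["accesses"]}) '
              f'{p["opened"]} .. {p["closed"]}')
    for o in orphans:
        print(f'unmatched close: handle {o["handle_id"]} at {o["time"]}')
    for lid, s in correlate_sessions(SAMPLE_EVENTS).items():
        print(f'{lid} {s["user"]} {s["logon"]} .. {s["logoff"]}: {len(s["objects"])} object(s)')
```

The two passes are deliberately separate: handle correlation needs only the Handle ID and must tolerate reuse and log-window truncation, while session correlation needs the Logon ID, which the close record never carries. Running both gives, per session, the account, the interval, and the list of objects touched, which is the view that none of the individual records shows on its own.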
    This archive was generated by hypermail 2b30 : Sat Jan 18 2003 - 22:00:26 PST