RE: [logs] RE: NT Event Log and Web Server Attacks

From: Paul D. Robertson (probertsat_private)
Date: Fri Jan 17 2003 - 18:54:49 PST


    On Fri, 17 Jan 2003, Eric Fitzgerald wrote:
    > I would be very interested in hearing any suggestions on how to improve
    > the ability to analyze the Windows security log. I've explained why some
    > of the events seem to be "missing" information even though the
    > information is really in the log, and Microsoft's strategy moving
    > forward, but if you have other suggestions then I would be very open to
    > hearing them.
    Hi Eric,
    I received this response from another person at our company-
    In response to the request for suggestions regarding auditing:
    Windows auditing should be tree oriented around objects known to
    Administrators, rather than time oriented as it is now (or the views
    should be switchable). Typically you reach a point in auditing where you
    want to track a user, machine, process, or other tangible object.
    Tracking by event ID, or time, is not appropriate at that point. Same is
    true in System logs (and other event logs). The biggest struggle with MS
    event logs has been digesting the information and knowing what you are
    trying to track. Tracking by known objects should make the process more
    So, for example, what did userX do since their next to last log off?
    What has been done on this machine? What has IIS been doing since it was
    last restarted? That sort of scenario.
    I'll add my two cents, which is that the time-oriented view is _crucial_ 
    to forensics, so "rather than" isn't realistic, but "as well as" would 
    work quite nicely.  Personally, I don't overly mind doing correlation 
    (heck, that's half the value of doing the forensics well) as long as 
    there's a good key to go off of.  But I think the above point is valid, 
    and should have at least some level of thought- even if it's weird, like 
    something along the lines of per-object logging options for some events 
    (like "I want to audit users, give me per-user logs" or "I want to audit 
    tbird, shove that stuff over there, as well as here in the event log 
    in traditional format....") 
    I think "You can switch on this slower, but object/target/subject stuff on 
    if you want" kind of thing might be a good idea given the level of admins 
    we've seen of late running single-purpose systems like Web servers.  
    Anyway, I wanted to throw it out there as a thought and see if you had 
    some comments on views of log events in formats that those of us doing a 
    lot of log processing don't tend to think of- the sorts of questions 
    normal admins have that relate to logged events (I spend way too much time 
    reading log tea leaves to diagnose attacks and malice to think much about 
    normal daily adminish stuff.)
    Paul D. Robertson      "My statements in this message are personal opinions
    probertsat_private      which may have no basis whatsoever in fact."
    probertsonat_private Director of Risk Assessment TruSecure Corporation
    LogAnalysis mailing list
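One way to build the "as well as" view discussed above, as an added example that is not code from the original thread: time-ordered records are indexed by user and by host, time order is kept inside each key, and the "what did userX do since their next-to-last log off?" and "what has been done on this machine?" questions become simple lookups. The record fields and the sample events are constructed assumptions, not Windows event-log fields or event IDs.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # constructed timestamp (seconds); the log's native ordering
    kind: str     # constructed kinds: "logon", "logoff", "process", "object"
    user: str
    host: str
    detail: str


# Constructed sample log, in the time order the event log would present it.
EVENTS = [
    Event(100, "logon", "userX", "web1", "interactive"),
    Event(110, "process", "userX", "web1", "cmd.exe"),
    Event(120, "logoff", "userX", "web1", ""),
    Event(130, "logon", "userY", "web1", "network"),
    Event(140, "logon", "userX", "web1", "interactive"),
    Event(150, "object", "userX", "web1", "C:\\inetpub\\wwwroot\\default.htm"),
    Event(160, "logoff", "userX", "web1", ""),
    Event(170, "logon", "userX", "web1", "interactive"),
    Event(180, "process", "userX", "web1", "net.exe"),
    Event(190, "process", "userY", "web1", "w3wp.exe"),
]


def build_index(events):
    """Object-oriented views over the time-oriented log: one list per user
    and one per host, each still sorted by time so forensics keeps its order."""
    by_user, by_host = defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)
        by_host[ev.host].append(ev)
    return by_user, by_host


def since_next_to_last_logoff(by_user, user):
    """'What did userX do since their next-to-last log off?'"""
    evs = by_user.get(user, [])
    logoffs = [i for i, e in enumerate(evs) if e.kind == "logoff"]
    if len(logoffs) < 2:
        return list(evs)  # fewer than two logoffs on record: show everything
    return evs[logoffs[-2] + 1:]


def on_host_since(by_host, host, since_ts):
    """'What has been done on this machine?' restricted to a start time."""
    return [e for e in by_host.get(host, []) if e.ts >= since_ts]
```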

    This archive was generated by hypermail 2b30 : Sat Jan 18 2003 - 22:14:23 PST