RE: [logs] RE: NT Event Log and Web Server Attacks

From: H C (keydet89at_private)
Date: Sun Jan 19 2003 - 11:18:03 PST


    Noah,
    
    Care to share this document you found?  It might be
    helpful to everyone.
    
    Thanks,
    
    Carv
    
    --- Noah White <nwhiteat_private> wrote:
    > 
    > One suggestion which comes to mind would be to make available a full
    > accounting of all Windows/Microsoft produced event IDs, their sources,
    > what they mean etc.
    > 
    > I have found a nice document on the security log and security event ids,
    > however it has been impossible to find this information for other event
    > logs (Directory services, File replication, DNS etc).  In particular in
    > the case of active directory one is publicly unavailable.
    > 
    > ---
    > Noah White
    > mailto://<nwhiteat_private>
    > SilverBack Technologies Inc.
    > http://www.silverbacktech.com
    > 
    > 
    > > -----Original Message-----
    > > From: Eric Fitzgerald [mailto:ericfat_private]
    > > Sent: Friday, January 17, 2003 3:00 PM
    > > To: H C; Rainer Gerhards; loganalysisat_private
    > > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie
    > > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    > > 
    > > > -----Original Message-----
    > > > From: H C [mailto:keydet89at_private]
    > > > Sent: Friday, January 17, 2003 11:27 AM
    > > > To: Rainer Gerhards; loganalysisat_private
    > > > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie;
    > > > Eric Fitzgerald
    > > > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    > > 
    > > > I just think that due to the obscurity of the EventLog, particularly
    > > > on NT and 2K platforms, this can be a bit more trouble than it's
    > > > worth.
    > > 
    > > I would be very interested in hearing any suggestions on how to improve
    > > the ability to analyze the Windows security log.  I've explained why
    > > some of the events seem to be "missing" information even though the
    > > information is really in the log, and Microsoft's strategy moving
    > > forward, but if you have other suggestions then I would be very open
    > > to hearing them.
    > 
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 09:40:59 PST