RE: [logs] RE: NT Event Log and Web Server Attacks

• Previous message: Nate Campi: "Re: [logs] swatchrc file"
• In reply to: Noah White: "RE: [logs] RE: NT Event Log and Web Server Attacks"
• Next in thread: Rainer Gerhards: "RE: [logs] RE: NT Event Log and Web Server Attacks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Noah,

Care to share this document you found?  It might be
helpful to everyone.

Thanks,

Carv

--- Noah White <nwhiteat_private> wrote:
> 
> One suggestion which comes to mind would be to make
> available a full
> accounting of all Windows/Microsoft produced event
> IDs, their sources, what
> they mean etc.
> 
> I have found a nice document on the security log and
> security event ids,
> however it has been impossible to find this
> information for other event logs
> (Directory services, File replication, DNS etc).  In
> particular in the case
> of active directory one is publicly unavailable. 
> 
> ---
> Noah White
> mailto://<nwhiteat_private>
> SilverBack Technologies Inc.	
> http://www.silverbacktech.com
> 
> 
> > -----Original Message-----
> > From: Eric Fitzgerald
> [mailto:ericfat_private]
> > Sent: Friday, January 17, 2003 3:00 PM
> > To: H C; Rainer Gerhards;
> loganalysisat_private
> > Cc: Tina Bird; Marcus J. Ranum;
> probertsat_private; Ben Laurie
> > Subject: RE: [logs] RE: NT Event Log and Web
> Server Attacks
> > 
> > > -----Original Message-----
> > > From: H C [mailto:keydet89at_private]
> > > Sent: Friday, January 17, 2003 11:27 AM
> > > To: Rainer Gerhards; loganalysisat_private
> > > Cc: Tina Bird; Marcus J. Ranum;
> probertsat_private; Ben Laurie; Eric
> > Fitzgerald
> > > Subject: RE: [logs] RE: NT Event Log and Web
> Server Attacks
> > 
> > > I just think that due to the obscurity of the
> > > EventLog, particularly on NT and 2K platforms,
> this
> > > can be a bit more trouble than it's worth.
> > 
> > I would be very interested in hearing any
> suggestions on how to improve
> > the ability to analyze the Windows security log.
> I've explained why some
> > of the events seem to be "missing" information
> even though the
> > information is really in the log, and Microsoft's
> strategy moving
> > forward, but if you have other suggestions then I
> would be very open to
> > hearing them.
> 


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: Jason Haar: "[logs] How are people bringing DMZ syslog msgs into the central server?"
• Previous message: Nate Campi: "Re: [logs] swatchrc file"
• In reply to: Noah White: "RE: [logs] RE: NT Event Log and Web Server Attacks"
• Next in thread: Rainer Gerhards: "RE: [logs] RE: NT Event Log and Web Server Attacks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 09:40:59 PST