RE: [logs] RE: NT Event Log and Web Server Attacks

From: Eric Fitzgerald (ericfat_private)
Date: Mon Jan 20 2003 - 10:40:06 PST

  • Next message: Frank O'Dwyer: "RE: [logs] RE: NT Event Log and Web Server Attacks"

    Thanks Paul!
    This is a really interesting idea- the ability to pivot audit data
    around other criteria besides time.
    I think that the main problem is that Event Viewer was never designed
    for correlation or advanced querying, which need to be built-in
    functions when dealing with large data sets that change rapidly.
    Hopefully we'll resolve that in our next release of Windows; we are
    aware of that problem.
    For a single machine, using an object-based view for analysis is already
    possible with only a little work: use the EventQuery.vbs tool on Windows
    XP or Windows Server 2003 to dump the events to a csv file, then import
    into Excel. Excel has a feature called "autofilter" which greatly
    simplifies querying the log, as well as PivotTable and PivotChart
    functionality. I will occasionally chart audit data to see trending- for
    instance a few weeks ago I used this method to analyze logon traffic to
    our domain controllers in one of our development domains.
    We have something up our sleeve but I don't want to over-promise &
    under-deliver.  Look for a significant audit collection and analysis
    tool from us this summer, and a completely replaced event log service
    with some really neat analysis capabilities in the next version of
    -----Original Message-----
    From: Paul D. Robertson [mailto:probertsat_private] 
    Sent: Friday, January 17, 2003 6:55 PM
    To: Eric Fitzgerald
    Cc: H C; Rainer Gerhards; loganalysisat_private; Tina Bird; Marcus
    J. Ranum; Ben Laurie
    Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    On Fri, 17 Jan 2003, Eric Fitzgerald wrote:
    > I would be very interested in hearing any suggestions on how to 
    > improve the ability to analyze the Windows security log. I've 
    > explained why some of the events seem to be "missing" information even
    > though the information is really in the log, and Microsoft's strategy 
    > moving forward, but if you have other suggestions then I would be very
    > open to hearing them.
    Hi Eric,
    I received this response from another person at our company- 
    In response to request for suggestions regarding auditing;
    Windows auditing should be tree oriented around objects known to
    Administrators, rather than time oriented as it is now (or the views
    should be switchable). Typically you reach a point in auditing where you
    want to track a user, machine, process, or other tangible object.
    Tracking by event ID, or time, is not appropriate at that point. Same is
    true in System logs (and other event logs). The biggest struggle with MS
    event logs has been digesting the information and knowing what you are
    trying to track. Tracking by known objects should make the process more
    So, for example, what did userX do since their next to last log off?
    What has been done on this machine? What has IIS been doing since it was
    last restarted? That sort of scenario. ===
    I'll add my two cents, which is that the time-oriented view is _crucial_
    to forensics, so "rather than" isn't realistic, but "as well as" would 
    work quite nicely.  Personally, I don't overly mind doing correlation 
    (heck, that's half the value of doing the forensics well) as long as 
    there's a good key to go off of.  But I think the above point is valid, 
    and should have at least some level of thought- even if it's weird, like
    something along the lines of per-object logging options for some events 
    (like "I want to audit users, give me per-user logs" or "I want to audit
    tbird, shove that stuff over there, as well as here in the event log 
    in traditional format....") 
    I think "You can switch on this slower, but object/target/subject stuff
    if you want" kind of thing might be a good idea given the level of
    we've seen of late running single-purpose systems like Web servers.  
    Anyway, I wanted to throw it out there as a thought and see if you had 
    some comments on views of log events in formats that those of us doing a
    lot of log processing don't tend to think of- the sorts of questions 
    normal admis have that relate to logged events (I spend way too much
    reading log tea leaves to diagnose attacks and malice to think much
    normal daily adminish stuff.)
    Paul D. Robertson      "My statements in this message are personal
    probertsat_private      which may have no basis whatsoever in fact."
    probertsonat_private Director of Risk Assessment TruSecure
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 10:47:14 PST