RE: [logs] RE: NT Event Log and Web Server Attacks

From: Paul D. Robertson (probertsat_private)
Date: Mon Jan 20 2003 - 12:26:10 PST


    On Mon, 20 Jan 2003, Eric Fitzgerald wrote:
    
    > This is a really interesting idea- the ability to pivot audit data
    > around other criteria besides time.
    
    Again, I think it's really useful to look at admin questions as a good 
    criterion, but we still need timestamped paths for forensics.  I'd 
    encourage you to keep the raw format in timestamp order, just so it makes 
    presentation easier in legal situations.
    
    > I think that the main problem is that Event Viewer was never designed
    > for correlation or advanced querying, which need to be built-in
    > functions when dealing with large data sets that change rapidly.
    > Hopefully we'll resolve that in our next release of Windows; we are
    > aware of that problem.
    
    We've been doing a fair amount of correlation and log sawing over the 
    last two years.  If there are any specific things you'd like input about, 
    I'd be happy to oblige ;)
    
    > For a single machine, using an object-based view for analysis is already
    > possible with only a little work: use the EventQuery.vbs tool on Windows
    > XP or Windows Server 2003 to dump the events to a csv file, then import
    > into Excel. Excel has a feature called "autofilter" which greatly
    > simplifies querying the log, as well as PivotTable and PivotChart
    > functionality. I will occasionally chart audit data to see trending- for
    > instance a few weeks ago I used this method to analyze logon traffic to
    > our domain controllers in one of our development domains.
    
    Do you have any specific non-standard things turned on for auditing 
    purposes?  I'm really chomping at the bit to get folks to set up more 
    forensics-friendly environments- part of that includes what sort of 
    logging things should be preemptively configured (for instance, Apache 
    servers are much better for doing incident analysis when combined logging 
    is on because referrers are important for a lot of attacks against Web 
    servers...)
    
    > We have something up our sleeve but I don't want to over-promise &
    > under-deliver.  Look for a significant audit collection and analysis
    > tool from us this summer, and a completely replaced event log service
    > with some really neat analysis capabilities in the next version of
    > Windows.
    
    Will the new service make it easy to drop in new transports?    
    
    Thanks,
    
    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson      "My statements in this message are personal opinions
    probertsat_private      which may have no basis whatsoever in fact."
    probertsonat_private Director of Risk Assessment TruSecure Corporation
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
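The two views discussed in this thread, a raw timestamp-ordered record for forensics and an object-based pivot of the same audit data, as an added example that is not part of the original messages. It assumes an EventQuery.vbs-style CSV export with the columns shown; that column layout and the sample rows are constructed for the example, not a documented format.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample in the rough shape of an EventQuery.vbs CSV dump.
# The column layout is an assumption for this example; adjust to your export.
SAMPLE_CSV = """\
Type,Event,Date Time,Source,ComputerName,Category,User,Description
Audit Success,528,1/20/2003 9:02:11 AM,Security,DC1,Logon/Logoff,CORP\\alice,Successful Logon
Audit Failure,529,1/20/2003 9:05:43 AM,Security,DC1,Logon/Logoff,CORP\\bob,Logon Failure: bad password
Audit Failure,529,1/20/2003 9:01:05 AM,Security,DC1,Logon/Logoff,CORP\\bob,Logon Failure: bad password
Audit Success,528,1/20/2003 9:06:00 AM,Security,DC1,Logon/Logoff,CORP\\bob,Successful Logon
Audit Success,538,1/20/2003 9:30:12 AM,Security,DC1,Logon/Logoff,CORP\\alice,User Logoff
"""


def load_events(text):
    """Parse the CSV and return rows sorted by timestamp: the raw,
    forensics-friendly record that every other view is derived from."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.strptime(row["Date Time"], "%m/%d/%Y %I:%M:%S %p")
    return sorted(rows, key=lambda r: r["ts"])


def pivot_by_user(events):
    """Object-based view: count events per (user, event id), the same
    shape an Excel PivotTable gives when the CSV is imported."""
    return Counter((row["User"], row["Event"]) for row in events)


def user_timeline(events, user):
    """Timestamped path for one principal, kept in time order so it can
    be presented as-is when reconstructing an incident."""
    return [(row["ts"].isoformat(), row["Event"], row["Type"])
            for row in events if row["User"] == user]


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    for (user, event_id), count in sorted(pivot_by_user(events).items()):
        print(f"{user:<12} event {event_id}: {count}")
    for entry in user_timeline(events, "CORP\\bob"):
        print(entry)
```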
    



    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 14:08:20 PST