On Mon, 20 Jan 2003, Eric Fitzgerald wrote:

> This is a really interesting idea- the ability to pivot audit data
> around other criteria besides time.

Again, I think it's really useful to look at admin questions as a good criterion, but we still need timestamped paths for forensics. I'd encourage you to keep the raw format in timestamp order, just so it makes presentation easier in legal situations.

> I think that the main problem is that Event Viewer was never designed
> for correlation or advanced querying, which need to be built-in
> functions when dealing with large data sets that change rapidly.
> Hopefully we'll resolve that in our next release of Windows; we are
> aware of that problem.

We've been doing a fair amount of correlation and log sawing over the last two years. If there are any specific things you'd like input about, I'd be happy to oblige ;)

> For a single machine, using an object-based view for analysis is already
> possible with only a little work: use the EventQuery.vbs tool on Windows
> XP or Windows Server 2003 to dump the events to a csv file, then import
> into Excel. Excel has a feature called "autofilter" which greatly
> simplifies querying the log, as well as PivotTable and PivotChart
> functionality. I will occasionally chart audit data to see trending- for
> instance a few weeks ago I used this method to analyze logon traffic to
> our domain controllers in one of our development domains.

Do you have any specific non-standard things turned on for auditing purposes? I'm really chomping at the bit to get folks to set up more forensics-friendly environments- part of that includes what sort of logging things should be preemptively configured (for instance, Apache servers are much better for doing incident analysis when combined logging is on because referrers are important for a lot of attacks against Web servers...)

> We have something up our sleeve but I don't want to over-promise &
> under-deliver. Look for a significant audit collection and analysis
> tool from us this summer, and a completely replaced event log service
> with some really neat analysis capabilities in the next version of
> Windows.

Will the new service make it easy to drop in new transports?

Thanks,
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private     which may have no basis whatsoever in fact."
probertsonat_private
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 14:08:20 PST