RE: [logs] RE: NT Event Log and Web Server Attacks

From: Eric Fitzgerald (ericfat_private)
Date: Mon Jan 20 2003 - 11:43:36 PST


    Hi Noah,
    
    That's a little beyond the scope of what I can do- I only own the
    security log.  We have several hundred component owners in Windows and
    they each own the event logging for their own component.  That is why
    you see such variation in the Application and System logs.  The
    Security, Active Directory, FRS, and DNS teams each own their own log
    and have a responsible individual on each of those teams, so those are
    more consistent.  I will pass on your request to the Resource Kit team
    (they do this sort of documentation) and to the management team here in
    Windows.
    
    Eric
    
    -----Original Message-----
    From: Noah White [mailto:nwhiteat_private] 
    Sent: Sunday, January 19, 2003 8:58 AM
    To: Eric Fitzgerald; H C; Rainer Gerhards; loganalysisat_private
    Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie
    Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    
    
    
    One suggestion which comes to mind would be to make available a full
    accounting of all Windows/Microsoft produced event IDs, their sources,
    what they mean etc.
    
    I have found a nice document on the security log and security event ids,
    however it has been impossible to find this information for other event
    logs (Directory Services, File Replication, DNS, etc.).  In particular, in
    the case of Active Directory, one is publicly unavailable.
    
    ---
    Noah White
    mailto://<nwhiteat_private>
    SilverBack Technologies Inc.		http://www.silverbacktech.com
    
    
    > -----Original Message-----
    > From: Eric Fitzgerald [mailto:ericfat_private]
    > Sent: Friday, January 17, 2003 3:00 PM
    > To: H C; Rainer Gerhards; loganalysisat_private
    > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie
    > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    > 
    > > -----Original Message-----
    > > From: H C [mailto:keydet89at_private]
    > > Sent: Friday, January 17, 2003 11:27 AM
    > > To: Rainer Gerhards; loganalysisat_private
    > > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie; Eric Fitzgerald
    > > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    > 
    > > I just think that due to the obscurity of the
    > > EventLog, particularly on NT and 2K platforms, this
    > > can be a bit more trouble than it's worth.
    > 
    > I would be very interested in hearing any suggestions on how to
    > improve the ability to analyze the Windows security log. I've
    > explained why some of the events seem to be "missing" information even
    > though the information is really in the log, and Microsoft's strategy
    > moving forward, but if you have other suggestions then I would be very
    > open to hearing them.
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 14:17:37 PST