[logs] Monitoring Windows Security Events

From: Brian Anon (brian_anon@private)
Date: Thu Oct 02 2003 - 06:01:51 PDT

    I would appreciate hearing how others monitor events in their Windows 
    security event logs in a large distributed network.
    
    Specifically, I've got six Windows domains (totaling about 1500 servers and 
    6-8 domain controllers in each domain).  I need to begin monitoring security 
    events on these domain controllers.
    
    Considering that each domain controller generates about 100+ MB a day in the 
    security event log, it's not really practical having someone manually review 
    this on a weekly basis.
    
    Any suggestions about what events to be looking for and acting on?
    
    I'm now thinking that an automated host-based IDS may be the best option to 
    monitor events in realtime.  Any recommendations?
    
    Should we only be considering centralizing these events first so that they 
    can be correlated?  Any suggestions?
    
    Brian
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
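One way to approach the two questions in the post above (which events are worth acting on, and what centralising them buys you), as an added example that is not part of the original message or any list member's reply: a small correlator that takes security events already pulled from several domain controllers into one place, raises an alert for each single event on a watchlist, and raises a second kind of alert only when failed logons for one account, counted across all the DCs together, exceed a threshold inside a time window. The event IDs used are the classic NT/2000/2003 security log IDs (517 audit log cleared, 529 logon failure, 624 account created, 632/636 member added to a group); the record layout, the threshold, the window and the sample events are assumptions constructed for this demonstration.

```python
"""Correlate Windows security events centralised from several domain
controllers and pick out the ones that merit a human's attention.

Added example, not from the original mailing-list post. The record
layout, threshold and sample data are constructed; the event IDs are the
classic pre-Vista Windows security log IDs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Events a defender typically acts on individually (classic NT/2000/2003 IDs).
WATCHLIST = {
    517: "audit log cleared",
    529: "logon failure: bad user name or password",
    624: "user account created",
    632: "member added to global group",
    636: "member added to local group",
}

FAILED_LOGON = 529
FAILURE_THRESHOLD = 5                    # failures per account, all DCs combined...
FAILURE_WINDOW = timedelta(minutes=10)   # ...inside this sliding window (assumed values)

# Constructed sample: one normalised record per event, as a collector might
# produce after pulling the security log from each domain controller.
SAMPLE_EVENTS = [
    {"time": "2003-10-02 06:01:00", "dc": "DC01", "event_id": 528, "user": "alice"},
    {"time": "2003-10-02 06:01:05", "dc": "DC01", "event_id": 529, "user": "bob"},
    {"time": "2003-10-02 06:02:10", "dc": "DC02", "event_id": 529, "user": "bob"},
    {"time": "2003-10-02 06:03:30", "dc": "DC01", "event_id": 529, "user": "bob"},
    {"time": "2003-10-02 06:04:00", "dc": "DC02", "event_id": 529, "user": "bob"},
    {"time": "2003-10-02 06:05:45", "dc": "DC01", "event_id": 529, "user": "bob"},
    {"time": "2003-10-02 06:06:00", "dc": "DC03", "event_id": 529, "user": "carol"},
    {"time": "2003-10-02 06:30:00", "dc": "DC03", "event_id": 529, "user": "carol"},
    {"time": "2003-10-02 06:40:00", "dc": "DC03", "event_id": 517, "user": "admin"},
    {"time": "2003-10-02 06:41:00", "dc": "DC02", "event_id": 632, "user": "admin"},
]


def parse_time(text):
    """Parse the collector's timestamp format (assumed 'YYYY-MM-DD HH:MM:SS')."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def single_event_alerts(events):
    """Return (time, dc, event_id, description, user) for every watchlist event
    that is worth an alert on its own. Failed logons are excluded here: one
    bad password is noise, so they are handled by correlate_failed_logons()."""
    return [
        (e["time"], e["dc"], e["event_id"], WATCHLIST[e["event_id"]], e["user"])
        for e in events
        if e["event_id"] in WATCHLIST and e["event_id"] != FAILED_LOGON
    ]


def correlate_failed_logons(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Group failed logons by account across all DCs and report accounts whose
    densest `window` contains at least `threshold` failures. This is the
    signal that only becomes visible once the logs are centralised: an
    attacker spreading attempts over several DCs stays under any per-DC
    threshold. Returns {user: {"count": n, "dcs": [...]}}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON:
            by_user[e["user"]].append((parse_time(e["time"]), e["dc"]))

    alerts = {}
    for user, attempts in by_user.items():
        attempts.sort()
        best, best_dcs, start = 0, set(), 0
        # Two-pointer sliding window over the time-sorted attempts.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best = count
                best_dcs = {dc for _, dc in attempts[start:end + 1]}
        if best >= threshold:
            alerts[user] = {"count": best, "dcs": sorted(best_dcs)}
    return alerts


if __name__ == "__main__":
    for alert in single_event_alerts(SAMPLE_EVENTS):
        print("ALERT single-event:", alert)
    for user, info in correlate_failed_logons(SAMPLE_EVENTS).items():
        print(f"ALERT failed logons: {user} {info['count']} failures across {info['dcs']}")
```

On the sample data, only "bob" trips the failed-logon rule: five failures in under five minutes, but split between DC01 and DC02 so that neither DC on its own would have shown more than three. "carol" has two failures 24 minutes apart and is ignored even with a threshold of two, because the window, not just the count, decides. The two single-event alerts (audit log cleared, member added to a global group) are the kind of thing a daily review of 100+ MB per DC would bury, which is the case for filtering to a short watchlist before anyone reads anything.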
    



    This archive was generated by hypermail 2b30 : Thu Oct 02 2003 - 06:45:54 PDT