I would appreciate hearing how others monitor events in their Windows security event logs in a large distributed network. Specifically, I've got six Windows domains (totaling about 1500 servers and 6-8 domain controllers in each domain). I need to begin monitoring security events on these domain controllers. Considering that each domain controller generates about 100+ MB a day in the security event log, it's not really practical to have someone manually review this on a weekly basis.

Any suggestions about what events to be looking for and acting on? I'm now thinking that an automated host-based IDS may be the best option to monitor events in real time. Any recommendations? Should we only be considering centralizing these events first so that they can be correlated? Any suggestions?

Brian

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
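The question above asks which security events to act on and whether the logs should be centralized before correlation. The following is an added example, not code from the original post or from anyone on the list, showing why central collection matters: the same logon failures, read per domain controller, never cross an alerting threshold, but once the events from all DCs in the domain sit in one place a password-guessing burst against one account is obvious. The record layout (timestamp|dc|event_id|account|source) is an assumption standing in for whatever a collector normalizes the security log into, and the sample records are constructed for this example. The event IDs are the Windows 2000/2003 security-log IDs (528 successful logon, 529 failed logon, 644 account locked out, 517 audit log cleared, 612 audit policy changed).

```python
"""
Correlate Windows security-log events pulled from several domain controllers.

Added example, not from the original post. The pipe-separated record format
and the sample records below are constructed for illustration; a real
collector (syslog forwarder, agent, scheduled export) would produce its own
layout. Event IDs are the Windows 2000/2003 security-log IDs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: what a central store might hold after pulling the
# security log from three DCs in one domain. ts|dc|event_id|account|source
SAMPLE_EVENTS = """\
2003-10-01 08:00:05|DC1|528|jsmith|WKS-101
2003-10-01 08:01:10|DC1|529|svc_backup|10.1.5.20
2003-10-01 08:01:12|DC2|529|svc_backup|10.1.5.20
2003-10-01 08:01:15|DC3|529|svc_backup|10.1.5.20
2003-10-01 08:01:17|DC1|529|svc_backup|10.1.5.20
2003-10-01 08:01:20|DC2|529|svc_backup|10.1.5.20
2003-10-01 08:01:22|DC3|529|svc_backup|10.1.5.20
2003-10-01 08:01:24|DC2|644|svc_backup|10.1.5.20
2003-10-01 09:30:00|DC3|517|administrator|DC3
2003-10-01 09:30:40|DC3|612|administrator|DC3
2003-10-01 11:00:00|DC1|529|jsmith|WKS-101
2003-10-01 15:00:00|DC2|529|jsmith|WKS-101
"""

# Events worth an alert on their own, regardless of volume.
HIGH_PRIORITY = {
    517: "audit log cleared",
    612: "audit policy changed",
    644: "account locked out",
}


def parse_events(text):
    """Parse the constructed record format into dicts, one per event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dc, event_id, account, source = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "dc": dc,
            "event_id": int(event_id),
            "account": account,
            "source": source,
        })
    return events


def events_from_dc(events, dc):
    """The view a reviewer gets when reading one DC's log in isolation."""
    return [e for e in events if e["dc"] == dc]


def high_priority_events(events):
    """Single events that should page someone: log cleared, policy changed, lockout."""
    return [
        (e["ts"], e["dc"], e["event_id"], HIGH_PRIORITY[e["event_id"]], e["account"])
        for e in sorted(events, key=lambda e: e["ts"])
        if e["event_id"] in HIGH_PRIORITY
    ]


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window count of 529 (failed logon) per account across all DCs.

    Returns one alert per account whose densest window holds >= threshold
    failures, with the set of DCs that saw them.
    """
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] == 529:
            by_account[e["account"]].append(e)

    alerts = []
    for account, fails in by_account.items():
        best, start = None, 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "account": account,
                    "count": count,
                    "dcs": sorted({f["dc"] for f in fails[start:end + 1]}),
                    "first": fails[start]["ts"],
                    "last": fails[end]["ts"],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for dc in ("DC1", "DC2", "DC3"):
        print(dc, "alone:", failed_logon_bursts(events_from_dc(events, dc)))
    print("all DCs:", failed_logon_bursts(events))
    print("high priority:", high_priority_events(events))
```

Run on the sample, each DC by itself shows at most two failures for svc_backup and raises nothing; the merged stream shows six failures in twelve seconds spread across all three DCs, followed by the 644 lockout. The 517 and 612 events on DC3 are flagged on sight, since an audit log being cleared or the audit policy being changed is rare enough that volume is irrelevant.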
This archive was generated by hypermail 2b30 : Thu Oct 02 2003 - 06:45:54 PDT