On Thu, 2003-10-02 at 15:01, Brian Anon wrote:
> I would appreciate hearing how others monitor events in their Windows
> security event logs in a large distributed network.
>
> Specifically, I've got six Windows domains (totaling about 1500 servers and
> 6-8 domain controllers in each domain). I need to begin monitoring security
> events on these domain controllers.
>
> Considering that each domain controller generates about 100+ MB a day in the
> security event log, it's not really practical having someone manually review
> this on a weekly basis.
>
> Any suggestions about what events to be looking for and acting on?

Probably not up-to-the-point - but eventually helpful...

On http://www.monitorware.com/Common/en/SecurityReference/ there are a number
of papers/descriptions of what can be done. The work in progress section could
also be interesting.

The first two articles here http://www.monitorware.com/en/Articles/ may also
help you in building some idea...

> I'm now thinking that an automated host-based IDS may be the best option to
> monitor events in realtime. Any recommendations?
>
> Should we only be considering centralizing these events first so that they
> can be correlated? Any suggestions?

I am strongly of the opinion that this should be done. With consolidation, you
can generate reports that help you detect issues. Here are some sample reports
we do:

http://www.mwconsole.com/en/Product/reports.asp

I would especially look into the first one.

Again, these reports may not be an instant hit - but I thought it is better to
provide some brain-food than not ;)

Rainer
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
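The reply's point about consolidation (reports over the combined logs of all domain controllers catch what a per-DC review misses) is illustrated by the following added example, which is not from the thread, from Rainer, or from the MonitorWare products mentioned. It assumes the security logs from several DCs have already been exported to a central collector as CSV rows with the fields dc, timestamp, event_id, account and source (an assumed layout); the rows embedded below are constructed. The event IDs 528 (successful logon) and 529 (logon failure) are the Windows 2000/2003 security log numbering in use at the time of the thread.

```python
"""Consolidated report over Windows security events exported from several DCs.

Added example for the LogAnalysis thread above; the export format and the
sample rows are constructed, not taken from any real collector.
"""
from collections import defaultdict
import csv
import io

# Windows 2000/2003 (pre-Vista) security log event IDs.
LOGON_SUCCESS = 528   # Successful logon
LOGON_FAILURE = 529   # Logon failure: unknown user name or bad password

# Constructed sample export: one row per event, as a central collector might
# store it. The four jdoe failures are spread over three DCs on purpose.
SAMPLE_EXPORT = """\
dc,timestamp,event_id,account,source
DC01,2003-10-02T14:01:05,529,jdoe,10.1.2.3
DC02,2003-10-02T14:01:09,529,jdoe,10.1.2.3
DC03,2003-10-02T14:01:14,529,jdoe,10.1.2.3
DC01,2003-10-02T14:01:20,529,jdoe,10.1.2.3
DC02,2003-10-02T14:01:31,528,jdoe,10.1.2.3
DC01,2003-10-02T14:05:00,529,asmith,10.1.5.7
DC01,2003-10-02T14:06:00,528,asmith,10.1.5.7
DC02,2003-10-02T14:10:00,528,svc_backup,10.1.9.9
DC03,2003-10-02T14:11:00,529,admin,10.1.2.3
"""


def parse_export(text):
    """Parse the CSV export and order events by time across all DCs."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["event_id"] = int(row["event_id"])
    # Interleave events from different DCs in their real order.
    return sorted(rows, key=lambda r: r["timestamp"])


def failed_logons_by_account(records):
    """Total logon failures per account over every DC."""
    counts = defaultdict(int)
    for r in records:
        if r["event_id"] == LOGON_FAILURE:
            counts[r["account"]] += 1
    return dict(counts)


def per_dc_failed_logons(records, account):
    """Failures for one account broken down by DC; this is all a per-DC
    reviewer would see, and each slice looks harmless on its own."""
    counts = defaultdict(int)
    for r in records:
        if r["event_id"] == LOGON_FAILURE and r["account"] == account:
            counts[r["dc"]] += 1
    return dict(counts)


def failures_then_success(records, min_failures=3):
    """Accounts with at least min_failures failures in a row (on any DC)
    followed by a successful logon: a pattern worth a closer look."""
    streak = defaultdict(int)
    flagged = []
    for r in records:
        acct = r["account"]
        if r["event_id"] == LOGON_FAILURE:
            streak[acct] += 1
        elif r["event_id"] == LOGON_SUCCESS:
            if streak[acct] >= min_failures and acct not in flagged:
                flagged.append(acct)
            streak[acct] = 0
    return flagged


def sources_probing_multiple_accounts(records):
    """Source addresses whose failures touch more than one account; only
    visible once events are correlated by source rather than by account."""
    accounts_by_source = defaultdict(set)
    for r in records:
        if r["event_id"] == LOGON_FAILURE:
            accounts_by_source[r["source"]].add(r["account"])
    return {src: sorted(accts) for src, accts in accounts_by_source.items()
            if len(accts) > 1}


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("failed logons by account:", failed_logons_by_account(recs))
    print("jdoe failures per DC:", per_dc_failed_logons(recs, "jdoe"))
    print("failures then success:", failures_then_success(recs))
    print("sources probing several accounts:",
          sources_probing_multiple_accounts(recs))
```

Run stand-alone it prints the four report sections; the useful contrast is between `per_dc_failed_logons` (one or two failures per DC, the kind of thing a weekly manual review would skip) and `failed_logons_by_account` and `failures_then_success`, which only see the pattern because the DC logs were merged and time-ordered first.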
This archive was generated by hypermail 2b30 : Thu Oct 02 2003 - 15:59:48 PDT