Re: [logs] Monitoring Windows Security Events

From: Rainer Gerhards (rgerhards@private)
Date: Thu Oct 02 2003 - 08:03:44 PDT

  • Next message: John Campbell: "RE: [logs] Monitoring Windows Security Events"

    On Thu, 2003-10-02 at 15:01, Brian Anon wrote:
    > I would appreciate hearing how others monitor events in their Windows 
    > security event logs in a large distributed network.
    > 
    > Specifically, I've got six Windows domains (totaling about 1500 servers and 
    > 6-8 domain controllers in each domain).  I need to begin monitoring security 
    > events on these domain controllers.
    > 
    > Considering that each domain controller generates about 100+ MB a day in he 
    > security event log, it's not really practical having someone manually review 
    > this on a weekly basis.
    > 
    > Any suggestions about what events to be looking for and acting on?
    
    Probably not up-to-the-point - but eventually helpful... On
    
    http://www.monitorware.com/Common/en/SecurityReference/
    
    there are a number of papers/descriptions of what can be done. The work
    in progress section could also be interesting.
    
    The first two articles here
    
    http://www.monitorware.com/en/Articles/
    
    may also help you in building some idea...
    
    > 
    > I'm now thinking that an automated host-based IDS may be the best option to 
    > monitor events in realtime.  Any recommendations?
    > 
    > Should we only be considering centralizing these events first so that they 
    > can be correlated?  Any suggestions?
    
    I am strongly of the opinion that this should be done. With
    consolidation, you can generate reports that help you detect issues.
    Here are some sample reports we do:
    
    http://www.mwconsole.com/en/Product/reports.asp
    
    I would especially look into the first one. Again, this reports may not
    be an instant hit - but I thought it is better to provide some
    brain-food than not ;)
    
    Rainer
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Thu Oct 02 2003 - 15:59:48 PDT