Hi,

I built a page which lists all the HIDS that I know of:
http://www.securitywizardry.com/HIDS.htm

Some things to consider are:

Is the number crunching carried out on the remote host? I suspect you'd be better off having it done at the central console; having installed loads of these, the first thing the sys admin asks is what the CPU overhead on the domain controller is.

Does the HIDS report everything and allow you to tune it, or is it a case of only telling you what you want to hear? My preference is for the former; whilst the initial tuning can be tedious, you end up with a more informative product.

How easy is it to tune the false positives? Use the product in your environment, as the quality varies considerably; some are terrible!

Is it purely an event log manager, or will it look for trends over time and across different logs?

There are a number of hybrid and IPS solutions that will do what you are looking for and then more; if you can afford it, spare the time and money to invest in one of these solutions.

Hope this helps, take care

-andy
Talisker Security Tools Directory
http://www.securitywizardry.com

----- Original Message -----
From: "Brian Anon" <brian_anon@private>
To: <loganalysis@private>
Sent: Thursday, October 02, 2003 2:01 PM
Subject: [logs] Monitoring Windows Security Events

> I would appreciate hearing how others monitor events in their Windows
> security event logs in a large distributed network.
>
> Specifically, I've got six Windows domains (totaling about 1500 servers and
> 6-8 domain controllers in each domain). I need to begin monitoring security
> events on these domain controllers.
>
> Considering that each domain controller generates about 100+ MB a day in the
> security event log, it's not really practical having someone manually review
> this on a weekly basis.
>
> Any suggestions about what events to be looking for and acting on?
>
> I'm now thinking that an automated host-based IDS may be the best option to
> monitor events in realtime. Any recommendations?
>
> Should we only be considering centralizing these events first so that they
> can be correlated? Any suggestions?
>
> Brian

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
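The two points the thread raises, doing the correlation at a central console rather than on each domain controller and tuning false positives by suppressing reviewed noise instead of discarding events, as an added example that is not part of the original post. The domain controller names, account names and event records below are constructed sample data; the threshold and window values are assumptions a practitioner would tune.

```python
# Added example, not from the original post; all records are constructed. Event
# ID 529 is the Windows 2000/2003 "Logon Failure" event, 528 a successful logon.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # (timestamp, domain controller, event id, account)
    ("2003-10-02 09:15:00", "DC1", 529, "jsmith"),  # hours earlier: outside window
    ("2003-10-02 13:00:05", "DC1", 529, "jsmith"),
    ("2003-10-02 13:01:10", "DC2", 529, "jsmith"),
    ("2003-10-02 13:02:30", "DC3", 529, "jsmith"),
    ("2003-10-02 13:04:00", "DC1", 529, "jsmith"),
    ("2003-10-02 13:05:45", "DC2", 529, "jsmith"),
    ("2003-10-02 13:08:00", "DC1", 528, "jsmith"),  # success: not a failure
    ("2003-10-02 13:00:00", "DC1", 529, "svc-backup"),
    ("2003-10-02 13:00:30", "DC1", 529, "svc-backup"),
    ("2003-10-02 13:01:00", "DC1", 529, "svc-backup"),
    ("2003-10-02 13:01:30", "DC1", 529, "svc-backup"),
]

# Tuning knobs: nothing is dropped at the source; the admin reviews the noisy
# cases and suppresses them here, where the rule stays visible and adjustable.
SUPPRESSED_ACCOUNTS = {"svc-backup"}  # e.g. a service with a stale password
THRESHOLD = 4                         # failures inside one window to alert
WINDOW = timedelta(minutes=10)

def _parse(rec):
    return (datetime.strptime(rec[0], "%Y-%m-%d %H:%M:%S"), *rec[1:])

def per_dc_failures(events):
    """What each DC sees on its own: {(dc, account): failed-logon count}."""
    return Counter((dc, a) for _, dc, eid, a in map(_parse, events) if eid == 529)

def failed_logon_bursts(events, threshold=THRESHOLD, window=WINDOW,
                        suppressed=SUPPRESSED_ACCOUNTS):
    """Across all DCs: {account: (peak failures in a window, DCs involved)}."""
    by_acct = defaultdict(list)
    for ts, dc, eid, acct in map(_parse, events):
        if eid == 529 and acct not in suppressed:
            by_acct[acct].append((ts, dc))
    alerts = {}
    for acct, evs in by_acct.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(acct, (0, None))[0]:
                alerts[acct] = (count, {dc for _, dc in evs[start:end + 1]})
    return alerts
```

With the sample data no single DC sees more than three failures for jsmith, so a per-host rule stays silent while the central view reaches five across three DCs; the suppressed service account is still counted in the per-DC view, so the tuning decision remains auditable.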
This archive was generated by hypermail 2b30 : Thu Oct 02 2003 - 16:04:02 PDT