Re: [logs] Monitoring Windows Security Events

From: Andy Cuff [Talisker] (talisker@private)
Date: Thu Oct 02 2003 - 13:09:04 PDT

  • Next message: auto349979@private: "Re: [logs] Monitoring Windows Security Events"

    I built a page which lists all the HIDS that I know of. Some things to consider are:
    Is the numbercrunching carried out on the remote host as I suspect you'd be
    better off having it done at the central console, having installed loads of
    these the first thing the sys admin asks is what is the cpu overhead on the
    domain controller.
    Does the HIDS report everything and allow you to tune it or is it a case of
    only telling you what you want  to hear.  My preference is for the former,
    whilst the initial tuning can be tedious you end up with a more informative
    How easy is it to tune the false positives.
    Use the product in your environment as the quality varies considerably, some
    are terrible !
    Is it purely an event log manager or will it look for trends over time and
    different logs ?
    There are a number of hybrid and IPS solutions that will do what you are
    looking for and then more if you can afford it, spare the time and money to
    invest in one of these solutions.
    hope this helps
    take care
    Talisker Security Tools Directory
    ----- Original Message ----- 
    From: "Brian Anon" <brian_anon@private>
    To: <loganalysis@private>
    Sent: Thursday, October 02, 2003 2:01 PM
    Subject: [logs] Monitoring Windows Security Events
    > I would appreciate hearing how others monitor events in their Windows
    > security event logs in a large distributed network.
    > Specifically, I've got six Windows domains (totaling about 1500 servers
    > 6-8 domain controllers in each domain).  I need to begin monitoring
    > events on these domain controllers.
    > Considering that each domain controller generates about 100+ MB a day in
    > security event log, it's not really practical having someone manually
    > this on a weekly basis.
    > Any suggestions about what events to be looking for and acting on?
    > I'm now thinking that an automated host-based IDS may be the best option
    > monitor events in realtime.  Any recommendations?
    > Should we only be considering centralizing these events first so that they
    > can be correlated?  Any suggestions?
    > Brian
    > _________________________________________________________________
    > Protect your PC - get VirusScan Online
    > _______________________________________________
    > LogAnalysis mailing list
    > LogAnalysis@private
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Thu Oct 02 2003 - 16:04:02 PDT