Re: [logs] Monitoring Windows Security Events

From: auto349979@private
Date: Thu Oct 02 2003 - 13:58:21 PDT


    Has anyone looked into preventing the modification (or just notification
    of possible unauthorized modifications) of Windows event logs?

    On Thu, 02 Oct 2003 06:01:51 -0700 Brian Anon <brian_anon@private> wrote:
    >I would appreciate hearing how others monitor events in their Windows
    >security event logs in a large distributed network.
    >Specifically, I've got six Windows domains (totaling about 1500 servers
    >and 6-8 domain controllers in each domain).  I need to begin monitoring
    >events on these domain controllers.
    >Considering that each domain controller generates about 100+ MB a day
    >in the security event log, it's not really practical having someone
    >manually this on a weekly basis.
    >Any suggestions about what events to be looking for and acting on?
    >I'm now thinking that an automated host-based IDS may be the best
    >option to monitor events in realtime.  Any recommendations?
    >Should we only be considering centralizing these events first so that
    >they can be correlated?  Any suggestions?

    This archive was generated by hypermail 2b30 : Thu Oct 02 2003 - 16:05:43 PDT