Hi,

In my opinion, the most sure-fire way of protecting your logs is to take them off the host in question at short intervals; then hopefully they won't be there for the attacker to alter/delete. A quick scripted attack may get to the logs before transmission, depending on whether you send them instantly or save them up to send every few minutes. *nix always has a remote syslog server to alleviate the problem.

One difficulty that I ran into was a HIDS that copied the event logs rather than moving them; whilst this made log management a dream, the sys admins would cry foul when they had a fault and they couldn't see the logs.

take care

-andy
Talisker Security Tools Directory
http://www.securitywizardry.com

----- Original Message -----
From: <auto349979@private>
To: <loganalysis@private>
Sent: Thursday, October 02, 2003 9:58 PM
Subject: Re: [logs] Monitoring Windows Security Events

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Has anyone looked into preventing the modification (or just notification
> of possible unauthorized modifications) of Windows event logs?
>
> On Thu, 02 Oct 2003 06:01:51 -0700 Brian Anon <brian_anon@private> wrote:
> >I would appreciate hearing how others monitor events in their Windows
> >security event logs in a large distributed network.
> >
> >Specifically, I've got six Windows domains (totaling about 1500 servers and
> >6-8 domain controllers in each domain). I need to begin monitoring security
> >events on these domain controllers.
> >
> >Considering that each domain controller generates about 100+ MB a day in the
> >security event log, it's not really practical having someone manually review
> >this on a weekly basis.
> >
> >Any suggestions about what events to be looking for and acting on?
> >
> >I'm now thinking that an automated host-based IDS may be the best option to
> >monitor events in realtime. Any recommendations?
> >
> >Should we only be considering centralizing these events first so that they
> >can be correlated? Any suggestions?
> >
> >Brian
>
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.3
>
> wkYEARECAAYFAj98kW0ACgkQT30L5q3LVyjSqgCcCme5CKQtgbYyxCYBc4dAxIwdfoIA
> oKrOSJ6tsf/JmgE0BS4/lGSnpCPq
> =0k6v
> -----END PGP SIGNATURE-----

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Mon Oct 06 2003 - 12:00:26 PDT