Andy,

> In my opinion the most sure-fire way of protecting
> your logs is to take them
> off the host in question at short intervals, then
> hopefully they won't be
> there for the attacker to alter/delete.

Rather than "hoping", one might use a syslog agent that sends out the newly created Event Log entries as they are created. Many of the agents do use "short intervals", but as you say, if someone gains access the first thing they might do is delete the logs. If entries are removed from the system as they are created, using the publicly available Microsoft API, then it's far less likely that an attacker (even an automated script) would have time to delete those logs.

HTH,

Harlan

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
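As an added illustration (not code from the thread or from any agent Harlan refers to), here is the core of the approach he describes: each new Event Log record is turned into a syslog message and sent off-host the moment it is read, and the highest record number shipped is remembered so a re-read of the log never forwards an entry twice. The records are constructed sample data; on Windows the source would be the Event Log API, which is assumed rather than shown, as are the hostname and the collector address.

```python
import socket
from dataclasses import dataclass
from typing import Iterable, List

FACILITY_LOCAL0 = 16  # syslog facility chosen for forwarded Windows events

# Windows EVENTLOG_* type values -> syslog severities (RFC 3164):
# 1 error->err, 2 warning->warning, 4 info->info, 8 audit ok->info, 16 audit fail->warning
SEVERITY_BY_TYPE = {1: 3, 2: 4, 4: 6, 8: 6, 16: 4}


@dataclass
class EventRecord:
    record_number: int  # increases per log; the Event Log API returns it with each record
    timestamp: str      # already in syslog "Mmm dd hh:mm:ss" form for brevity
    source: str
    event_id: int
    event_type: int
    message: str


def to_syslog(host: str, rec: EventRecord) -> str:
    """Format one record as an RFC 3164 line: <PRI>TIMESTAMP HOST TAG: MSG."""
    severity = SEVERITY_BY_TYPE.get(rec.event_type, 5)  # unknown type -> notice
    pri = FACILITY_LOCAL0 * 8 + severity
    return f"<{pri}>{rec.timestamp} {host} {rec.source}[{rec.event_id}]: {rec.message}"


class Forwarder:
    """Ships every record off-host as soon as it is read; remembers the last record
    number sent so re-reading the log after a restart does not resend old entries."""

    def __init__(self, host: str, collector=("192.0.2.10", 514), sock=None):
        self.host, self.collector, self.last_record = host, collector, 0
        self.sock = sock if sock is not None else socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def forward_new(self, records: Iterable[EventRecord]) -> List[str]:
        sent = []
        for rec in records:
            if rec.record_number <= self.last_record:
                continue  # already shipped
            line = to_syslog(self.host, rec)
            self.sock.sendto(line.encode(), self.collector)  # leaves the host immediately
            self.last_record = rec.record_number
            sent.append(line)
        return sent


# Constructed sample records standing in for what the Event Log API would return.
SAMPLE_RECORDS = [
    EventRecord(101, "Oct  6 15:13:40", "Security", 528, 8, "Successful Logon: user=andy"),
    EventRecord(102, "Oct  6 15:13:45", "Security", 529, 16, "Logon Failure: user=administrator"),
    EventRecord(103, "Oct  6 15:13:47", "Security", 517, 8, "The audit log was cleared"),
]

if __name__ == "__main__":
    for line in Forwarder("WKS01").forward_new(SAMPLE_RECORDS):  # hostname/collector assumed
        print(line)
```

The third sample record is the case the thread is about: the "audit log was cleared" entry still reaches the collector because it was sent before anything on the host could remove it.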
This archive was generated by hypermail 2b30 : Mon Oct 06 2003 - 15:13:47 PDT