Re: [logs] Monitoring Windows Security Events

From: Harlan Carvey (keydet89@private)
Date: Mon Oct 06 2003 - 12:44:22 PDT


    Andy,
    
    > In my opinion the most sure fire way of protecting
    > your logs is to take them
    > off the host in question at short intervals, then
    > hopefully they won't be
    > there for the attacker to alter/delete. 
    
    Rather than "hoping", one might use a syslog agent
    that sends out the newly created Event Log entries as
    they are created.  Many of the agents do use "short
    intervals", but as you say, if someone gains access
    the first thing they might do is delete the logs.  If
    entries are removed from the system as they are
    created, using the publicly available Microsoft API,
    then it's far less likely that an attacker (even an
    automated script) would have time to delete those
    logs.
    
    HTH,
    
    Harlan
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
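    The approach Harlan describes, shipping each Event Log record off the
    host at the moment it is written rather than on a polling interval, as
    an added example that is not part of the original post or of any agent
    it refers to. It uses the .NET EventLogWatcher from
    System.Diagnostics.Eventing.Reader (Windows Vista / Server 2008 and
    later), which raises EventRecordWritten per record, rather than the
    older Win32 ReadEventLog/NotifyChangeEventLog API the 2003 post most
    likely had in mind, and emits one RFC 3164 syslog datagram per record.
    The collector address 192.0.2.10 and port 514 are placeholders; the
    script must run elevated to read the Security log.

    ```powershell
    # Added example: forward Security log entries as they are written,
    # one RFC 3164 syslog datagram per record over UDP.
    # Collector address/port below are assumptions for illustration.
    param(
        [string]$Collector = '192.0.2.10',
        [int]$Port = 514,
        [string]$LogName = 'Security'
    )

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Connect($Collector, $Port)

    $query   = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
                   $LogName, [System.Diagnostics.Eventing.Reader.PathType]::LogName)
    $watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)

    # The -Action block runs in its own scope, so the socket and host name are
    # handed over via -MessageData instead of being read from script scope.
    $ctx = @{ Udp = $udp; Host = $env:COMPUTERNAME }

    $job = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
        -MessageData $ctx -Action {
            $rec = $Event.SourceEventArgs.EventRecord
            if ($null -eq $rec) { return }   # EventException set, nothing to ship

            # Facility 13 = log audit. Severity 5 (notice) for audit success,
            # 4 (warning) when the Audit Failure keyword (0x10000000000000) is set.
            $severity = 5
            if ($rec.Keywords -band 0x10000000000000) { $severity = 4 }
            $pri = 13 * 8 + $severity

            # RFC 3164 timestamp: "Mmm dd HH:mm:ss" with a space-padded day.
            $t  = $rec.TimeCreated
            $ts = '{0} {1,2} {2}' -f $t.ToString('MMM'), $t.Day, $t.ToString('HH:mm:ss')

            $msg = try { $rec.FormatDescription() } catch { $null }
            if (-not $msg) { $msg = '(no description available)' }
            $msg = ($msg -replace '\s+', ' ').Trim()   # one line per datagram

            $line  = "<$pri>$ts $($Event.MessageData.Host) $($rec.ProviderName)[$($rec.Id)]: $msg"
            $bytes = [System.Text.Encoding]::UTF8.GetBytes($line)
            [void]$Event.MessageData.Udp.Send($bytes, $bytes.Length)
        }

    $watcher.Enabled = $true
    Write-Host "Forwarding '$LogName' to ${Collector}:${Port}; Ctrl-C to stop."
    try {
        while ($true) { Start-Sleep -Seconds 1 }   # keep the watcher alive
    }
    finally {
        $watcher.Enabled = $false
        Unregister-Event -SourceIdentifier $job.Name
        $udp.Close()
    }
    ```

    Two caveats a practitioner would want alongside this. Syslog over UDP
    gives no delivery guarantee, so a dropped datagram is a lost record;
    TCP or TLS syslog is the usual fix. And forwarding as records are
    written only closes the window Harlan describes, the gap between an
    entry being logged and the attacker clearing the log; an intruder who
    already holds administrative rights can stop the forwarder itself, so
    the collector should alert on a host that goes quiet.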
    



    This archive was generated by hypermail 2b30 : Mon Oct 06 2003 - 15:13:47 PDT