Re: Event log counts...

[Richard_Gardner () rge com]

Ryan

This is a SIM product that you are talking about. Security Information
Manager. Info Security Mag. November Issue just released a really good
article regarding this...
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss506_art1043,00.html


Take a look into CA also -
http://www3.ca.com/Solutions/SubSolution.asp?ID=4350

The main reason why I would point someone to a product like these, is the
deluge of information that you will have to wad through just to get
information that means anything to you. As far as your main question on how
many total log entries? that all depends on how your servers are set up to
log the information. If your Windows environment is setup in AD, you should
be able to just go back to your GPO for the servers and check to see what
is selected for the log activity and frequency. ie...what is being logged,
(failure and success) and how log are the logs kept or are they over
written.

If you don't decide to run with a product that will have templates for you
to chose from, I would head over to Technet and EventID. It will pay for
you to get a subscripting to EventID ....

With the SIM products that are out there....you can also funnel a lot of
your environment into that product...not just Windows log files.

Last note on this - tech republic has some parsing info for you too....
http://techrepublic.com.com/5100-6329-5034923.html

Good luck....
Rich



|---------+---------------------------->
|         |           Ryan Murphy      |
|         |           <RMurphy@irvineco|
|         |           mpany.com>       |
|         |                            |
|         |           12/14/2004 12:54 |
|         |           PM               |
|         |                            |
|---------+---------------------------->
  
> ---------------------------------------------------------------------------------------------------------------------------------------------|
  |                                                                                                                     
                        |
  |       To:       security-basics () securityfocus com                                                                
                           |
  |       cc:                                                                                                           
                        |
  |       Subject:  Event log counts...                                                                                 
                        |
  
> ---------------------------------------------------------------------------------------------------------------------------------------------|




List,

I am currently working on implementing a windows syslog solution in which
Win2k servers will dump their application/system/security event logs to a
(likely Kiwi) syslog server in our environment. One of the questions that
needs to get answered in order to implement such a solution is "How many
total event log entries are we generating per minute/hour/day/week/month
across all 200 of our servers?" I'm currently at a loss as to how to answer
this question, and so I'm turning to the list for ideas. At first, I was
thinking about just picking a small representative sample of our servers,
and counting the number of events generated in a set period of time.
However, I've had a very hard time picking a small representative sample of
our overall server farm, and from my (albeit somewhat limited) research
into
this avenue, there doesn't appear to be one. Is there a way that I could
query this kind of information somewhere in Windows? In the AD? NetIQ App
Manager? Do you guys know of any sort of utility that I could load that
would help me determine event counts? Should I write my own? Could I find
this information by querying WMI in a small VB app or something?

You ideas and suggestions are greatly appreciated.

Thanks,

Ryan



=============================
Notice to recipient:  This e-mail is meant for only the intended recipient
of the transmission, and may be a confidential communication or a
communication privileged by law.  If you received this e-mail in error, any
review, use, dissemination, distribution, or copying of this e-mail is
strictly prohibited.  Please notify us immediately of the error by return
e-mail and please delete this message from your system.  Thank you in
advance for your cooperation.