Security Basics mailing list archives
RE: Event log monitoring
From: "Kurt" <kurtbuff () spro net>
Date: Thu, 14 Oct 2004 11:59:53 -0700
Anything that can be syslogged should be. However, I'll note a couple of other particulars:
1) http://intersectalliance.com has an IIS log-to-syslog app, which I also run.
2) set all of your infrastructure that is capable of it to syslog - switches, routers, etc.
-----Original Message-----
From: dsimcik () bentley edu [mailto:dsimcik () bentley edu]
Sent: Thursday, October 14, 2004 09:14
To: kurtbuff () spro net
Cc: security-basics () securityfocus com
Subject: RE: Event log monitoring
Thanks for answering this question so succinctly.
From a security perspective, aside from the NT Event Logs, IDS Agent
monitoring, and application-specific logs, is there anything else at the
OS/system level that should be logged? What would complete the picture,
so to speak? The NT Event Logs leave a fair amount to be desired, IMHO.
THANKS!
DTS
David Simcik
-----------------------------------
Senior Web Developer - Web Services
Email: dsimcik () bentley edu
"Kurt" <kurtbuff () spro net>
10/13/2004 06:41 PM
Please respond to kurtbuff
To: "'Stephane Auger'" <stephaneauger () pre2post com>,
<security-basics () securityfocus com>
cc: (bcc: David Simcik/Staff/Bentley)
Subject: RE: Event log monitoring
http://ntsyslog.sourceforge.net or http://intersectalliance.com/snare -
will send your eventlogs to a syslog server in realtime
http://kiwisyslog.com - a very good syslog server for Windows, and if
you pay for it (it's very inexpensive for the impressive quality), it'll
even log to an ODBC DSN
http://mysql.com - A free SQL database server, with an ODBC interface,
both Windows and *nix.
Pretty much all you need.
| -----Original Message-----
| From: Stephane Auger [mailto:stephaneauger () pre2post com]
| Sent: Tuesday, October 12, 2004 13:26
| To: security-basics () securityfocus com
| Subject: Event log monitoring
|
|
| Hey everyone,
|
| I'm looking for a practical way to monitor event logs on multiple
| servers. There are multiple subnets at multiple sites, and I have one
| main LAN to monitor everything. Is there some kind of software/batch
| file that could be installed on the servers so that the events be sent
| on my monitoring lan (a little bit like SNMP sending to a listening
| server)? Thanks!!
|
| Stephane Auger, MCP
