Security Basics mailing list archives
Re: Monitoring of Admin logins
From: Steven Hollingsworth <steven () aznc com>
Date: Wed, 11 Apr 2007 11:27:57 -0700
On Wed, Apr 11, 2007 at 11:48:20AM -0500, Steven Adair wrote:
> A syslog server as mentioned will do the trick. You can run scripts to parse through the logs looking for "administrator" logins or the logins you have given to each of the users. Also, you may want to avoid giving these other users access to this server or at least just give them read-only access.
>
> There are also other event correlation/SIM products that have capabilities you mentioned. Someone just e-mailed this list a little bit ago asking about ArcSight. I believe this product is capable of doing this, as is NetIQ. Now these aren't free by any means, in fact they are far from it.
>
> Steven
> securityzone.org

Another option is using Simple Event Correlator [0]. It, on the other hand, is free, and used with a central log server is very powerful. It takes some time to hack out some custom rules, but you'll see in the documentation section they have quite a few links to get you started.

[0] - http://www.estpak.ee/~risto/sec/

~ stevo
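
The log-parsing approach suggested in the quoted message, sketched as an added example that is not part of the original posts: a Python script that scans centrally collected syslog lines for logons by watched admin accounts and flags repeated failures. The line layout, account names, hosts and addresses are constructed assumptions, not any product's real format.

```python
import re
from collections import defaultdict

# Accounts to watch (hypothetical): built-in administrator plus per-user admin logins.
WATCHED = {"administrator", "adm-jsmith", "adm-mlee"}

# Assumed layout: <Mon> <day> <time> <host> auth: logon <result> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) auth: "
    r"logon (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample of what the central log server might hold.
SAMPLE_LOG = r"""Apr 11 09:14:02 dc01 auth: logon success user=administrator src=10.0.0.5
Apr 11 09:15:40 fs02 auth: logon success user=jsmith src=10.0.0.23
Apr 11 09:20:11 fs02 auth: logon failure user=CORP\Administrator src=10.0.0.77
Apr 11 09:20:13 fs02 auth: logon failure user=CORP\Administrator src=10.0.0.77
Apr 11 09:20:16 fs02 auth: logon failure user=administrator src=10.0.0.77
Apr 11 10:02:55 dc01 auth: logon success user=adm-jsmith src=10.0.0.23
Apr 11 10:03:00 dc01 cron: job started
"""

def admin_logons(lines, watched=WATCHED):
    """Yield one dict per logon event by a watched account."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            # Drop any DOMAIN\ prefix and compare case-insensitively.
            event["user"] = event["user"].rsplit("\\", 1)[-1].lower()
            if event["user"] in watched:
                yield event

def summarize(events, fail_threshold=3):
    """Return (successful admin logons, {(host, user): failures >= threshold})."""
    successes, failures = [], defaultdict(int)
    for e in events:
        if e["result"] == "success":
            successes.append(e)
        else:
            failures[(e["host"], e["user"])] += 1
    return successes, {k: n for k, n in failures.items() if n >= fail_threshold}

if __name__ == "__main__":
    ok, alerts = summarize(admin_logons(SAMPLE_LOG.splitlines()))
    for e in ok:
        print(f"{e['ts']} {e['host']}: {e['user']} logged on from {e['src']}")
    for (host, user), n in alerts.items():
        print(f"ALERT {host}: {n} failed logons for {user}")
```
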