Comments on: Windows Event Collection http://www.zhen.org/blog/2004/10/05/windows-event-collection/ Business, Technology and Other Things Tue, 06 Jan 2009 05:12:18 +0000 http://wordpress.org/?v=2.6.1 By: Jim B. http://www.zhen.org/blog/2004/10/05/windows-event-collection/#comment-122 Jim B. Tue, 25 Jan 2005 18:18:07 +0000 /?p=9#comment-122 jlz, You might be interested in log analysis using SEC- The Simple Event Correlator. Part II of the article at http://sixshooter.v6.thrupoint.net/SEC-examples/article.html describes using SEC for these situations. Best Regards, Jim B. jlz,

You might be interested in log analysis using SEC- The Simple Event Correlator. Part II of the article at
http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
describes using SEC for these situations.

Best Regards,
Jim B.

]]> By: jlz http://www.zhen.org/blog/2004/10/05/windows-event-collection/#comment-77 jlz Thu, 06 Jan 2005 22:51:03 +0000 /?p=9#comment-77 Parag, That's a great list. I would also be interested in - successful logins during odd hours - login/off patterns over time (week, month, etc) to detect abnormal behaviors - who's accessed what resource (files, appliacations) for security purposes as well as utilization trending (say this is a shared citrix server or something) Lots of operational as well as security type of reporting and alerting. I would be very interested in other thoughts. Parag,

That’s a great list.

I would also be interested in

- successful logins during odd hours
- login/off patterns over time (week, month, etc) to detect abnormal behaviors
- who’s accessed what resource (files, appliacations) for security purposes as well as utilization trending (say this is a shared citrix server or something)

Lots of operational as well as security type of reporting and alerting. I would be very interested in other thoughts.

]]> By: parag Deshpande http://www.zhen.org/blog/2004/10/05/windows-event-collection/#comment-76 parag Deshpande Thu, 06 Jan 2005 22:05:27 +0000 /?p=9#comment-76 When I consider Security log analysis for win2k server i think rules that should set are - Any Start up or shut down or server or any new services should have proper authorization. - Windows server develops logs of logs cleaning is often done to use the disk space, If the logs cleared for this purpose, it should done with proper change control procedure i.e. Authorization , Backup/ Archival , Storage . - Analysis of warnings and failure audits for security sensitive events ( Analysis not from Performance or trouble shooting perspective) - Failed logins (Expected to have warning event for this) Am I missing some thing...please let me know.... Parag When I consider Security log analysis for win2k server i think rules that should set are
- Any Start up or shut down or server or any new services should have proper authorization.
- Windows server develops logs of logs cleaning is often done to use the disk space, If the logs cleared for this purpose, it should done with proper change control procedure i.e. Authorization , Backup/ Archival , Storage .
- Analysis of warnings and failure audits for security sensitive events ( Analysis not from Performance or trouble shooting perspective)
- Failed logins (Expected to have warning event for this)
Am I missing some thing…please let me know….

Parag

]]>