Windows Event Collection
Microsoft Windows maintains at least three event logs:
- Security Log – Tracks events such as logon, logoff, changes to access rights, and system startup and shutdown.
- Application Log – Records events logged by applications, such as the failure of MS SQL to access a database.
- System Log – Records events logged by the operating system or its components, such as the failure of a service to start at bootup.
In Windows 2000 or later, there may also be other event logs, including:
- Directory Service – Records events logged by Active Directory and its related services.
- DNS Server – Records DNS queries, responses, and other DNS activities.
- File Replication Service – Records file replication activities on the system.
Every Windows event must be identified as one of five event types:
- Information – An informational event that is generally related to a successful action.
- Success Audit – An event related to the successful execution of an action.
- Failure Audit – An event related to the failed execution of an action.
- Warning – A warning. Details for warnings are often useful in preventing future system problems.
- Error – An error, such as the failure of a service to start.
I posted a question to the loganalysis mailing list a while back asking what everyone uses for their collection solution. The summary I gathered is as follows:
1. Snare (or similar agents) sending to syslog. The nice thing is that Intersect Alliance provides a couple of scripts that let you install Snare onto remote machines in your domain.
2. DumpEvt. This is actually a pretty good way, since you can dump logs from local and remote machines and format them however you want. The only drawback is that it is not real-time, so if you need real-time collection this is not the solution; in my case, however, I was not looking for real-time.
3. Win32::EventLog. Works pretty well: since you write your own script, you can be flexible about what you keep or discard. Not real-time, but you can easily write something that does what DumpEvt does with the added benefit of sending the events to syslog, and it is still agentless.
4. Win32::OLE using WMI. Probably the most flexible solution: it can monitor for new log entries, so it can be a real-time solution, and you decide what to do with each entry once you receive it (send it to syslog, discard it, etc.). However, I have read that this is pretty resource intensive; I have not tested this approach to its limit, though.
I will post some sample code for the various collection methods in the future.
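As an added example (not the sample code the post promises, and not from Snare, DumpEvt or the mailing list), here is one Perl script that covers methods 3 and 4 above: by default it polls an event log with Win32::EventLog and forwards records newer than the last run to a syslog server over UDP, and with --realtime it instead subscribes through Win32::OLE and WMI and forwards each new Win32_NTLogEvent as it appears. The syslog line format, the state file name, the port 514 collector and the severity mapping are all assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not code from the original post. Agentless collection of a
# Windows event log to a syslog server, in the two scripted modes above:
#   (default)   poll with Win32::EventLog, method 3: forward every record newer
#               than the one saved in a state file, then exit (schedule it)
#   --realtime  subscribe with Win32::OLE/WMI, method 4: block and forward
#               each new Win32_NTLogEvent as WMI reports it
# Assumed: a syslog server listening on UDP/514 and an account allowed to read
# the Security log (the "(security)" privilege below is needed for that log).
use strict;
use warnings;
use Getopt::Long;
use IO::Socket::INET;
use POSIX qw(strftime);
use Win32::EventLog;     # exports the EVENTLOG_* read-flag and type constants
use Win32::OLE;

my %opt = (server => $ENV{COMPUTERNAME}, log => 'Security',
           syslog => '127.0.0.1', state => 'evtlog.state', realtime => 0);
GetOptions(\%opt, 'server=s', 'log=s', 'syslog=s', 'state=s', 'realtime')
    or die "usage: $0 [--server HOST] [--log NAME] [--syslog IP] [--realtime]\n";

# Event type -> [name, syslog severity]. Failure audits are raised to
# "warning" so a syslog rule can pick out failed logons and the like.
my %type = (
    EVENTLOG_ERROR_TYPE()       => ['Error',        3],
    EVENTLOG_WARNING_TYPE()     => ['Warning',      4],
    EVENTLOG_INFORMATION_TYPE() => ['Information',  6],
    EVENTLOG_AUDIT_SUCCESS()    => ['SuccessAudit', 5],
    EVENTLOG_AUDIT_FAILURE()    => ['FailureAudit', 4],
);
# Win32_NTLogEvent.EventType uses its own numbering (1..5); map it back.
my %wmi_type = (1 => EVENTLOG_ERROR_TYPE(),       2 => EVENTLOG_WARNING_TYPE(),
                3 => EVENTLOG_INFORMATION_TYPE(), 4 => EVENTLOG_AUDIT_SUCCESS(),
                5 => EVENTLOG_AUDIT_FAILURE());

my $sock = IO::Socket::INET->new(PeerAddr => $opt{syslog}, PeerPort => 514,
                                 Proto => 'udp') or die "syslog socket: $!";

# Emit one BSD-syslog (RFC 3164) datagram: <PRI>TIMESTAMP HOST TAG: MSG,
# with PRI = facility 13 (log audit) * 8 + severity. Assumed line layout:
#   HOST Security: FailureAudit Security 529 Logon Failure: ...
sub to_syslog {
    my ($evtype, $host, $source, $id, $msg) = @_;
    my ($name, $sev) = @{ $type{$evtype} || ['Unknown', 6] };
    $msg = '' unless defined $msg;
    $msg =~ s/\s+/ /g;                           # one record per line
    $sock->send(sprintf('<%d>%s %s %s: %s %s %s %s', 13 * 8 + $sev,
                        strftime('%b %e %H:%M:%S', localtime), $host,
                        $opt{log}, $name, $source, $id, $msg));
}

sub poll_with_eventlog {
    my $last = 0;
    if (open my $fh, '<', $opt{state}) { chomp($last = <$fh> // 0); close $fh }
    local $Win32::EventLog::GetMessageText = 1;  # have Read() fill {Message}
    my $h = Win32::EventLog->new($opt{log}, $opt{server})
        or die "cannot open $opt{log} on $opt{server}: $^E";
    my ($oldest, $count) = (0, 0);
    $h->GetOldest($oldest);
    $h->GetNumber($count);
    my $newest = $oldest + $count - 1;
    for my $rec ($last + 1 .. $newest) {
        next if $rec < $oldest;                  # log wrapped since last run
        my %ev;
        $h->Read(EVENTLOG_SEEK_READ() | EVENTLOG_FORWARDS_READ(), $rec, \%ev)
            or next;
        # The low 16 bits of EventID are the number shown in Event Viewer.
        to_syslog($ev{EventType}, $ev{Computer}, $ev{Source},
                  $ev{EventID} & 0xFFFF,
                  $ev{Message} || join(' ', split /\0/, $ev{Strings} // ''));
    }
    $h->Close;
    open my $fh, '>', $opt{state} or die "state file $opt{state}: $!";
    print $fh $newest;
    close $fh;
}

sub subscribe_with_wmi {
    my $wmi = Win32::OLE->GetObject(
        "winmgmts:{impersonationLevel=impersonate,(security)}!\\\\$opt{server}\\root\\cimv2")
        or die 'WMI connect: ' . Win32::OLE->LastError;
    # WITHIN 5: WMI checks for new records every 5 seconds. Shorter intervals
    # cost CPU on the monitored host, which is the resource-intensive side of
    # this method.
    my $src = $wmi->ExecNotificationQuery(
        "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE "
      . "TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.Logfile='$opt{log}'")
        or die 'WMI query: ' . Win32::OLE->LastError;
    while (1) {
        my $ev = $src->NextEvent->{TargetInstance};   # blocks for next record
        to_syslog($wmi_type{ $ev->{EventType} }, $ev->{ComputerName},
                  $ev->{SourceName}, $ev->{EventCode}, $ev->{Message});
    }
}

$opt{realtime} ? subscribe_with_wmi() : poll_with_eventlog();
```

Run the polling mode from the Scheduler (for example every five minutes) against each server with --server; the state file keeps runs from re-sending records, and the wrap check handles a log that was cleared or rolled over between runs. The real-time mode is a long-running process, so it belongs on one collector host and should be given a conservative WITHIN interval.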

January 6th, 2005 at 3:05 pm
When I consider Security log analysis for a Win2k server, I think the rules that should be set are:
- Any startup or shutdown of the server or any new services should have proper authorization.
- Windows servers develop lots of logs; log clearing is often done to free disk space. If the logs are cleared for this purpose, it should be done with a proper change control procedure, i.e. authorization, backup/archival, storage.
- Analysis of warnings and failure audits for security-sensitive events (analysis not from a performance or troubleshooting perspective)
- Failed logins (expected to have a warning event for this)
Am I missing something? Please let me know.
Parag
January 6th, 2005 at 3:51 pm
Parag,
That’s a great list.
I would also be interested in
- successful logins during odd hours
- login/off patterns over time (week, month, etc) to detect abnormal behaviors
- who’s accessed what resource (files, applications) for security purposes as well as utilization trending (say this is a shared Citrix server or something)
Lots of operational as well as security type of reporting and alerting. I would be very interested in other thoughts.
January 25th, 2005 at 11:18 am
jlz,
You might be interested in log analysis using SEC, the Simple Event Correlator. Part II of the article at
http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
describes using SEC for these situations.
Best Regards,
Jim B.
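As an added example (not taken from the SEC article linked above, nor from the original post), here are two SEC rules for two of the checks raised in the comments: repeated failed logins, and clearing of the Security log outside change control. The rules assume that Windows Security events arrive as syslog lines of the form "HOST Security: TYPE SOURCE EVENTID MESSAGE" (an assumed layout), that event 529 is the Windows 2000 logon-failure audit and 517 the "audit log was cleared" audit, and that the forwarded message text contains the "User Name:" field as Event Viewer shows it.

```conf
# Added example, not from the SEC article or the post. Assumed input lines:
#   HOST Security: FailureAudit Security 529 Logon Failure: ... User Name: bob ...
#   HOST Security: SuccessAudit Security 517 The audit log was cleared ...
# i.e. "<log>: <type> <source> <eventid> <message>" after the syslog header.

# Five failed logons for the same account within 60 seconds raise one alert;
# $2 (the account) is part of desc, so the threshold is kept per user.
type=SingleWithThreshold
ptype=RegExp
pattern=^(\S+) Security: FailureAudit \S+ 529 .*User Name:\s*(\S+)
desc=Repeated logon failures for $2 on $1
action=write - ALERT: %s
window=60
thresh=5

# Event 517 (audit log cleared) should only ever appear under change control,
# so every occurrence is reported immediately.
type=Single
ptype=RegExp
pattern=^(\S+) Security: SuccessAudit \S+ 517 
desc=Security log cleared on $1
action=write - ALERT: %s
```

Point SEC at the file the syslog server writes the forwarded Windows events to (sec -conf=windows.sec -input=/var/log/windows.log); the write actions here go to stdout, and in production would be swapped for a pipe to a mail or paging command.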