OSEC

From: Kevan Smith (KCSmithtideworks.com)
Date: Thu Jun 28 2001 - 12:15:49 CDT


    While more costly than the other approaches mentioned, you'll get a
    significantly enhanced event/system monitoring and response tool with NetIQ
    Operations Manager (purchased by MS and being renamed Microsoft Operations
    Manager 2000 as of July 1, 2001). We've got this tool in-house and
    absolutely love it.

    Essentially you have:

    Hardware topology:
     - A central server that collects, stores, and responds
            to events on the agents (SQL db backend)
     - Optional "consolidators" throughout the network,
            acting as go-between for agents and central server
            (keeps precious bandwidth utilization down)
     - Agents on all monitored servers. Sends event log updates
            and perfmon data to the central server every five minutes,
            important events (like hardware failure notifications) immediately.

    Out of the box, OM will monitor system health and track performance data for
    historical and projection data, an excellent knowledge base, a powerful
    notification and VBS scripting responses (restart server, lock out attacking
    user, turn on emergency lighting and ring the buzzer, etc), and a powerful
    framework to build on.

    I believe you can take a look at the upcoming ver. from MOM at
    www.microsoft.com/mom

    Kevan Smith
    MCSE, MCP+I, ACT, A+
    NT Administrator
    Tideworks Technology

    -----Original Message-----
    From: th3rm05hushmail.com [mailto:th3rm05hushmail.com]
    Sent: Tuesday, June 26, 2001 6:29 AM
    To:
    Subject: remote logging in NT4

    I am trying to set up remote EVENT logging on some NT4 (SP6a if it matters)
    servers. We would like to have a centralized "log server" (which would
    also potentially double as our IDS) so that our logs can be kept remotely.
    This will make it more difficult to modify them in the event of a hacker
    being set loose on our system. I tried modifying the
    HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<System
    | Application | Security> keys to be \\LOGHOSTNAME\LOGHOSTDRIVE$\LOGHOSTDIR,
    but all this did was prevent the event logger from loading.

    I'm thinking 1 of 2 things: either a workaround for this in the registry, or
    perhaps having the SYSTEM (as opposed to the user at login) map the network
    drive as L:\ or something similar, and changing the aforementioned key to
    L:\LOGHOSTDIR. Problem is, I have no idea how to do either one.

    Does anyone have any experience (or even any off-the-cuff ideas) with this
    sort of thing? Any comments/suggestions would be more than welcome!

    th3rm05
    Free, encrypted, secure Web-based email at www.hushmail.com
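An added example, not part of the thread above: a PowerShell audit of the EventLog registry keys th3rm05 describes. It assumes the standard `File` value under each log subkey and flags any log whose file path is a UNC share or a network drive letter, neither of which the Event Log service (running as LocalSystem) can open at startup; centralising logs is better done by collection or forwarding, as the reply suggests, than by relocating the .evt file.

```powershell
# Added example: audit where each Windows event log writes its file and flag
# paths that point off the local disk. Assumes the standard "File" value under
# HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log>.
$EventLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

function Get-LogPathKind {
    # Classify a log file path as Local, UNC, NetworkDrive or Unknown.
    param([Parameter(Mandatory)][string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if ($expanded -like '\\*') { return 'UNC' }
    if ($expanded -notmatch '^[A-Za-z]:\\') { return 'Unknown' }
    $root = $expanded.Substring(0, 3)          # e.g. "L:\"
    $drive = [System.IO.DriveInfo]::GetDrives() | Where-Object { $_.Name -eq $root }
    if ($null -eq $drive) { return 'Unknown' }   # letter not mounted in this session
    if ($drive.DriveType -eq 'Network') { return 'NetworkDrive' }
    return 'Local'
}

function Get-EventLogFileAudit {
    # One record per log subkey: name, configured path and its classification.
    foreach ($sub in Get-ChildItem -Path $EventLogKey) {
        $file = (Get-ItemProperty -Path $sub.PSPath -Name File -ErrorAction SilentlyContinue).File
        if (-not $file) { continue }             # subkey without a File value
        [pscustomobject]@{
            Log  = $sub.PSChildName
            File = $file
            Kind = Get-LogPathKind -Path $file
        }
    }
}

# Report: anything that is not Local will stop the Event Log service loading
# that log, which is the symptom described in the original question.
$audit = Get-EventLogFileAudit
$audit | Format-Table -AutoSize
$bad = $audit | Where-Object { $_.Kind -ne 'Local' }
if ($bad) {
    Write-Warning ("Non-local event log paths found: " + (($bad | ForEach-Object { "$($_.Log)=$($_.File)" }) -join '; '))
}
```

Run it in an elevated session on the monitored host; `Kind` of `UNC` or `NetworkDrive` identifies a log the service will fail to open.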