From: Mattias Nyholm (mattias.nyholm at framfab.se)
Date: Wed Jul 04 2001 - 07:15:16 CDT
One way is to use a script that captures events through WMI.
The script can run on the server or on a centralized script
host; the only requirement is that the WMI provider is
installed on each server that you want to monitor.
The attached script includes basic functionality to monitor
events on a server. You can use it as a start and then add
functions to filter events, log them to a database or whatever.
We've been using this approach to monitor ~50 servers and
log all events to a SQL database. It works great, but there
are a few drawbacks:
# If the script connects to a remote system the network
connection obviously must be available. If it goes down,
no logging will occur (except on the server of course).
One way to get around that is to run the script on the
server itself and use some kind of buffering, but that
would require much more work.
# Events must be processed quite fast, so you can't have
too much logic in the script or use a slow database
server. If events aren't processed fast enough the queue
will overflow, and the provider will skip events and jump
to the last event.
Hope this helps!
Regards,
Mattias
PS To use the script just change the Server variable.
> -----Original Message-----
> From: th3rm05 at hushmail.com [mailto:th3rm05 at hushmail.com]
> Sent: 26 June 2001 15:29
> To: focus-ms at securityfocus.com
> Subject: remote logging in NT4
>
>
> I am trying to set up remote EVENT logging on some NT4 (SP6a if it
> matters) servers. We would like to have a centralized "log server"
> (which would also potentially double as our IDS) so that our logs can
> be kept remotely. This will make it more difficult to modify them in
> the event of a hacker being set loose on our system. I tried modifying
> the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<System |
> Application | Security> keys to be \\LOGHOSTNAME\LOGHOSTDRIVE$\LOGHOSTDIR,
> but all this did was prevent the event logger from loading.
>
> I'm thinking 1 of 2 things: either a workaround for this in the
> registry, or perhaps having the SYSTEM (as opposed to the user at
> login) map the network drive as L:\ or something similar, and changing
> the aforementioned key to L:\LOGHOSTDIR. Problem is, I have no idea how
> to do either one.
>
> Does anyone have any experience (or even any off-the-cuff ideas) with
> this sort of thing? Any comments/suggestions would be more than welcome!
>
> th3rm05
> Free, encrypted, secure Web-based email at www.hushmail.com
>
- application/octet-stream attachment: logmon.zip
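The WMI event subscription Mattias describes above, written out as an added example. This is not the script in the attached logmon.zip and not code from either poster; it assumes Windows PowerShell 5.1 on the monitoring host (Register-WmiEvent is not available in PowerShell 7), a placeholder server name SERVER01 and a hypothetical spool path under C:\logs, and an account that has WMI access on the monitored server (reading the Security log remotely additionally needs administrator rights or the "Manage auditing and security log" privilege there). It keeps the per-event handler cheap, as the post advises, by appending each record to a local spool file rather than talking to a database inline, and it notices a dead network link instead of silently logging nothing.

```powershell
# Added example (not the logmon.zip script from the post).
# Subscribes to new event-log records on a remote server over WMI and
# appends them to a local spool file. Assumptions: Windows PowerShell 5.1,
# $Server reachable over DCOM/RPC, caller has WMI and event-log read rights.
param(
    [string]$Server = 'SERVER01',              # change this, as with the original script
    [string]$Spool  = 'C:\logs\events.jsonl'   # hypothetical local spool path
)

# The NT Event Log provider raises an __InstanceCreationEvent for each
# Win32_NTLogEvent record as it is written, so no WITHIN polling clause is needed.
$query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'"
$source = "EvLog-$Server"

Register-WmiEvent -ComputerName $Server -Namespace 'root\cimv2' `
    -Query $query -SourceIdentifier $source | Out-Null

try {
    while ($true) {
        # Block for the next event; the timeout lets us detect a dead link,
        # which otherwise just looks like a quiet server.
        $ev = Wait-Event -SourceIdentifier $source -Timeout 60
        if (-not $ev) {
            if (-not (Test-Connection -ComputerName $Server -Count 1 -Quiet)) {
                Write-Warning "$Server unreachable; events written there are not being collected"
            }
            continue
        }

        $rec = $ev.SourceEventArgs.NewEvent.TargetInstance

        # Keep this handler fast: if events arrive faster than they are consumed
        # the WMI queue overflows and the provider skips ahead to the latest event.
        # Flatten the record and append it locally; shipping to a database is a
        # separate, slower step that reads the spool.
        [pscustomobject]@{
            Server   = $Server
            Logfile  = $rec.Logfile
            Record   = $rec.RecordNumber
            Time     = [System.Management.ManagementDateTimeConverter]::ToDateTime($rec.TimeGenerated).ToString('o')
            Source   = $rec.SourceName
            EventId  = $rec.EventCode
            Type     = $rec.Type
            User     = $rec.User
            Message  = ($rec.Message -replace '\s+', ' ')
        } | ConvertTo-Json -Compress | Add-Content -Path $Spool

        # Drop the processed event from the session queue.
        Remove-Event -EventIdentifier $ev.EventIdentifier
    }
}
finally {
    Unregister-Event -SourceIdentifier $source
}
```

Run it once per monitored server (or parameterise the server list and register one subscription per host under distinct SourceIdentifiers); the spool is append-only JSON lines, so a separate loader can push it to SQL at its own pace without stalling event delivery, which is the queue-overflow drawback the post warns about.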