From: Stefan Schwall (stefan.schwall@saxsoft.de)
Date: Thu Jul 05 2001 - 03:35:06 CDT


    It may not be a wise idea to send a VBScript file via eMail. Lots of virus
    scanners just delete such attachments.

    Stefan Schwall
    s.a.x. Software

    -----Original Message-----
    From: Mattias Nyholm [mailto:mattias.nyholm@framfab.se]
    Sent: Wednesday, July 04, 2001 2:15 PM
    To: focus-ms@securityfocus.com
    Cc: 'th3rm05@hushmail.com'
    Subject: RE: remote logging in NT4

    One way is to use a script that captures events through WMI.
    The script can run on the server or on a centralized script
    host; the only requirement is that the WMI provider is
    installed on each server that you want to monitor.

    The attached script includes basic functionality to monitor
    events on a server. You can use it as a start and then add
    functions to filter events, log them to a database or whatever.

    We've been using this approach to monitor ~50 servers and
    log all events to a SQL database. It works great, but there
    are a few drawbacks:

    # If the script connects to a remote system the network
      connection obviously must be available. If it goes down,
      no logging will occur (except on the server of course).
      One way to get around that is to run the script on the
      server itself and use some kind of buffering, but that
      would require much more work.
    # Events must be processed quite fast, so you can't have
      too much logic in the script or use a slow database
      server. If events aren't processed fast enough the queue
      will overflow, and the provider will skip events and jump
      to the last event.

    Hope this helps!

    Regards,

    Mattias

    PS To use the script just change the Server variable.

    > -----Original Message-----
    > From: th3rm05@hushmail.com [mailto:th3rm05@hushmail.com]
    > Sent: den 26 juni 2001 15:29
    > To: focus-ms@securityfocus.com
    > Subject: remote logging in NT4
    >
    >
    > I am trying to set up remote EVENT logging on some NT4 (SP6a if it
    > matters) servers. We would like to have a centralized "log server"
    > (which would also potentially double as our IDS) so that our logs can
    > be kept remotely. This will make it more difficult to modify them in
    > the event of a hacker being set loose on our system. I tried modifying
    > the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<System |
    > Application | Security> keys to be
    > \\LOGHOSTNAME\LOGHOSTDRIVE$\LOGHOSTDIR, but all this did was prevent
    > the event logger from loading.
    >
    > I'm thinking 1 of 2 things: either a workaround for this in the
    > registry, or perhaps having the SYSTEM (as opposed to the user at
    > login) map the network drive as L:\ or something similar, and changing
    > the aforementioned key to L:\LOGHOSTDIR. Problem is, I have no idea how
    > to do either one.
    >
    > Does anyone have any experience (or even any off-the-cuff ideas) with
    > this sort of thing? Any comments/suggestions would be more than welcome!
    >
    > th3rm05
    > Free, encrypted, secure Web-based email at www.hushmail.com
    >
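A script of the kind Mattias describes, written here as an added example (his attachment is not on the page and this is not it): it subscribes through WMI to new event-log records on one server and appends them to a text file on the host running the script. The Server variable mirrors the one his PS mentions; the server name, output path, log filter and privilege handling are assumptions.

```vbscript
' Added example (not the attachment from the original post): subscribe
' through WMI to new event-log records on one server and append them to a
' text file. Assumed: the Server variable (named after the one the PS
' mentions), the server name, the output path and the Security-log filter.
Option Explicit

Dim Server, LogDir, LogFile
Server  = "SERVER01"             ' hypothetical; "." monitors the local host
LogDir  = "C:\wmilog"
LogFile = LogDir & "\" & Server & ".log"

Dim fso, out, loc, svc, events, evt, rec
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists(LogDir) Then fso.CreateFolder LogDir
Set out = fso.OpenTextFile(LogFile, 8, True)   ' 8 = ForAppending

' Connect to root\cimv2 on the (possibly remote) server. Reading the
' Security log needs SeSecurityPrivilege, requested on the locator before
' connecting. Running on the server itself (Server = ".") avoids the
' network dependency Mattias describes.
Set loc = CreateObject("WbemScripting.SWbemLocator")
loc.Security_.ImpersonationLevel = 3           ' wbemImpersonationLevelImpersonate
loc.Security_.Privileges.AddAsString "SeSecurityPrivilege", True
Set svc = loc.ConnectServer(Server, "root\cimv2")

' The NT Event Log provider raises __InstanceCreationEvent for each new
' Win32_NTLogEvent, so no WITHIN polling clause is needed. Filter in the
' query where possible: WMI then discards unwanted events before they reach
' the script, which keeps the consumer loop fast.
Set events = svc.ExecNotificationQuery( _
    "SELECT * FROM __InstanceCreationEvent " & _
    "WHERE TargetInstance ISA 'Win32_NTLogEvent' " & _
    "AND TargetInstance.Logfile = 'Security'")

' Keep per-event work minimal: if this loop falls behind, the provider's
' queue overflows and events are skipped, as the post warns.
Do
    Set evt = events.NextEvent            ' blocks until the next record
    Set rec = evt.TargetInstance
    out.WriteLine Server & vbTab & rec.Logfile & vbTab & rec.TimeGenerated & _
        vbTab & rec.EventCode & vbTab & rec.SourceName & vbTab & _
        rec.EventType & vbTab & Replace("" & rec.Message, vbCrLf, " ")
Loop
```

Run it with cscript so it stays attached to a console; the account it runs under must be allowed to connect to WMI on the target and to read the Security log there.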