Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Stefan Schwall (stefan.schwallsaxsoft.de)
Date: Thu Jul 05 2001 - 03:35:06 CDT
It may not be a wise idea to send a VBScript file via eMail. Lots of virus
scanners just delete such attachments.
From: Mattias Nyholm [mailto:mattias.nyholmframfab.se]
Sent: Wednesday, July 04, 2001 2:15 PM
Subject: RE: remote logging in NT4
One way is to use a script that captures events through WMI.
The script can run on the server or on a centralized script
host; the only requirement is that the WMI provider is
installed on each server that you want to monitor.
The attached script includes basic functionality to monitor
events on a server. You can use it as a start and then add
functions to filter events, log them to a database or whatever.
We've been using this approach to monitor ~50 servers and
log all events to a SQL database. It works great, but there
are a few drawbacks:
# If the script connects to a remote systems the network
connection obviously must be available. If it goes down,
no logging will occur (except on the server of course).
One way to get around that is to run the script on the
server itself and use some kind of buffering, but that
would require much more work.
# Events must be processed quite fast, so you can't have
too much logic in the script or use a slow database
server. If events aren't processed fast enough the queue
will overflow, and the provider will skip events and jump
to the last event.
Hope this helps!
PS To use the script just change the Server variable.
> -----Original Message-----
> From: th3rm05hushmail.com [mailto:th3rm05hushmail.com]
> Sent: den 26 juni 2001 15:29
> To: focus-mssecurityfocus.com
> Subject: remote logging in NT4
> I am trying to set up remote EVENT logging on some NT4 (SP6a
> if it matters)
> servers. We would like to have a centralized "log server"
> (which would
> also potentially double as our IDS) so that our logs can be
> kept remotely.
> This will make it more difficult to modify them in the event
> of a hacker
> being set loose on our system. I tried modifying the
> | Application | Security> keys to be
> but all this did was prevent the event logger from loading.
> I'm thinking 1 of 2 things: either a workaround this in the
> registry, or
> perhaps having the SYSTEM (as opposed to the user at login)
> map the network
> drive as L:\ or something similar, and changing the
> aforementioned key to
> L:\LOGHOSTDIR. Problem is, I have no idea how to do either one.
> Does anyone have any experience (or even any off-the-cuff
> ideas) with this
> sort of thing? Any comments/suggestions would be more than welcome!
> Free, encrypted, secure Web-based email at www.hushmail.com