 
RE: Windows Event Logs

From: Floyd Russell (floydneospire.net)
Date: Fri Jun 20 2003 - 11:25:21 CDT


Just to expound upon this, I was wondering if anyone knew of any tools that
would be able to translate what is recorded in the Security audits to real-life
events. For example, the following entry:

Object Open:
         Object Server: Security Account Manager
         Object Type: SAM_DOMAIN
         Object Name: *********
         New Handle ID: 663040
         Operation ID: {0,9435828}
         Process ID: 284
         Primary User Name: ********$
         Primary Domain: **********
         Primary Logon ID: (0x0,0x3E7)
         Client User Name: *********$
         Client Domain: ***********
         Client Logon ID: (0x0,0x3E7)
         Accesses GetLocalGroupMembership
                        LookupIDs

         Privileges -

I mean honestly, wtf does that mean? So I guess my broader question is: what
tools have people found useful in extracting meaning from Windows Security
event logs?

|> -----Original Message-----
|> From: Levinson, Karl [mailto:LevinsonKSTARS-SMI.com]
|> Sent: Friday, June 20, 2003 10:52 AM
|> To: 'Floyd Russell'; focus-mssecurityfocus.com
|> Subject: RE: Windows Event Logs
|>
|>
|> Not exactly. Native IP logging in Windows was not introduced until Windows
|> 2003 Server and to some extent XP [via the included ICF firewall]. As far
|> as I know, you would need to either upgrade your version of Windows or add
|> some third party hardware or software tool that logs IP address. A hardware
|> or software firewall or IDS such as www.sygate.com or www.snort.org could
|> be one way to do this [you could even configure the firewall to just log
|> and not block any traffic, if you prefer].
|>
|> You would still have to manually correlate the IP logs with the Windows
|> security logs. This would require that the time always be synched in both
|> logs, and if there is a lot of similar network traffic being reported
|> simultaneously, you could have problems logging everything you need or
|> correctly correlating log entries.
|>
|> One thing that might make log correlation easier could be to combine the
|> IP logs and the Windows security logs into one log file. One way to do
|> this would be to send all your events to a syslog client like
|> www.kiwisyslog.com or others. To send Windows event logs to syslog, there
|> is a program called NTSYSLOG; search www.google.com to find it. I believe
|> it's free. www.kiwisyslog.com is another inexpensive possibility for doing
|> this. Another solution is at http://www.winsyslog.com/en/. You'd want the
|> Professional version, which is not free.
|>
|> If you log to a remote system, this has the advantage of being able to
|> remotely view multiple systems and make it harder for an attacker to
|> delete log files from a compromised host. However, someone could
|> potentially get sensitive data from your log files by sniffing the wire
|> [you might choose to set up an encrypted tunnel of some sort to try to
|> reduce this risk]. I suppose this could also generate a lot of extra
|> network traffic depending on how much you're logging. And theoretically
|> someone could try to generate extra log events to do a denial of service
|> or disable your logging.
|>
|>
|>
|> -----Original Message-----
|> From: Floyd Russell [mailto:floydneospire.net]
|> Sent: Thursday, June 19, 2003 2:28 PM
|> To: focus-mssecurityfocus.com
|> Subject: [despammed] Windows Event Logs
|>
|>
|> In my years of admining Windows servers the event logs have always been
|> frustratingly incomplete. This is especially true with the Security logs.
|> For example, if an attempted logon fails, it records the event, but
|> seemingly nothing else of importance like an IP.
|> Are there any tools out there that either allow admins a finer control
|> over what activities happen on the host or any that can pull such
|> information from the event logs?
|>
|>
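
The "Object Open" entry quoted at the top of this message is the NT/2000-style audit written when a handle is opened on a SAM object (the thread never names the event ID; on NT 4, 2000 and XP this body belongs to event 560). The following is an added example, not code from the thread or any product, that parses that entry and turns it into the facts an analyst actually wants: Logon ID (0x0,0x3E7) is the well-known SYSTEM session, a user name ending in "$" is a computer account, Primary versus Client Logon ID shows whether the process is impersonating someone, and the "Accesses" list is the set of SAM rights requested. The split of SAM domain rights into read-only and write groups and the "routine"/"review" verdict are assumptions made for this example; the sample text is the poster's entry with the masked fields left as posted.

```python
import re

# Constructed copy of the Object Open entry quoted in the thread, masked
# fields kept exactly as the poster masked them.
SAMPLE_EVENT = """\
Object Open:
         Object Server: Security Account Manager
         Object Type: SAM_DOMAIN
         Object Name: *********
         New Handle ID: 663040
         Operation ID: {0,9435828}
         Process ID: 284
         Primary User Name: ********$
         Primary Domain: **********
         Primary Logon ID: (0x0,0x3E7)
         Client User Name: *********$
         Client Domain: ***********
         Client Logon ID: (0x0,0x3E7)
         Accesses GetLocalGroupMembership
                        LookupIDs

         Privileges -
"""

# Logon session IDs Windows always assigns to the built-in service accounts
# (low 32 bits of the logon LUID).
WELL_KNOWN_LOGON_IDS = {0x3E7: "SYSTEM", 0x3E5: "LOCAL SERVICE", 0x3E4: "NETWORK SERVICE"}

# SAM domain-object rights as they appear in the audit's "Accesses" list,
# split into read-only and modifying rights. Assumed grouping for triage.
READ_ONLY_DOMAIN_ACCESSES = {"ReadPasswordParameters", "ReadOtherParameters",
                             "GetLocalGroupMembership", "ListAccounts", "LookupIDs"}
WRITE_DOMAIN_ACCESSES = {"WritePasswordParameters", "WriteOtherParameters", "CreateUser",
                         "CreateGlobalGroup", "CreateLocalGroup", "AdministerServer"}

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")
LUID_RE = re.compile(r"^\(\s*(0x[0-9A-Fa-f]+)\s*,\s*(0x[0-9A-Fa-f]+)\s*\)$")


def parse_logon_id(text):
    """'(0x0,0x3E7)' -> (0, 0x3E7); None if the field is not a logon LUID."""
    m = LUID_RE.match(text.strip())
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None


def parse_event(text):
    """Split a multi-line Security event body into fields, accesses and privileges."""
    lines = text.splitlines()
    event = {"title": lines[0].strip().rstrip(":"), "fields": {}, "accesses": [], "privileges": []}
    section = None  # list that bare continuation lines (e.g. "LookupIDs") belong to
    for raw in lines[1:]:
        line = raw.strip()
        if not line:
            continue
        for name in ("Accesses", "Privileges"):
            if line.startswith(name):
                section = name.lower()
                rest = line[len(name):].strip()
                if rest and rest != "-":        # "Privileges -" means none used
                    event[section].append(rest)
                break
        else:
            m = FIELD_RE.match(line)
            if m:
                event["fields"][m.group(1)] = m.group(2).strip()
            elif section:
                event[section].append(line)
    return event


def explain(event):
    """Turn the parsed event into the facts an analyst wants, plus a verdict."""
    f = event["fields"]
    client = f.get("Client User Name", "")
    luid = parse_logon_id(f.get("Client Logon ID", ""))
    session = ("unknown" if luid is None
               else WELL_KNOWN_LOGON_IDS.get(luid[1], "user session %#x" % luid[1]))
    requested = set(event["accesses"])
    info = {
        "actor": client,
        "actor_is_computer_account": client.endswith("$"),
        "client_session": session,
        # Primary = token of the process; Client = identity it impersonates.
        "impersonating": f.get("Client Logon ID") != f.get("Primary Logon ID"),
        "process_id": f.get("Process ID"),
        "object": "%s/%s" % (f.get("Object Server"), f.get("Object Type")),
        "read_accesses": sorted(requested & READ_ONLY_DOMAIN_ACCESSES),
        "write_accesses": sorted(requested & WRITE_DOMAIN_ACCESSES),
        "unknown_accesses": sorted(requested - READ_ONLY_DOMAIN_ACCESSES - WRITE_DOMAIN_ACCESSES),
        "privileges": event["privileges"],
    }
    # Assumed rule: a built-in service session doing read-only lookups with no
    # privileges is routine; anything else deserves a look.
    routine = (luid is not None and luid[1] in WELL_KNOWN_LOGON_IDS
               and not info["write_accesses"] and not info["unknown_accesses"]
               and not info["privileges"])
    info["verdict"] = "routine" if routine else "review"
    info["summary"] = "%s (%s) via process %s opened %s requesting %s; privileges %s; %s" % (
        client or "<unknown>", session, info["process_id"], info["object"],
        ", ".join(event["accesses"]) or "nothing",
        ", ".join(event["privileges"]) or "none", info["verdict"])
    return info


if __name__ == "__main__":
    print(explain(parse_event(SAMPLE_EVENT))["summary"])
```

For the quoted entry this reads as: a computer account running in the SYSTEM session, through process 284, opened the SAM domain object for two read-only lookups (group membership and SID/name translation) using no privileges, which is the machine looking itself up rather than anyone touching accounts. The same parser applied to an entry with CreateUser or AdministerServer in the Accesses list, or a non-service Logon ID, would flag it for review, and the Logon ID is the key to join the entry to the Logon event that created that session.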

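Karl's suggestion of correlating a firewall or IDS log with the Windows security log by time, together with his two caveats (the clocks have to be synched, and similar simultaneous traffic makes the match ambiguous), as an added example that is not from the thread. The failed-logon records are a constructed sketch of what the security log gives you for event 529 on NT/2000/XP (time, account, workstation, but no IP); the firewall lines are constructed in an invented syslog-style layout, not any product's format.

```python
import re
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed failed-logon records: what the Security log records for a
# failed logon (event 529), note the absence of any IP address.
WINDOWS_EVENTS = [
    {"time": "2003-06-19 14:21:03", "event_id": 529, "user": "administrator", "workstation": "WKS-12"},
    {"time": "2003-06-19 14:21:05", "event_id": 529, "user": "administrator", "workstation": "WKS-12"},
    {"time": "2003-06-19 14:30:40", "event_id": 529, "user": "backup", "workstation": "FILESRV"},
    {"time": "2003-06-19 14:45:00", "event_id": 529, "user": "guest", "workstation": "LAPTOP7"},
]

# Constructed firewall/IDS lines as a syslog collector might store them;
# the last one comes from a sensor whose clock runs 50 seconds behind.
FIREWALL_LOG = """\
2003-06-19 14:21:02 ALLOW TCP 10.0.0.77:1187 -> 192.168.1.5:139
2003-06-19 14:21:04 ALLOW TCP 10.0.0.77:1188 -> 192.168.1.5:139
2003-06-19 14:30:39 ALLOW TCP 10.0.0.23:3301 -> 192.168.1.5:445
2003-06-19 14:30:39 ALLOW TCP 10.0.0.91:2044 -> 192.168.1.5:445
2003-06-19 14:44:10 ALLOW TCP 10.0.0.50:2090 -> 192.168.1.5:445
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (\w+) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")


def parse_firewall_log(text):
    """Parse the constructed firewall format into connection records."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format instead of aborting the run
        ts, action, proto, src, sport, dst, dport = m.groups()
        conns.append({"time": datetime.strptime(ts, FMT), "action": action,
                      "proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport)})
    return conns


def correlate(events, conns, window_s=3, skew_s=0, ports=(139, 445)):
    """Attribute each logon event to the source IP(s) of SMB connections seen
    up to window_s seconds before it. skew_s widens both ends of the window
    to absorb clock drift between the two log sources."""
    window, skew = timedelta(seconds=window_s), timedelta(seconds=skew_s)
    results = []
    for ev in events:
        t = datetime.strptime(ev["time"], FMT)
        lo, hi = t - window - skew, t + skew
        hits = [c for c in conns if c["dport"] in ports and lo <= c["time"] <= hi]
        sources = sorted({c["src"] for c in hits})
        if len(sources) == 1:
            status = "attributed"
        elif sources:
            status = "ambiguous"   # several hosts hit SMB at once; cannot pick one
        else:
            status = "unmatched"   # nothing in the window: check clocks and ports
        results.append({"time": ev["time"], "user": ev["user"],
                        "workstation": ev["workstation"],
                        "status": status, "sources": sources})
    return results


if __name__ == "__main__":
    conns = parse_firewall_log(FIREWALL_LOG)
    for r in correlate(WINDOWS_EVENTS, conns):
        print(r["time"], r["user"], r["status"], ",".join(r["sources"]) or "-")
    print("with 60s skew:", correlate(WINDOWS_EVENTS, conns, skew_s=60)[3])
```

With the default three-second window the first two failures attribute cleanly to 10.0.0.77, the third is ambiguous because two hosts opened SMB connections in the same second, and the fourth is unmatched because the sensor's clock is off; widening the skew allowance to a minute recovers it but would also make more events ambiguous on a busy server, which is exactly the trade-off Karl describes.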