NETWORK ENGINEERING
Event monitoring issues
Barrie Sosinsky
12.29.2003
Rating: -4.17- (out of 5)
|
It's an important task to monitor the various events in the security log that pertain to network access and resource usage. These events show up as individual entries in the log in the Event Viewer, which is an MMC snap-in. The log uses obscure NTLM authentication error codes, but their natural language equivalents are also listed in the detail, so that you will find that code 322125583 which translates to "User login outside authorized hours" is buried in the details of each event. Some of the codes of interest may be found at MSDN; but there are two specific authentication failures that need to be monitored, the NTLM errors (event ID 680 and 681), and the Kerberos authentication errors (event ID 675 and 676). A recent article in Windows & Dot Net Magazine (October 2003, p. 57) delves into the topic in more detail.
Among the many issues surrounding the monitoring process is that not only doesn't the Event Viewer provide easy access to errors by type, but if you are tasked with monitoring the logs of many systems you face a collection and reporting problem. There is a filter function in the Event log, but most analysis starts with dumping out the entries into a database or spreadsheet for further analysis. Thus you can write a script that runs on each server of interest at a regular interval and that dumps out the data into a central file. Once the data is collected into an analysis tool like Excel, Access, or the like, you can create the reports needed to understand just what network security issues are arising.
It's not a bad idea to consider investing in a third party tool that provides a collection and reporting function. Among the several that you might want to consider is Symantec's Intruder Alert, GFI LANguard Security Event Log Monitor, and Adiscon's EventReporter. A free tool you might also try is DumpEvt from SystemTools.com, although this tool only provides collection into an Access template and not the reporting function that you need.
Barrie Sosinsky is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.
|
|
Rate this Tip
|
To rate tips, you must be a member of SearchNetworking.com.
Register now
to start rating these tips. Log in if you are already a member.
|
Submit a Tip
|
DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
|
|
|
|
|
|
|
