Among the many issues surrounding the monitoring process is that the Event Viewer does not provide easy access to errors by type, and if you are tasked with monitoring the logs of many systems you also face a collection and reporting problem. The Event log does have a filter function, but most analysis starts with dumping the entries into a database or spreadsheet for further work. One approach is to write a script that runs on each server of interest at a regular interval and dumps the data into a central file. Once the data is collected into an analysis tool such as Excel, Access, or the like, you can create the reports needed to understand just what network security issues are arising.
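The following script is an added example of the collection step described above; it is not code from the original article. It pulls Critical and Error entries from the System and Application logs of several servers and appends them to one central CSV that can then be opened in Excel or imported into Access. The server names and the output path are placeholders, and the script assumes the account running it has remote event log read rights on each server.

```powershell
# Added example (not from the original article): collect Critical and Error
# entries from several servers into one central CSV for later analysis.
# Assumptions: $Servers are placeholder host names, $OutFile is a placeholder
# share path, and the running account can read event logs remotely.

$Servers  = @('SERVER01', 'SERVER02')                 # placeholder host names
$OutFile  = '\\logcollector\eventlogs\errors.csv'     # placeholder central file
$Lookback = (Get-Date).AddHours(-1)                   # matches an hourly schedule

foreach ($server in $Servers) {
    try {
        # Level 1 = Critical, 2 = Error. Filtering on the remote side keeps the
        # amount of data pulled across the network small.
        $events = Get-WinEvent -ComputerName $server -ErrorAction Stop -FilterHashtable @{
            LogName   = @('System', 'Application')
            Level     = @(1, 2)
            StartTime = $Lookback
        }
    }
    catch {
        # Get-WinEvent throws when no entries match or the host is unreachable;
        # record the reason and move on rather than aborting the whole run.
        Write-Warning "$server : $($_.Exception.Message)"
        continue
    }

    # Keep only the first line of the message so each row fits a spreadsheet cell.
    $events |
        Select-Object @{n = 'Server'; e = { $server }},
                      TimeCreated, LogName, Id, LevelDisplayName, ProviderName,
                      @{n = 'Message'; e = { ($_.Message -split "`r?`n")[0] }} |
        Export-Csv -Path $OutFile -Append -NoTypeInformation
}
```

Schedule the script with Task Scheduler at the same interval as the lookback window so consecutive runs do not overlap or leave gaps. Because the central file becomes the record you analyze, restrict write access on the share to the collection account so that entries cannot be quietly edited or removed after collection.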
It's not a bad idea to consider investing in a third-party tool that provides a collection and reporting function. Among the several you might want to consider are Symantec's Intruder Alert, GFI LANguard Security Event Log Monitor, and Adiscon's EventReporter. A free tool you might also try is DumpEvt from SystemTools.com, although this tool only provides collection into an Access template and not the reporting function that you need.
Barrie Sosinsky is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.
This was first published in December 2003