Event monitoring issues

The language of event monitoring errors can often be hard to interpret. This tip describes some methods to help decipher these cryptic codes.

It's an important task to monitor the various events in the security log that pertain to network access and resource usage. These events show up as individual entries in the log in the Event Viewer, which is an MMC snap-in. The log uses obscure NTLM authentication error codes, but their natural language equivalents are also listed in the detail, so you will find that code 322125583, which translates to "User login outside authorized hours", is buried in the details of each event. Some of the codes of interest may be found at MSDN, but there are two specific authentication failures that need to be monitored: the NTLM errors (event ID 680 and 681) and the Kerberos authentication errors (event ID 675 and 676). A recent article in Windows & Dot Net Magazine (October 2003, p. 57) delves into the topic in more detail.

Among the many issues surrounding the monitoring process is that the Event Viewer does not provide easy access to errors by type, and if you are tasked with monitoring the logs of many systems you also face a collection and reporting problem. There is a filter function in the Event log, but most analysis starts with dumping the entries into a database or spreadsheet for further work. Thus you can write a script that runs on each server of interest at a regular interval and dumps the data into a central file. Once the data is collected into an analysis tool like Excel, Access, or the like, you can create the reports needed to understand just what network security issues are arising.
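As an added illustration of the analysis step (this script is not from the original tip), the following Python reads a central dump of the 675/676/680/681 events and translates the raw failure codes into their natural language equivalents; the tab-separated input format, the sample lines and the small code tables are assumptions of the example.

```python
from collections import Counter
# Added example, not from the article. A few well-known NTSTATUS values that
# NTLM failure events 680/681 record (the log shows them in decimal).
NTLM_STATUS = {
    0xC000006A: "wrong password",
    0xC000006F: "logon outside authorized hours",
    0xC0000064: "user name does not exist",
    0xC0000072: "account disabled",
    0xC0000234: "account locked out",
}
# Kerberos error codes that pre-authentication failure event 675 records (hex).
KRB_ERROR = {
    0x6: "client principal unknown",
    0x12: "client credentials revoked (disabled or locked out)",
    0x18: "pre-authentication failed (bad password)",
    0x25: "clock skew too great",
}
NTLM_EVENTS = {680, 681}
KERBEROS_EVENTS = {675, 676}

def decode(event_id, code):
    """Turn a raw failure code (decimal or 0x-hex text) into words."""
    value = int(code, 0)
    if event_id in NTLM_EVENTS:
        return f"0x{value:08X} {NTLM_STATUS.get(value, 'unknown NTLM status')}"
    if event_id in KERBEROS_EVENTS:
        return f"0x{value:X} {KRB_ERROR.get(value, 'unknown Kerberos error')}"
    return f"{code} not an authentication failure event"

def summarize(lines):
    """Count failures per (host, event id, user, decoded reason)."""
    counts = Counter()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the header
        host, event_id, user, code = line.rstrip("\n").split("\t")
        counts[(host, int(event_id), user, decode(int(event_id), code))] += 1
    return counts

# Constructed sample of a central dump; tab-separated host, event id, user, code.
SAMPLE = """\
# host\tevent_id\tuser\tcode
srv01\t681\tjdoe\t3221225583
srv01\t681\tjdoe\t3221225583
srv02\t680\tadmin\t3221225578
srv02\t675\tjdoe\t0x18
"""

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE.splitlines()).items()):
        print(n, *key, sep="\t")
```

Point the script at the file your collection job writes instead of SAMPLE, and the resulting counts can be pasted into Excel or Access for the reporting step.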

It's not a bad idea to consider investing in a third party tool that provides a collection and reporting function. Among the several that you might want to consider are Symantec's Intruder Alert, GFI LANguard Security Event Log Monitor, and Adiscon's EventReporter. A free tool you might also try is DumpEvt from SystemTools.com, although this tool only provides collection into an Access template and not the reporting function that you need.

Barrie Sosinsky is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.
This was first published in December 2003