It's an important task to monitor the various events in the security log that pertain to network access and resource...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
usage. These events show up as individual entries in the log in the Event Viewer, which is an MMC snap-in. The log uses obscure NTLM authentication error codes, but their natural language equivalents are also listed in the detail, so that you will find that code 322125583 which translates to "User login outside authorized hours" is buried in the details of each event. Some of the codes of interest may be found at MSDN; but there are two specific authentication failures that need to be monitored, the NTLM errors (event ID 680 and 681), and the Kerberos authentication errors (event ID 675 and 676). A recent article in Windows & Dot Net Magazine (October 2003, p. 57) delves into the topic in more detail.
Among the many issues surrounding the monitoring process is that not only doesn't the Event Viewer provide easy access to errors by type, but if you are tasked with monitoring the logs of many systems you face a collection and reporting problem. There is a filter function in the Event log, but most analysis starts with dumping out the entries into a database or spreadsheet for further analysis. Thus you can write a script that runs on each server of interest at a regular interval and that dumps out the data into a central file. Once the data is collected into an analysis tool like Excel, Access, or the like, you can create the reports needed to understand just what network security issues are arising.
It's not a bad idea to consider investing in a third party tool that provides a collection and reporting function. Among the several that you might want to consider is Symantec's Intruder Alert, GFI LANguard Security Event Log Monitor, and Adiscon's EventReporter. A free tool you might also try is DumpEvt from SystemTools.com, although this tool only provides collection into an Access template and not the reporting function that you need.
Barrie Sosinsky is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.