It is an important task to monitor the events in the security log that pertain to network access and resource usage. These show up as individual entries in the Security log in the Event Viewer, which is an MMC snap-in. Logon failures are recorded there with obscure NTLM authentication error codes (decimal NTSTATUS values) rather than by name, so you need their natural-language equivalents to read them: buried in the details of such an event you will find, for example, code 3221225583 (0xC000006F), which translates to "User logon outside authorized hours". Some of the codes of interest may be found at
Among the many issues surrounding the monitoring process is that not only does the Event Viewer fail to provide easy access to errors by type, but if you are tasked with monitoring the logs of many systems you also face a collection and reporting problem. There is a filter function in the Event Viewer, but most analysis starts with dumping the entries into a database or spreadsheet. Thus you can write a script that runs against each server of interest at a regular interval and dumps the data into a central file. Once the data is collected into an analysis tool like Excel, Access, or the like, you can create the reports needed to understand just what network security issues are arising.
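As an added example (not code from the article or from any of the tools it names), here is a PowerShell script that does the collection and the first report in one pass: it pulls logon-failure events from each server's Security log, decodes the NTSTATUS codes discussed above into plain language, appends everything to one central CSV, and summarizes by reason. The server names, the share path and the hourly lookback are assumptions; the script reads events 4625 (logon failure) and 4776 (NTLM credential validation), which are the current event IDs carrying these codes, and reads the event fields by name because their positions differ between the two IDs.

```powershell
# Added example, not from the original article. Collects logon failures from
# the Security log of several servers into one central CSV and decodes the
# NTSTATUS error codes; schedule it hourly on a collector host. Server names
# and the share path are assumptions. Needs Event Log Readers rights and
# remote event-log access (RPC) on each target.
param(
    [string[]]$Servers       = @('SRV1', 'SRV2'),                      # assumed names
    [string]  $CentralCsv    = '\\logserver\audit\logon-failures.csv', # assumed share
    [int]     $LookbackHours = 1
)

# NTSTATUS code -> meaning. Keys are normalised upper-case hex; 0xC000006F is
# decimal 3221225583, the "logon outside authorized hours" code quoted above.
$StatusText = @{
    '0xC0000064' = 'Unknown user name'                         # STATUS_NO_SUCH_USER
    '0xC000006A' = 'Bad password'                              # STATUS_WRONG_PASSWORD
    '0xC000006D' = 'Logon failure (bad user name or password)' # STATUS_LOGON_FAILURE
    '0xC000006E' = 'Account restriction'                       # STATUS_ACCOUNT_RESTRICTION
    '0xC000006F' = 'User logon outside authorized hours'       # STATUS_INVALID_LOGON_HOURS
    '0xC0000070' = 'Logon from unauthorized workstation'       # STATUS_INVALID_WORKSTATION
    '0xC0000071' = 'Password expired'                          # STATUS_PASSWORD_EXPIRED
    '0xC0000072' = 'Account disabled'                          # STATUS_ACCOUNT_DISABLED
    '0xC0000193' = 'Account expired'                           # STATUS_ACCOUNT_EXPIRED
    '0xC0000234' = 'Account locked out'                        # STATUS_ACCOUNT_LOCKED_OUT
}

function Convert-StatusCode {
    # Turns the raw '0xc000006f' string found in the event into decimal and text.
    param([string]$Raw)
    $value = [Convert]::ToUInt32($Raw, 16)
    $hex   = '0x{0:X8}' -f $value
    $text  = if ($StatusText.ContainsKey($hex)) { $StatusText[$hex] } else { 'Unmapped code' }
    [pscustomobject]@{ Hex = $hex; Decimal = $value; Meaning = $text }
}

function Get-LogonFailure {
    param([string]$Computer, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4625, 4776; StartTime = $Since }
    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    $events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read EventData by field name; positions differ between 4625 and 4776.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # 4625 puts the specific reason in SubStatus when it is non-zero; 4776 only has Status.
        $raw  = if ($data['SubStatus'] -and $data['SubStatus'] -ne '0x0') { $data['SubStatus'] } else { $data['Status'] }
        $code = Convert-StatusCode -Raw $raw
        [pscustomobject]@{
            Computer    = $Computer
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            User        = $data['TargetUserName']
            Workstation = if ($data['WorkstationName']) { $data['WorkstationName'] } else { $data['Workstation'] }
            SourceIp    = $data['IpAddress']
            Code        = $code.Hex
            Decimal     = $code.Decimal
            Meaning     = $code.Meaning
        }
    }
}

# Collection: pull from every server and append to the central file.
$since = (Get-Date).AddHours(-$LookbackHours)
foreach ($server in $Servers) {
    Get-LogonFailure -Computer $server -Since $since |
        Export-Csv -Path $CentralCsv -Append -NoTypeInformation
}

# Reporting: the summary you would otherwise build in Excel or Access.
$all = Import-Csv -Path $CentralCsv
$all | Group-Object Meaning | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
# Who is trying to log on outside their permitted hours, and from where.
$all | Where-Object Code -eq '0xC000006F' |
    Group-Object User, Workstation | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

Run it from a scheduled task on the collector host rather than on each server. Because it appends, rotate the CSV or filter on TimeCreated before building longer-term reports, and keep an eye on rows marked "Unmapped code": they are recorded with their hex and decimal values so the new code can be added to the table.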
It's not a bad idea to consider investing in a third-party tool that provides collection and reporting functions. Among the several you might want to consider are Symantec's Intruder Alert, GFI LANguard Security Event Log Monitor, and Adiscon's EventReporter. A free tool you might also try is DumpEvt from SystemTools.com, although it only provides collection into an Access template and not the reporting function you need.
Barrie Sosinsky is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and
This was first published in December 2003