Depends. IntersectAlliance has their Snare client, which syslogs your eventlog either locally (useless) or to a remote syslog server (priceless!) and you can filter what you want to watch in the event logs. There's also NTSyslog, and a few others.
For the syslog server, I can recommend the Kiwisoft syslog server, as cheap (or free, but it's cheap enough that you should get the pay version) and very nice.

On Thu, Oct 30, 2008 at 2:54 PM, Clubber Lang <[EMAIL PROTECTED]> wrote:
> I'd like to be able to proactively watch for these events in the security
> logs of about 50 computers in one domain.
>
> This product looks good:
>
> http://www.eventlogxp.com/
>
> Can anyone recommend it or a competitor?
>
>
> On Thu, Oct 30, 2008 at 4:59 AM, Ziots, Edward <[EMAIL PROTECTED]> wrote:
>>
>> I agree but rootkits can hide the true intention of what is going on in
>> the system and subvert anything you are seeing in the gui or logs, and
>> it's going to be pretty hard to tell what is legit and what isn't when
>> you have a kernel rootkit on your system. Albeit there might be a
>> few tell-tale signs. If it's been compromised, incident response
>> measures should be put in place, the system quarantined, wiped and
>> rebuilt from trusted media.
>>
>> Z
>>
>> Edward E. Ziots
>> Network Engineer
>> Lifespan Organization
>> MCSE,MCSA,MCP,Security+,Network+,CCA
>> Phone: 401-639-3505
>> -----Original Message-----
>> From: Ken Schaefer [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, October 29, 2008 7:46 PM
>> To: NT System Admin Issues
>> Subject: RE: Unknown account created and added to local admins group
>>
>> Let's not get carried away with talk of a "rootkit" here.
>>
>> It could be a compromise. But rootkits are there to change the behaviour
>> of the Windows kernel (hence "root" kit). For all we know, this is just
>> a process running as LocalSystem (e.g. any number of services) that
>> performed the changes. Still looks like a compromise.
>>
>> Cheers
>> Ken
>>
>> > -----Original Message-----
>> > From: Phil Brutsche [mailto:[EMAIL PROTECTED]
>> > Sent: Thursday, 30 October 2008 6:17 AM
>> > To: NT System Admin Issues
>> > Subject: Re: Unknown account created and added to local admins group
>> >
>> > I bet that's what the event log would look like if a rootkit running as
>> > SYSTEM added local administrator accounts...
>> >
>> > Clubber Lang wrote:
>> > > Thanks, James. Yeah, the user was the same for all events: NT
>> > > AUTHORITY\SYSTEM
>> > >
>> > > 624 - User Account Created - 9:19:13 AM
>> > > 626 - User Account Enabled - 9:19:13 AM
>> > > 642 - User Account Changed - 9:19:13 AM
>> > > 628 - User Account Password Set - 9:19:13 AM
>> > > 636 - Security Enabled Local Group Member Added - 9:19:14 AM
>> > > 637 - Security Enabled Local Group Member Removed - 9:21:28 AM
>> > > 633 - Security Enabled Global Group Member Removed - 9:21:28 AM
>> > > 630 - User Account Deleted - 9:21:28 AM
>> >
>> > --
>> >
>> > Phil Brutsche
>> > [EMAIL PROTECTED]
>> >
>> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
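
An added example of the kind of filtering the first reply describes (my own code, not from the thread, Snare or Kiwi): once the security logs are forwarded to a central syslog server, a small script can watch for the 624 / 636 / 630 burst Clubber Lang posted, where SYSTEM creates an account, puts it in Administrators and deletes it two minutes later. The line layout, host names and account names below are constructed for the example, not real Snare output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog-style layout (not real Snare output):
# "<date> <time> <host> EventID=<id> Subject=<actor> Target=<account> Group=<group>".
LOG = """\
2008-10-30 09:19:13 ws17 EventID=624 Subject=NT AUTHORITY\\SYSTEM Target=svc_tmp Group=-
2008-10-30 09:19:13 ws17 EventID=626 Subject=NT AUTHORITY\\SYSTEM Target=svc_tmp Group=-
2008-10-30 09:19:13 ws17 EventID=628 Subject=NT AUTHORITY\\SYSTEM Target=svc_tmp Group=-
2008-10-30 09:19:14 ws17 EventID=636 Subject=NT AUTHORITY\\SYSTEM Target=svc_tmp Group=Administrators
2008-10-30 09:21:28 ws17 EventID=637 Subject=NT AUTHORITY\\SYSTEM Target=svc_tmp Group=Administrators
2008-10-30 09:21:28 ws17 EventID=630 Subject=NT AUTHORITY\\SYSTEM Target=svc_tmp Group=-
2008-10-30 10:05:00 ws22 EventID=624 Subject=CORP\\helpdesk Target=jsmith Group=-
2008-10-30 10:05:02 ws22 EventID=636 Subject=CORP\\helpdesk Target=jsmith Group=Remote Desktop Users
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) EventID=(\d+) Subject=(.+?) Target=(\S+) Group=(.*)$")
WINDOW = timedelta(minutes=10)  # an account created and deleted inside this window is suspicious

def parse(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, eid, subject, target, group = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host,
            "eid": int(eid), "subject": subject, "target": target, "group": group}

def detect(text):
    """Flag every 636 add to Administrators, and any account created (624) then
    deleted (630) within WINDOW on the same host; normal admin work rarely does that."""
    findings, created, elevated = [], {}, set()
    for ev in filter(None, map(parse, text.splitlines())):
        key = (ev["host"], ev["target"])
        if ev["eid"] == 624:
            created[key] = ev["ts"]
        elif ev["eid"] == 636 and ev["group"].lower() == "administrators":
            elevated.add(key)
            findings.append(("local_admin_added", ev["host"], ev["target"], ev["subject"]))
        elif ev["eid"] == 630 and key in created:
            if ev["ts"] - created.pop(key) <= WINDOW:
                kind = "ephemeral_admin_account" if key in elevated else "ephemeral_account"
                findings.append((kind, ev["host"], ev["target"], ev["subject"]))
            elevated.discard(key)
    return findings

if __name__ == "__main__":
    for f in detect(LOG):
        print(*f, sep=" | ")
```

The jsmith lines are the benign control: a helpdesk-created account added to Remote Desktop Users and never deleted produces no finding.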
