I'm looking for software to analyze event logs

Archived from groups: microsoft.public.win2000.security

Hi

We have been having trouble with being hacked into twice now and I'm after
some software that can analyze security event logs. I am auditing

account log on event
logon events
policy change

The logs are so long and you have to go into each log to view who it was
that logged on etc. I'm looking for some software that can analyze it and
display it in an easy to view format.


Also, one other query I have is what's the difference between account logon and
logon event.

Thanks
  1.

    Microsoft has the free Event Comb which can help in scanning multiple
    computer security logs for specific information. There are third party tools
    such as those from LANguard that can help manage security logs also.

    http://www.gfi.com/lanselm/

    However you will find that you need to do some detective work yourself and
    evaluate your security practices. There is no "magic" tool that can
    analyze your security logs and tell you exactly what happened. Since you
    have been hacked twice already I would make sure that you have changed all
    administrator passwords, checked the membership of the administrator groups,
    enforced password complexity, enabled an account lockout policy [at least for
    now] that can be used as a primitive intrusion detection, checked that your
    computers are current with critical updates, checked your firewall
    configuration, and so on. Depending on how you have responded to these hacks
    you may still be vulnerable due to misconfiguration or an existing backdoor
    from the other attacks. TechNet Security is a good place to start to learn
    how to secure your computers/network. The Microsoft Baseline Security
    Analyzer should be run on your computers to check for basic vulnerabilities.

    http://www.microsoft.com/technet/security/default.mspx


    Things to look for in the security logs are failed logons or logons from
    accounts at times that don't make sense - particularly the administrator account
    and strangely named computer accounts accessing your network. Your firewall
    logs might be helpful if you can correlate events by time of the attack and
    monitor for ports/protocols that should not be making it into the network,
    showing a problem with firewall configuration. I also highly recommend that
    you download and read the free Antivirus in Depth guide from Microsoft. It
    has some excellent tips on how to try and track down exactly what happened
    using common tools to examine processes, port use, services, files created
    by date, etc.

    http://www.microsoft.com/downloads/details.aspx?FamilyID=f24a8ce3-63a4-45a1-97b6-3fef52f63abb&DisplayLang=en
    http://tinyurl.com/6xajr -- same link shorter.

    Account logon events are generated on the computer that authenticated a user
    for interactive logon. For a domain user that would be the domain controller
    that authenticated the user. For workstation computers it would be the
    computer itself. Logon events are recorded in the security log of a computer
    where a user has used his credentials to access the computer such as a local
    logon or network share [type 3 logon]. The link below will explain this much
    more and give you a better understanding of the auditing process. --- Steve

    http://www.microsoft.com/technet/security/guidance/secmod144.mspx

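The checks described in the answer above (failed logons, administrator logons at odd hours, and where account logon versus logon events get recorded), as an added example that is not part of the original post or of any Microsoft tool. It assumes the Security log has been exported to a simple five-column CSV (a constructed layout) and uses the Windows 2000/2003-era event IDs, which the thread itself does not list.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Windows 2000/2003-era Security log event IDs (assumed here; the thread lists none).
LOGON_OK = {528, 540}                      # logon events: 528 interactive, 540 network
LOGON_FAIL = set(range(529, 538)) | {539}  # logon events: failed logons
ACCOUNT_LOGON = {672, 675, 680, 681}       # account logon events, written by the authenticator

# Constructed sample export, columns: time, computer, event_id, user, logon_type
SAMPLE = """\
2004-12-10 09:02:11,DC1,672,alice,
2004-12-10 09:02:12,WS07,528,alice,2
2004-12-10 09:15:40,FS01,540,alice,3
2004-12-11 02:41:03,FS01,529,Administrator,3
2004-12-11 02:41:05,FS01,529,Administrator,3
2004-12-11 02:41:09,FS01,529,Administrator,3
2004-12-11 02:44:30,DC1,680,Administrator,
2004-12-11 02:44:31,FS01,540,Administrator,3
"""

def category(event_id):
    if event_id in ACCOUNT_LOGON:
        return "account logon"
    return "logon" if event_id in LOGON_OK | LOGON_FAIL else "other"

def analyze(text, admins=("administrator",), work_hours=range(7, 19), threshold=3):
    """Return (findings, where): flagged events and event counts per (category, computer)."""
    failures, where, findings = Counter(), Counter(), []
    for row in csv.reader(io.StringIO(text)):
        ts, computer, eid, user, _logon_type = row
        eid, user = int(eid), user.lower()
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        where[(category(eid), computer)] += 1
        if eid in LOGON_FAIL:
            failures[user] += 1
            if failures[user] == threshold:  # report once, when the threshold is reached
                findings.append(("repeated-failed-logons", user, computer, ts))
        elif eid in LOGON_OK and user in admins and hour not in work_hours:
            findings.append(("off-hours-admin-logon", user, computer, ts))
    return findings, where

if __name__ == "__main__":
    findings, where = analyze(SAMPLE)
    for item in findings:
        print(*item)
    for (cat, computer), n in sorted(where.items()):
        print(f"{cat:14} {computer:5} {n}")
```

In the sample, the account logon events appear only on DC1 (the authenticating domain controller), while the logon events appear on WS07 and FS01, the machines that were actually accessed.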
  2.

    From where I can obtain or download the Event Comb mentioned by Steven?
  3.

    It is available at the link below. --- Steve

    http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

    "Chandrasekharran" <Chandrasekharran@discussions.microsoft.com> wrote in
    message news:E56D829E-7AA7-46C6-B0A8-BCF719ACD6E9@microsoft.com...
    > From where I can obtain or download the Event Comb mentioned by Steven?