Network Security Focus-Microsoft

Re: Centralizing Event Viewer Logs

Subject: Re: Centralizing Event Viewer Logs
Date: Fri, 1 Feb 2008 22:29:03 +0300
Hi,

If you get it on a Linux or certain Unix boxes where there are file
system level access controls to prevent modifications, that'll be
enough.

For example: Linux ext2 FS has the ACL to allow log files only to be
opened append-only; you can search for the lsattr and chattr commands.
I have used this feature with Linux and AIX (JFS2).

Theoretically there is no way you can hide things from the sysadmin (I
mean real sysadmins). Even if you encrypt it, the sysadmin will still
have the private key to decrypt it.

Cheers,

Kosala

On Jan 30, 2008 1:28 AM, S D Fisher <fuzzlecat@comcast.net> wrote:
How does one then protect the syslog server from tampering?
The second part of the requirement (usually) is some sort of encryption or
hashing process that protects the collected logs on the syslog server from
even the admins.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Ron Johnson - Adhost
Sent: Tuesday, January 29, 2008 3:27 PM
To: Kurt Buff
Cc: focus-ms@securityfocus.com

Subject: RE: Centralizing Event Viewer Logs

Thanks for all the quick input folks. I will definitely look into each
solution.


-Ron

-----Original Message-----
From: Kurt Buff [mailto:kurt.buff@gmail.com]
Sent: Tuesday, January 29, 2008 12:24 PM
To: Ron Johnson - Adhost
Cc: focus-ms@securityfocus.com
Subject: Re: Centralizing Event Viewer Logs

There are several alternatives, but I've settled on the Kiwisoft
syslog server (the free version is fine, but the pay version is cheap
and does some very nice extra things) and the IntersectAlliance Snare
syslog client. The Snare client takes each event entry, formats it to
a single line, then sends it to the syslog server. Install it on each
of your machines for which you are monitoring event logs, and it works
nicely.

On Jan 29, 2008 11:51 AM, Ron Johnson - Adhost <ron@adhost.com> wrote:
Hello List:

I was looking into options that will allow us to centralize Event Viewer
Logs in an Active Directory domain - can anyone recommend any software
for this? It would be great if we could find a piece of software that
does just this - not a full blown enterprise security solution that
cost$ and does many other things that we wouldn't use it for
necessarily.

Thanks!

-- 
Kosala
--------------------------------------------
Disclaimer: Views expressed in this mail are my personal views and
they would not reflect views of the employer.
--------------------------------------------
blog.kosala.net
www.linux.lk/~kosala/
www.kosala.net
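The append-only protection Kosala mentions (chattr +a / lsattr on ext2-family filesystems) is only useful if it is actually set on every collected log file, so here is an added example, not from the thread, of a defender's check: a small POSIX sh function that reads lsattr-style output and reports any file that lacks the 'a' flag. The sample lsattr lines are constructed; on a real syslog host you would feed it `lsattr /var/log/*.log` instead.

```shell
#!/bin/sh
# Added example (not from the original thread): audit log files for the
# append-only attribute ('a' in lsattr output). With +a set, even root can
# only append to the file until the flag is cleared with chattr -a, which
# is a privileged, auditable action rather than a silent edit.

# check_append_only: reads "flags path" lines (lsattr format) on stdin,
# prints every file that is NOT append-only, returns 0 if all are, 1 if not.
check_append_only() {
    status=0
    while read -r flags path; do
        [ -n "$path" ] || continue          # skip blank lines
        case "$flags" in
            *a*) ;;                         # lowercase 'a' = append-only
            *)   printf 'NOT append-only: %s\n' "$path"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample of lsattr output: syslog is protected, auth.log is not.
SAMPLE_LSATTR='----a--------e-- /var/log/syslog
-------------e-- /var/log/auth.log'

# Real use on a syslog host (lsattr comes with e2fsprogs):
#   lsattr /var/log/*.log | check_append_only
printf '%s\n' "$SAMPLE_LSATTR" | check_append_only \
    || printf 'Remediate with: chattr +a <file> (requires CAP_LINUX_IMMUTABLE)\n'
```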