RE: [ActiveDir] security event log audits
I wrote a nice little fortune cookie program years ago for when your PC starts up; however, I am still planning on looking at MACS. :o)
- http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware)
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] security event log audits
I also wrote a lot of things many years ago ;-) I'd still have a closer look at MACS today...
RE: [ActiveDir] security event log audits
I wrote it four years ago. A Windows NT service on every machine sends the information (every event log section) to an ODBC-connected database (Oracle, MS SQL Server, DB2, MySQL, etc.). I also wrote the administrative client to set up, install, modify the configuration and query the database, produce reports (Crystal, HTML, PDF, etc.) and also send scripts, as well as programs, to modify the system from a remote location.
RE: [ActiveDir] security event log audits
Short answer: Yes
More detailed info: http://www.windowsboston.com/downloads/doc/MACS_beta_Overview.doc
Hope that helps :)
r/ Lou
RE: [ActiveDir] security event log audits
Will this work for Win2k servers also?
Mike
RE: [ActiveDir] security event log audits
Ahhh… I forgot about that coming. Thanks Guido!
RE: [ActiveDir] security event log audits
MACS (MS Audit Collector System) will do all of that for you and likely much more efficiently than what you'd do yourself (and more secure as well) - should be released soon (I think with 2003 SP1)
/Guido

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 16 March 2004 19:18
To: [EMAIL PROTECTED]
Subject: [ActiveDir] security event log audits

Has anyone had success putting together something home-grown to centralize security event logs into a SQL database? If so, I wanted to get some tips on how the tables should be set up - can all events that are captured in the security log be placed in the same table, or do different events have their own structure and would have to go into separate tables?

Also, I'm familiar with EventCombMT and eldump - are there any other tools I should be considering to pull the data? I'm assuming I'll need to use something like one of those to act as the middleware between the logs and the database.

Thanks...

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
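Mark's table-layout question, and the one-service-per-machine-to-database design Stefano describes above, as an added example (this is not code from the thread, from Stefano's service, or from MACS). Every NT/2000/2003 event log record carries the same fixed header (the EVENTLOGRECORD fields: record number, timestamps, event ID, type, category, source, computer, user SID); only the insertion strings vary in number and meaning per event ID. So one header table plus a child table of positional strings holds every security event, and per-ID queries are layered on top. Assumptions: sqlite3 stands in for the ODBC target, the sample records are constructed (not real log data), the insertion-string positions used for the account name are assumed for the sample, and event IDs 528 (successful logon), 529 (bad user name or password) and 517 (audit log cleared) carry their Windows 2000/2003 meanings.

```python
import sqlite3
from dataclasses import dataclass, field
from typing import List

# EventType values from winnt.h for audit records.
EVENTLOG_AUDIT_SUCCESS = 0x0008
EVENTLOG_AUDIT_FAILURE = 0x0010


@dataclass
class EventRecord:
    """Fixed EVENTLOGRECORD header fields plus the variable insertion strings."""
    computer_name: str
    record_number: int
    time_generated: int        # seconds since the epoch, as the API reports it
    event_id: int
    event_type: int
    event_category: int
    source_name: str
    user_sid: str
    strings: List[str] = field(default_factory=list)


SCHEMA = """
CREATE TABLE IF NOT EXISTS event (
    id             INTEGER PRIMARY KEY,
    computer_name  TEXT    NOT NULL,
    record_number  INTEGER NOT NULL,
    time_generated INTEGER NOT NULL,
    event_id       INTEGER NOT NULL,
    event_type     INTEGER NOT NULL,
    event_category INTEGER NOT NULL,
    source_name    TEXT    NOT NULL,
    user_sid       TEXT,
    -- record numbers restart when a log is cleared, so the time is part of the
    -- key; with it a restarted collector cannot double-insert the same record
    UNIQUE (computer_name, record_number, time_generated)
);
CREATE TABLE IF NOT EXISTS event_string (
    event_ref INTEGER NOT NULL REFERENCES event(id) ON DELETE CASCADE,
    position  INTEGER NOT NULL,   -- 0-based index into the insertion strings
    value     TEXT    NOT NULL,
    PRIMARY KEY (event_ref, position)
);
CREATE INDEX IF NOT EXISTS ix_event_id_time ON event (event_id, time_generated);
"""


def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def ingest(conn, records):
    """Store records; returns how many were new (duplicates are skipped)."""
    new = 0
    for r in records:
        cur = conn.execute(
            "INSERT OR IGNORE INTO event (computer_name, record_number, time_generated, "
            "event_id, event_type, event_category, source_name, user_sid) "
            "VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
            (r.computer_name, r.record_number, r.time_generated, r.event_id,
             r.event_type, r.event_category, r.source_name, r.user_sid))
        if cur.rowcount == 0:          # already stored: leave its strings alone
            continue
        new += 1
        conn.executemany(
            "INSERT INTO event_string (event_ref, position, value) VALUES (?, ?, ?)",
            [(cur.lastrowid, i, s) for i, s in enumerate(r.strings)])
    conn.commit()
    return new


def failed_logons_by_account(conn, min_count=1):
    """Event 529 failures grouped by account; the account is assumed to be
    insertion string 0 (true for the constructed sample below)."""
    return conn.execute(
        "SELECT s.value, COUNT(*) AS n FROM event e "
        "JOIN event_string s ON s.event_ref = e.id AND s.position = 0 "
        "WHERE e.event_id = 529 AND e.event_type = ? "
        "GROUP BY s.value HAVING COUNT(*) >= ? ORDER BY n DESC, s.value",
        (EVENTLOG_AUDIT_FAILURE, min_count)).fetchall()


def audit_log_cleared(conn):
    """Event 517 (the audit log was cleared): every hit deserves an alert."""
    return [row[0] for row in conn.execute(
        "SELECT DISTINCT computer_name FROM event WHERE event_id = 517 ORDER BY 1")]


# Constructed sample batch (not real log data); the last entry is record 1002
# re-sent by the collector after a restart and must not be stored twice.
ADMIN_FAIL = ["administrator", "CORP", "3", "NTLM", "WS17"]
SAMPLE = [
    EventRecord("SRV01", 1001, 1079460000, 528, EVENTLOG_AUDIT_SUCCESS, 2, "Security",
                "S-1-5-21-1-2-3-1001", ["mcreamer", "CORP", "2", "User32", "SRV01"]),
    EventRecord("SRV01", 1002, 1079460060, 529, EVENTLOG_AUDIT_FAILURE, 2, "Security", "S-1-5-18", ADMIN_FAIL),
    EventRecord("SRV01", 1003, 1079460062, 529, EVENTLOG_AUDIT_FAILURE, 2, "Security", "S-1-5-18", ADMIN_FAIL),
    EventRecord("SRV01", 1004, 1079460064, 529, EVENTLOG_AUDIT_FAILURE, 2, "Security", "S-1-5-18", ADMIN_FAIL),
    EventRecord("SRV01", 1005, 1079460300, 529, EVENTLOG_AUDIT_FAILURE, 2, "Security",
                "S-1-5-18", ["jdoe", "CORP", "2", "User32", "SRV01"]),
    EventRecord("SRV02", 7, 1079460400, 517, EVENTLOG_AUDIT_SUCCESS, 1, "Security",
                "S-1-5-21-1-2-3-500", ["Administrator", "CORP", "(0x0,0x3E7)"]),
    EventRecord("SRV01", 1002, 1079460060, 529, EVENTLOG_AUDIT_FAILURE, 2, "Security", "S-1-5-18", ADMIN_FAIL),
]

if __name__ == "__main__":
    db = open_store()
    print("stored", ingest(db, SAMPLE), "new records")
    print("repeated failures:", failed_logons_by_account(db, 2))
    print("security log cleared on:", audit_log_cleared(db))
```

The per-host collector (Stefano's NT service, or EventCombMT/eldump output fed through a loader) only has to emit the header fields and the string array; nothing per event ID lives in the schema, so a new event ID needs a new query, not a new table. Treat the database as append-only for the collector account (INSERT only, no DELETE or UPDATE grants), since a host that can rewrite its own history defeats the point of centralising the logs.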