> 1. Is there any way to identify these machines - from
> where it was tried?

Now? No. Depending on your architecture, you might have some info in DHCP, WINS, or firewall logs that would be of use.

> 2. Is there any way to monitor these servers and alert
> generated if any unsuccessful attempt? (I know we can
> implement IDS and achieve this. But any special tool
> for NT other than IDS. Also if IDS is the only
> solution then which is the best IDS)?

For IDS, I'd recommend snort...it's free, pretty easy to use, and runs on NT/2K, if that's what you need.

Regarding your solution...I've written Perl scripts that may be of interest. Go to:

http://patriot.net/~carvdawg/perl.html

The script 'wmievt.pl' uses WMI to implement an app that listens for Events...it doesn't poll, so very little CPU time is consumed as it 'waits'. Using the skeleton code, you can include filters for specific event IDs. Using other modules, this code can be written as an NT service, as well as send alerts out via email, syslog, etc.

For the above code to work, you need to have WMI classes from Microsoft installed on NT. If you don't want to do that, I have some Perl code that uses another implementation that will do the same thing on NT...

Another possible solution is to use something like NTSyslog to send the EventLog entries out to a centralized server, and then use Kiwi Enterprises' Syslog Daemon...even the free version allows for email alerts.

HTH,

Carv
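
The event-driven WMI listener described in the reply above can be sketched as follows. This is an added example, not the 'wmievt.pl' script from the linked page; it assumes the Win32::OLE module, the local machine as the target, and event ID 529 (the NT/2000 "unknown user name or bad password" logon failure) as the filter.

```perl
#!/usr/bin/perl
# Added example: event-driven (non-polling) watch on the Security log via WMI.
use strict;
use warnings;
use Win32::OLE;

# Assumption: 529 is the NT/2000 "logon failure: unknown user name or bad
# password" event; extend the list with other IDs you want alerts for.
my @event_ids = (529);

# The (Security) privilege is needed to read the Security log through WMI.
my $moniker = 'winmgmts:{impersonationLevel=impersonate,(Security)}!//./root/cimv2';
my $wmi = Win32::OLE->GetObject($moniker)
    or die "WMI connect failed: " . Win32::OLE->LastError() . "\n";

# WQL: deliver each new Security log record whose EventCode matches.
my $codes = join ' OR ', map { "TargetInstance.EventCode = $_" } @event_ids;
my $wql = "SELECT * FROM __InstanceCreationEvent "
        . "WHERE TargetInstance ISA 'Win32_NTLogEvent' "
        . "AND TargetInstance.Logfile = 'Security' AND ($codes)";

my $source = $wmi->ExecNotificationQuery($wql)
    or die "Subscription failed: " . Win32::OLE->LastError() . "\n";

print "Waiting for events: @event_ids\n";
while (1) {
    # NextEvent() blocks until WMI delivers an event, so nothing is polled.
    my $event = $source->NextEvent()
        or die "NextEvent failed: " . Win32::OLE->LastError() . "\n";
    my $rec = $event->{TargetInstance};
    my $msg = defined $rec->{Message} ? $rec->{Message} : '';
    $msg =~ s/\s+/ /g;    # flatten the multi-line description to one line
    printf "%s id=%s host=%s %s\n",
        $rec->{TimeGenerated}, $rec->{EventCode}, $rec->{ComputerName}, $msg;
    # An e-mail or syslog sender would be called here instead of printf.
}
```

Nothing is delivered unless auditing of failed logons is enabled on the server, since the events must first be written to the Security log.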