Sunday, August 2, 2009

Security Event Logs - Windows 2008 and Nagios



Have you ever wondered what does Event 4790 or 4767 in your security audit is all about? Well, i do, but i don't know many many more.

These IDs are super important, say for instance the famous 4740. This event ID should always be tracked. Why? It means someone's ID is locked out and it could be an impersonator. It is important to get this and many many more IDs in Windows security auditing enabled in your corp net. If you have one server, eh, fine.. if you have 100 now the question is, how can we automate, pickup and evaluate "right" problems/threats.

I would recommend Nagios. With this puppy, you can simply put out all events, do filter, say for instance, get all 4740 with the username "Bob Hope". Bob, is your CEO and if his account is locked out, we better sort it out.

So, with free form queries, a little guide from Microsoft (see link below) and some consulting from us (fat grin), you can achieve a powerful, centralized, "intelligent" security event log correlator solution for nuts (no license cost). Really, Nagios is free.

In my next post, i will show a litle how i query a Windows 2008 server to filter out Bob Hope's event 4740 and give me a "state" CRITICAL, send an email out or an SMS immediately.

Nagios and this tiny events plug-in and 8MB agent on your 2008 server/workstation, we can:
  • Selection criteria can be defined to filter from most eventlog fields
  • Criteria can be defined using a FIELD:VALUE pairs
  • AND/OR operations can be employed to create complex filtering rules
  • Choose to INCLUDE or EXCLUDE eventlog records
  • Define the time period for which events you are after
  • Either trigger on most CRITICAL alert in defined time period or trigger on LASTEST event status (useful for checking of backups)
Which brings you and i to a tool, a powerful monitoring tool, to a powerful security collaborative tool.

Also, if you wish to know more about the events in Windows 2008 and Vista, check out this guide from MS Support: http://support.microsoft.com/default.aspx?scid=kb;EN-US;947226

1 comment:

Anonymous said...

Thanks for the post

waiting for your next one

Aleem