Event Log Analysis

@Hearth

I need to be able to monitor/review IIS activity and Active Directory access.

What server are you using? If you are using window server 2008 or the new window server 2011. It does monitor/review IIS activity and Active Directory access. If you create a branch ping each computer and input the ip address and put a qouta on how many people can access a server that has sensitive information. You monitor/review each computer. if someone try to go to access the server it will denied that access plus it will automaticly logoff the computer.

I'm not here to argue with you just want to gave my experience of doing that. Whatever happaned last time was in the past.

@Mitch

Thanks. We are mostly on older WS2003 Servers. Its not he logging itself that is a problem, the logs are catching all the information I need. What I am looking for is a tool to analyse the logs, and make them more easily human readable with the ability to filter for specific types of data and highlight patterns of activity. I have scripts I use for our linux servers and firewall logs, but I'm looking for a good easy way to do this with the Windows event logs.

You might want to have a look at the free log parser tool from Microsoft which can be downloaded here

Hearth,

In addition to using a single tactical tool, you may consider implementing Microsoft's System Center Operations Manager (SCOM) if there is a business case for it.

One of the features of SCOM is that it allows you to centrally manage the event logs for your servers and use "Management Packs" to trigger alerts for target items found within the server logs. SCOM has support for IIS, AD, DNS, Exchange, etc...

The Management packs already come prebuilt but can be modified, or you can even build your own packs if you needed some type of custom solution in rare cases.

@Hearth

Window 2003 is bit old. But does monitor activities.

Basicaly, I want to be able to filter by types of entries or content, and search. If it has some smarts built in for things like highlighting suspicious behaviour that would be great too. I need to be able to monitor/review IIS activity and Active Directory access.

-

What I am looking for is a tool to analyse the logs, and make them more easily human readable with the ability to filter for specific types of data and highlight patterns of activity.

Base on what you mention above, you want to know how to keep track of sensitive files that were be created, opened, or deleted files or other objects.

I think this is what you are looking for:

http://support.microsoft.com/kb/814595

It's call Audit Active Directory Objects in Windows Server 2003.

This will defintely help you do that.

Also download the link that JIm provided (because I was about to post it) too

@Mitch

Thanks for the ideas. I do know about AD Auditing, but its more on the post-analysis of the resulting logs that I'm looking for. Also, I am more interested in network based access (AD Authentication entries for instance) than File level activity.

@Jorge

I think that SCOM is probably a lot bigger than we need, but I will look further into its log alert capabilities and see if there is enough value for me to justify including it in our planned server upgrade.

@Jim

Thanks, it looks like that tool might do what I need for the time being. I've downloaded and will give it a try.

---

Any more ideas or 3rd party tools I'd love to hear about, but I'll go ahead and mark this solved now. Thanks all.