The Logging Experts
Article created by Rainer Gerhards. The Windows event log provides multiple evidence of potential intrusions. We will discuss what to look for when checking the event log. We have used Windows 10 while updating this text. There may be differences for other versions, so you might want to check if you are using a different […]
MonitorWare Agent can receive vital network status information from a variety of devices. As these devices are from many different vendors and have many different applications, it is impossible to provide detailed configuration information for all of them. We provide configuration information for some well-known devices. Hopefully, the samples will provide some idea of how […]
In this scenario, an event log monitor is used to forward all events written to the NT Event Log to a SETP server. This is another instance of the MonitorWare Agent, typically running at a central hub system. This instance receives the event data generated by the sending MonitorWare Agent/EventReporter and can then act accordingly […]
Article created by Rainer Gerhards. In this scenario, a simple syslog server will be created. No other services are configured. The syslog server will operate as a standard syslog server on the default port of 514/UDP. All incoming data will be written to a single text file. Step 1 – Defining a Rule Set for […]
Created by Wajih-ur-Rehman. I entered my license information through the client interface but it still says that it is a “trial version”. How to solve this problem? Following are some of the reasons for your problem: If your license name does not have a space at the end, make sure that you dont put the […]
Created by Wajih-ur-Rehman. Overview This paper explains you the Rule Engine that is employed in some of the MonitorWare Line of Products namely MonitorWare Agent, WinSyslog and Event Reporter 6.0 (and higher) What is Rule Engine Rule Engine is actually an engine present in the above mentioned MonitorWare Line of Products using which you can […]
Created by Wajih-ur-Rehman. Overview This paper is not an in depth paper about syslog. It simply gives you an overview and a broader picture about the Syslog Protocol and its architecture. If you are interested in in-depth details about Syslog, I would strongly suggest you to go through RFC: 3164.
By Rainer Gerhards Abstract This paper describes the IIS workflow (aka “order of operations”) as far as the author thinks it is. I have tried hard to make the information as complete and accurate as possible, but obviously it might be wrong as I haven’t coded IIS. All information in this paper is taken from […]
Important Preface! This document bases on information and testing done with IIS 1.0. We have not re-tried it with later versions. However, we feel very comfortable with the information contained herein and think that it still is correct. There is just one exception: if you create an application in MMC under IIS 4.0, your ISAPI […]
By Rainer Gerhards Why care about Password Attacks Windows servers and workstations have become a primary target for malicious users. Be it hackers that try to deface a web site, the Warez community in search for “free” FTP server space or just your internal users interest in restricted files. One common thing about them is […]