The Logging Experts
The Logging Experts
Article created by Rainer Gerhards. Solving problems is closely related to alerting. As with alerting, actions are to be executed if a trigger condition exists. With problem-solving, these are actual corrective actions. Samples are deleting temporary files when disk space goes low or blocking an external IP address in a firewall in case an attack […]
Article created by Rainer Gerhards. In this scenario, the primary concern is to receive alerts if specific events happen. Of course, alerting is often used together with other scenarios as alerting alone does not provide in-depth analysis or storage of the captured events. Alerts can be generated by every running instance of MonitorWare Agent. As […]
The event log monitor service pulls events from the Windows event logs. In Windows’ default setup, the information contained in the logs is sparse and far from sufficient for security monitoring. If you are solely interested in checking system health, the default setting can be sufficient. If you are interested in security monitoring, you definitely […]
Article created by Rainer Gerhards. A hardened log host is a system that is especially configured to prevent malicious users from modifying any log data stored inside it. A hardened log host is especially useful if tampering with log data is to be avoided. Setting up a proper hardened host can definitely help if evidence […]
Article created by Rainer Gerhards. MonitorWare Agent can be used with standard firewalling. The product itself does not require any specific access privileges to network services like RPC or the like. The Windows networking support required is fully dependant on the needs of the network or security administrator. If a fully locked-down system is desired, […]
Article created by Rainer Gerhards. The Windows event log provides multiple evidence of potential intrusions. We will discuss what to look for when checking the event log. We have used Windows 10 while updating this text. There may be differences for other versions, so you might want to check if you are using a different […]
MonitorWare Agent can receive vital network status information from a variety of devices. As these devices are from many different vendors and have many different applications, it is impossible to provide detailed configuration information for all of them. We provide configuration information for some well-known devices. Hopefully, the samples will provide some idea of how […]
In this scenario, an event log monitor is used to forward all events written to the NT Event Log to a SETP server. This is another instance of the MonitorWare Agent, typically running at a central hub system. This instance receives the event data generated by the sending MonitorWare Agent/EventReporter and can then act accordingly […]
Article created by Rainer Gerhards. In this scenario, a simple syslog server will be created. No other services are configured. The syslog server will operate as a standard syslog server on the default port of 514/UDP. All incoming data will be written to a single text file. Step 1 – Defining a Rule Set for […]
Created by Wajih-ur-Rehman. I entered my license information through the client interface but it still says that it is a “trial version”. How to solve this problem? Following are some of the reasons for your problem: If your license name does not have a space at the end, make sure that you dont put the […]