taiyed14 Posted March 11, 2009
I'm looking for some server software that will allow me to collect Windows logon attempts, application crashes/errors and system events from computers on the network. I hope to monitor these logs for security breaches and attack attempts. Has anyone set something like this up? Could anyone suggest some preferable free or open source software?
digininja Posted March 11, 2009
I'm not a Windows expert, but I know that you can get login attempts recorded in the system log and I'd guess other stuff like crashes go in there too. You can then probably access this info through WMI so you can share it over the network.
digip Posted March 11, 2009
Set up event logging and audit rules for the domain in group policy? Then check the event viewer for each machine's logs: Start, Run, "eventvwr.msc". You can right-click Event Viewer and connect to another machine to look at its logs.
SETone Posted March 11, 2009
At work I have set up Questsoft's BigBrother, but it is not free. I also know there are a lot of scripts you can use to do almost what you want here. Microsoft TechNet has some scripts you might want to take a look at: http://www.microsoft.com/technet/scriptcen...t.mspx?mfr=true

And Microsoft Sysinternals has some tools; this might be what you need:

PsLoglist
The Resource Kit comes with a utility, elogdump, that lets you dump the contents of an Event Log on the local or a remote computer. PsLogList is a clone of elogdump except that PsLogList lets you login to remote systems in situations your current set of security credentials would not permit access to the Event Log, and PsLogList retrieves message strings from the computer on which the event log you view resides.

Or, if you have the support pack, there is an Event Log Management Script tool (Eventlog.pl).
TalioGladius Posted March 11, 2009
Turn on auditing of success and failure login attempts in the local policy (gpedit.msc). Login attempts will then show up in the event viewer.
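The audit setting above can also be switched on from a script rather than by clicking through gpedit.msc. The following is an added PowerShell example written for this thread, not something any of the posters supplied. It assumes Windows Vista / Server 2008 or later (auditpol.exe, and the Security log event IDs 4624 for a successful logon and 4625 for a failed logon), and that it is run from an elevated prompt. The property names it pulls out of the 4625 event data (TargetUserName, TargetDomainName, IpAddress, LogonType, Status) are the standard fields of that event.

```powershell
# Added example (not from the thread): enable logon success/failure auditing
# from a script and confirm that logon events are being written.
# Assumes Vista/2008 or later (auditpol.exe, event IDs 4624/4625) and an
# elevated session.

# Enable both success and failure auditing for the Logon subcategory.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Print the effective setting so the change can be verified.
auditpol /get /subcategory:"Logon"

# Show the ten most recent failed logons (4625) with account, source and reason.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625 } -MaxEvents 10 |
    ForEach-Object {
        # The interesting fields live in the event's XML EventData section.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Source    = $d['IpAddress']      # '-' for local/console logons
            LogonType = $d['LogonType']      # 2 interactive, 3 network, 10 RDP, ...
            Status    = $d['Status']         # NTSTATUS code, e.g. 0xC000006D bad credentials
        }
    } | Format-Table Time, Account, Source, LogonType, Status -AutoSize
```

Running the query part on its own is a quick way to check that a machine is actually recording failures before you start collecting from it; if auditing is off, the Security log simply has no 4625 entries and Get-WinEvent reports that no events were found.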
taiyed14 Posted March 11, 2009 (Author)
Wow, thanks for all the ideas and suggestions. I haven't yet looked into SETone's app suggestions, but what I'm looking for is software that will centralize all the logs to one machine. This way, I don't need to check every machine's event log.
SETone Posted March 12, 2009
> Wow, thanks for all the ideas and suggestions. I haven't yet looked into SETone's app suggestions, but what I'm looking for is software that will centralize all the logs to one machine. This way, I don't need to check every machine's event log.

PsLogList is your tool. You can make a .bat file and fill in all the commands needed to get the events from all your servers. Then make a Scheduled Task to run your .bat file as often as you want. :)

Using PsLogList

The default behavior of PsLogList is to show the contents of the System Event Log on the local computer, with visually-friendly formatting of Event Log records. Command line options let you view logs on different computers, use a different account to view a log, or to have the output formatted in a string-search friendly way.

usage: psloglist [-] [\\computer[,computer[,...] | @file [-u username [-p password]]] [-s [-t delimiter]] [-m #|-n #|-h #|-d #|-w] [-c] [-x] [-r] [-a mm/dd/yy] [-b mm/dd/yy] [-f filter] [-i ID[,ID[,...]] | -e ID[,ID[,...]]] [-o event source[,event source][,..]] [-q event source[,event source][,..]] [-l event log file] <eventlog>

  @file  Execute the command on each of the computers listed in the file.
  -a     Dump records timestamped after specified date.
  -b     Dump records timestamped before specified date.
  -c     Clear the event log after displaying.
  -d     Only display records from previous n days.
  -e     Exclude events with the specified ID or IDs (up to 10).
  -f     Filter event types with filter string (e.g. "-f w" to filter warnings).
  -h     Only display records from previous n hours.
  -i     Show only events with the specified ID or IDs (up to 10).
  -l     Dump records from the specified event log file.
  -m     Only display records from previous n minutes.
  -n     Only display the number of most recent entries specified.
  -o     Show only records from the specified event source (e.g. "-o cdrom").
  -p     Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
  -q     Omit records from the specified event source or sources (e.g. "-q cdrom").
  -r     Dump log from least recent to most recent.
  -s     This switch has PsLogList print Event Log records one-per-line, with comma delimited fields. This format is convenient for text searches, e.g. psloglist | findstr /i text, and for importing the output into a spreadsheet.
  -t     The default delimiter is a comma, but can be overridden with the specified character.
  -u     Specifies optional user name for login to remote computer.
  -w     Wait for new events, dumping them as they generate (local system only).
  -x     Dump extended data.
  <eventlog>  Name of the event log to dump (e.g. system).
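The scheduled collection SETone describes (pull from every server on a timer, keep the results in one place) can be done with PowerShell's built-in event log cmdlets instead of psloglist in a .bat file. The script below is an added example written for this thread, not code from any of the posters or from Sysinternals. It assumes PowerShell 2.0 or later on the collecting machine, targets running Vista / Server 2008 or later (so the event IDs are 4625 for a failed logon, 4624 for a successful logon, and 1000 for an Application Error crash report), that the account running it may read the remote logs, and that the "Remote Event Log Management" firewall rule group is enabled on the targets. The file paths are placeholders to adjust.

```powershell
# Added example (not from the thread): collect logon failures, logons and
# application crashes from a list of machines into one CSV on the collector,
# remembering where each host was last read so nothing is fetched twice.
# Assumptions: PowerShell 2.0+, Vista/2008+ targets (event IDs 4625/4624/1000),
# an account with remote event log read access, firewall exception present.
# All paths are placeholders.

$Computers   = Get-Content 'C:\logcollect\computers.txt'   # one hostname per line
$OutDir      = 'C:\logcollect\out'
$BookmarkXml = 'C:\logcollect\bookmarks.xml'               # last read time per host

# (log, event ID) pairs to collect; add more as the monitoring needs grow.
$Queries = @(
    @{ LogName = 'Security';    ID = 4625 },   # failed logon attempts
    @{ LogName = 'Security';    ID = 4624 },   # successful logons, for baselining
    @{ LogName = 'Application'; ID = 1000 }    # application crashes (Application Error)
)

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$Bookmarks = if (Test-Path $BookmarkXml) { Import-Clixml $BookmarkXml } else { @{} }

$Collected = @()
foreach ($Computer in $Computers) {
    # Resume from the last successful read, or the past 24 hours on the first run.
    $Since    = if ($Bookmarks.ContainsKey($Computer)) { $Bookmarks[$Computer] } else { (Get-Date).AddDays(-1) }
    $RunStart = Get-Date
    $Failed   = $false

    foreach ($Q in $Queries) {
        $Filter = @{ LogName = $Q.LogName; ID = $Q.ID; StartTime = $Since }
        try {
            # -ErrorAction Stop makes "no events" and access errors catchable.
            $Events = Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter -ErrorAction Stop
        } catch [Exception] {
            if ($_.Exception.Message -like '*No events were found*') { continue }
            Write-Warning "$Computer ($($Q.LogName)/$($Q.ID)): $($_.Exception.Message)"
            $Failed = $true
            continue
        }
        $Collected += $Events | Select-Object @{ n = 'Computer'; e = { $Computer } },
            TimeCreated, Id, ProviderName, LevelDisplayName, Message
    }

    # Advance the bookmark only when every query against this host succeeded,
    # so an unreachable host is retried from the same point next run.
    if (-not $Failed) { $Bookmarks[$Computer] = $RunStart }
}

if ($Collected.Count -gt 0) {
    $File = Join-Path $OutDir ('events-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
    $Collected | Export-Csv -Path $File -NoTypeInformation
    Write-Host "Wrote $($Collected.Count) events to $File"
}
$Bookmarks | Export-Clixml $BookmarkXml

# Quick triage for this run: which hosts saw the most failed logons.
$Collected | Where-Object { $_.Id -eq 4625 } |
    Group-Object Computer | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Schedule it the same way SETone suggests for the .bat file (a Scheduled Task on the collector). Two things worth knowing when this runs in anger: the per-host bookmark is the part that keeps a flaky network from silently dropping events, and Windows Vista / Server 2008 and later also ship a built-in push alternative, Windows Event Forwarding (configured with wecutil.exe and the "Forwarded Events" log), which needs no credentials stored on the collector.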
VaKo Posted March 12, 2009
Have you looked at System Center Essentials 2007?