Documentation on Windows Auditing and Logging
- Miscellaneous Notes on Windows Logging, by tbird
- Microsoft Security - Threats and Countermeasures Guide: Audit Policy - Describes event categories and the messages they generate.
- Microsoft Security - Threats and Countermeasures Guide: the Event Log
- Windows XP - Auditing security events
- Understanding Windows Logging
- How to Enable Security Logging in Windows XP
- Logging and Intrusion Detection on Windows 2000 - Microsoft guide to logging. Specific to Win2000 but has lots of useful information on pattern matching for detecting intrusions
- Archiving and Analyzing the NT Security Log
- Auditing Windows 2000
- Automated Auditing in a Windows 2000 Environment by Steve Elky. Hosted by SANS. A painfully thorough explanation of the Win2k audit structure and philosophy. Really helpful if you're worried about securing Win2k domains and active directory servers.
- Practical Implementations of syslog in Mixed Windows Environments for Secure Centralized Audit Logging - from the SANS reading room
- Dealing with Windows NT Event Logs: part 1 and part 2
- Selecting audit events for Windows NT 4.0 registry keys
- Selecting WinNT/4.0 event log settings
- WinNT Attack Tools & Log Data
Event Log to syslog Translators
- BackLog -- The last version of BackLog is fully supported on Windows NT, 2000 and XP, but see Snare for its new incarnation.
- Kiwi Logger is a Windows console-mode utility. It is designed to enable an application to send text messages via the command line to a syslog Daemon such as the Kiwi Syslog Daemon.
- Another Windows-to-syslog tool: NTsyslog
- EventReporter
- Monitorware Agent
- evlogsys.pl: A Perl script that scans NT Event Logs periodically and sends new entries via UDP syslog. It runs as a service with Domain Administrator privileges. It depends on the Perl modules Win32::EventLog and Win32::NetAdmin. The Web page also includes a sample configuration file, the source code for logtail (a program that performs periodic checks of syslog data, amd logger.h, C++ support for syslog functions. Contact Hal Snyder for more information.
- SL4NT
- SNARE Agent for Windows: Collects, filters and forwards Windows Event Log data to a Snare server or to any remote syslog host.
- Win32::EventLog: the EventLog module contained in the Perl libwin32 distribution parses EventLog messages.
- Writing arbitrary messages from Windows boxes to syslog
- An RFC 3195 Implementation for Windows
Logging in Microsoft Internet Information Services
- Microsoft IIS 5.0: Performance Tuning and Monitoring
- How to Configure ODBC Logging in IIS 4.0 and 5.0
- Snare for IIS: forwards Microsoft Internet Information Services logs to a log server. GPL software. Previously known as Backlog for IIS.
- How to Enable IIS Logging Site Activity in Windows 2000
- How to Configure Web Site Logging in Windows Server 2003
- IIS Custom logging format documentation
- A surprisingly useful ZDnet article about how to customize logging in IIS
- How to use SQL Server to Analyze Web Logs
- MonitorWare Agent - Third party application produced by the developers of EventReporter that can forward Windows text-based log files -- Internet Information Services, etc -- to a central syslog host.
- IISLogger - (In development) Enhances the native logging within IIS to include useful data for forensics and troubleshooting.
- Review of IIS logging options for HTTP and FTP transactions within Internet Information Services
Miscellaneous useful links & tools
- OUTWIT: Data Manipulation tools for Windows application and system data. Includes readlog for access to Event Log data.
- rlogger
- Joshua Wright <Joshua.Wright@jwu.edu>
wrote this tool to generate a login message each time a student sits
down at a workstation. This is far easier to maintain than enabling
event logging on countless Windows workstations and converting event
logs to syslog messages
http://home.jwu.edu/jwright/code/rlogger-0.2.tgz
http://home.jwu.edu/jwright/code/rlogger-0.2.tgz.md5
http://home.jwu.edu/jwright/code/rlogger-0.2-win.zip
http://home.jwu.edu/jwright/code/rlogger-0.2-win.zip.md5
Learn
Log
Analysis!
(Bonus: Now You can download Tbird's SANS Webcast Slides)