Background & Standards

• Logging and Audit Overview
• Specifications and Standards
• Archiving Secure Audit Files
• Programming syslog

Logging Infrastructure

• Centralized Logging
• syslog Replacements (UNIX)
• syslog Servers (non-UNIX)
• UNIX & related (routers, FWs) to syslog
• Windows to syslog
• Logfile Rotation Tools

Data Analysis

• Log Parsers (App Specific)
• Log Parsers (Generic)
• Regular Expressions
• Data Correlation
• Sample Log Files
• Intrusion Signatures
• Message Dictionaries
• Messages that Made Us Laugh

Resources

• Mailing Lists
• Research

Windows to syslog

syslog Client Configs for Windows/Non-UNIX

• tbird’s collection of syslog client configurations

Documentation on Windows Auditing and Logging

• Miscellaneous Notes on Windows Logging, by tbird
• Microsoft Security - Threats and Countermeasures Guide: Audit Policy - Describes event categories and the messages they generate.
• Microsoft Security - Threats and Countermeasures Guide: the Event Log
• Windows XP - Auditing security events
• Understanding Windows Logging
• How to Enable Security Logging in Windows XP
• Logging and Intrusion Detection on Windows 2000 - Microsoft guide to logging. Specific to Win2000 but has lots of useful information on pattern matching for detecting intrusions
• Archiving and Analyzing the NT Security Log
• Auditing Windows 2000
• Automated Auditing in a Windows 2000 Environment by Steve Elky. Hosted by SANS. A painfully thorough explanation of the Win2k audit structure and philosophy. Really helpful if you’re worried about securing Win2k domains and active directory servers.
• Practical Implementations of syslog in Mixed Windows Environments for Secure Centralized
  Audit Logging - from the SANS reading room

• Dealing with Windows NT Event Logs: part 1 and part 2
• Selecting
  audit events for Windows NT 4.0 registry keys

• Selecting
  WinNT/4.0 event log settings

• WinNT Attack Tools & Log Data

Event Log to syslog Manager

• BackLog — The last version of BackLog is fully supported on Windows NT, 2000 and XP, but see Snare for its new incarnation.
• Kiwi Logger is a Windows console-mode utility. It is designed to enable an application to send text messages via the command line to a syslog Daemon such as the Kiwi Syslog Daemon.
• Another Windows-to-syslog tool: NTsyslog
• EventReporter
  • Review of EventReporter
  • Forwarding Windows Events via stunnel to a UNIX/Linux syslogd
• Monitorware Agent
  • Comparison of Adiscon’s Windows logging products
• evlogsys.pl: A Perl script that scans NT Event Logs periodically and sends new entries via UDP syslog. It runs as a service with Domain Administrator privileges. It depends on the Perl modules Win32::EventLog and Win32::NetAdmin. The Web page also includes a sample configuration file, the source code for logtail (a program that performs periodic checks of syslog data, amd logger.h, C++ support for syslog functions.
  Contact Hal Snyder for more information.
• SL4NT
• SNARE Agent for Windows: Collects, filters and forwards Windows Event Log data to a Snare server or to any remote sysloghost.
• Win32::EventLog: the EventLog module contained in the Perl libwin32 distribution parses EventLog messages.
• Writing arbitrary messages from Windows boxes to syslog
• An RFC 3195 Implementation for Windows

Logging in Microsoft Internet Information Services

• Microsoft IIS 5.0: Performance Tuning and Monitoring
• How to Configure ODBC Logging in IIS 4.0 and 5.0
• Snare for IIS: forwards Microsoft Internet Information Services logs to a log server. GPL software. Previously known as Backlog for IIS.
• How to Enable IIS Logging Site Activity in Windows 2000
• How to Configure Web Site Logging in Windows Server 2003
• IIS Custom logging format documentation
• A surprisingly useful ZDnet article about how to customize logging in IIS
• How to use SQL Server to Analyze Web Logs
• MonitorWare Agent - Third party application produced by the developers of EventReporter that can forward Windows text-based log files — Internet Information Services, etc — to a central syslog host
• IISLogger - (In development) Enhances the native logging within IIS to include useful data for forensics and troubleshooting.
• Review of IIS logging options for HTTP and FTP transactions within Internet Information Services

Miscellaneous Useful Links & Tools

• OUTWIT: Data Manipulation tools for Windows application and system data. Includes readlog for access to Event Log data.
• rlogger - Joshua Wright <Joshua.Wright@jwu.edu> wrote this tool to generate a login message each time a student sits down at a workstation. This is far easier to maintain than enabling event logging on countless Windows workstations and converting event logs to syslog messages
  http://home.jwu.edu/jwright/code/rlogger-0.2.tgz
  http://home.jwu.edu/jwright/code/rlogger-0.2.tgz.md5
  http://home.jwu.edu/jwright/code/rlogger-0.2-win.zip
  http://home.jwu.edu/jwright/code/rlogger-0.2-win.zip.md5
• Choosing forwarders in Windows A useful link for Splunk users choosing an approach to collect windows logs.