How often do you view your Event Viewer?

[HTRegz]

Hey Hey,

I'll post on both for both home and work... My vote was for work.

I've got 2 servers at work, I check out their event viewer and my workstation event viewer daily.

When I'm at home I sometimes forget that it even exists... I check it when I have problems and that's about it... sometimes not even when I have problems.

Peace
HT

[|3lack|ce]

hokay - now why I voted once a month...

My firewall catches bad outside stuff that's happening as it occurs and alerts me to it.
My computer systems which have net access are shut down completely every night while I'm sleeping.
My spyware/av proggies can catch nasty crap that gets through when Mrs |ce is doing things without telling me...(like downloading those damn spyware laden screensavers! grrr).

So I look at the winblows event logs (assuming this is the event logs you're referring to) about once a month to see if there's anything that was missed, and to see how badly it spazzed out when this or that crash occurred, or this or that power-outage hit.

Nuff said and hope that helped.

[ric-o]

For my servers... I do similar things as Tedob1, where I dump them out into a text file which is saved on a central server and then parse them with a Perl script which looks for suspicious activity (re.; login failures, account re-enables, attempted login into disabled accounts, etc) and sends those suspicious entries to my team who reviews it every morning. Even when diagnosing an issue I will dump out the event log into text file before trying to use the crappy Win event log app.

We are starting to deploy syslog agents on all the Win servers and will point them at our centralized syslog server that has all the logs on it: firewall, ids, router, switches, *nix servers, and now Win servers. We then run Swatch against it along with custom scripts run adhoc.

For my workstations... only when there's a problem. Eventually we will point them to the syslog server but only send security alerts - nothing from system and app logs.

[Tedob1]

ric-o what syslog agent are you using? gfi has an app that looks rather good but its awful pricey for my budget, for right now anyway. im kinda thinking thay whatever TH13 is using is way outa range...is it TH?

[Spyrus]

Originally posted here by thehorse13
I pass off event viewer data to a central syslog server where it gets churned through an aggregation process and if there is something I need to worry about, the event climbs up my watch list display.
Checking event viewer logs (which kinda suck anyway) is not practical when you have thousands of servers to tend to and 20 times more workstations.

What application(s) are you using, I would be interested to look into something along these lines. While I am only responsible for 30 windows server (mighty small in comparison) I would be interested in finding a decent application for a fairly inexpensive price

Thanks,
-Spy

[Lv4]

hrm, that comment is a little disingenuous thehorse13 . You are indeed viewing them, just not personally. You have a centralized script that parses the information out and provides you with need to see information. I'm guessing you do this daily, or perhaps it is live... who knows besides you. But you /are/ viewing them, especially when you have a problem that needs to be seen by live eyes

I'm in that same boat too.We have way too many servers to go through the logs personally, so we have scripts that crawl the central log servers for us and alert us to information that we need to see. I also choose a random log from time to time to go through to make sure that things are running the way we want them to and they the scripts have not been subverted.

As far as my personal machine(s), I check the logs from time to time. There is nothing on those machines that I'm concerned with and if something goes south with them I will just format/reinstall anyway.

[Lv4]

Originally posted here by Spyrus
What application(s) are you using, I would be interested to look into something along these lines. While I am only responsible for 30 windows server (mighty small in comparison) I would be interested in finding a decent application for a fairly inexpensive price

Thanks,
-Spy

The solution we use here is not cheap by any stretch of the imagination. We use Cisco MARS to cull information for us.

At my previous job I wrote a perl script that parsed the information from a central server. We SCPd logs from the Windows side to a central server, ran a cron job that moved files around, tar'd stuff and deleted things that we didn't need any more. There was another cron job that ran the perl script that went through the log files and emailed out information that needed to be seen by someone. This was not a live system though, and we were always a day behind in log review.

[!mitationRust]

I know some of you are thinking this guy must wash his hands until they bleed too! Checking those logs for the home comp like I do. It's not like I have ever found something and then had it save me. But all my stuff is automated. I just happen to have it incorporated with my clear useless files-bat on boot. I don't really need to refine my quick n' dirty bats I make, that's my prerogative.

[code]@echo off
@cd\
@set usrpath="C:\Documents and Settings\%Username%\
@set usrpath2="C:\Documents and Settings\%Username%\Local Settings\
@echo.
@echo.
@IF EXIST %usrpath%Cookies\" @del %usrpath%Cookies\*.*" /F /Q /S
@IF EXIST %usrpath%Cookies\" @rd %usrpath%Cookies\" /Q /S
@IF NOT EXIST %usrpath%Cookies\" @md %usrpath%Cookies\"
::
@del %usrpath%temp\*.*" /F /Q /S
@rd %usrpath%temp\" /Q /S
@md %usrpath%temp\"
::
@del %usrpath%recent\*.*" /F /Q /S
@rd %usrpath%recent\" /Q /S
@md %usrpath%recent\"
::
@del %usrpath2%History\*.*" /F /Q /S
@rd %usrpath2%History\" /Q /S
@IF NOT EXIST %usrpath2%History\" @md %usrpath2%History\"
::
@del %usrpath2%Temp\*.*" /F /Q /S
@rd %usrpath2%Temp\" /Q /S
@md %usrpath2%Temp\"
::
@del %usrpath2%Temporary Internet Files\*.*" /F /Q /S
@rd %usrpath2%Temporary Internet Files\" /Q /S
@IF NOT EXIST %usrpath2%Temporary Internet Files\" @md %usrpath2%Temporary Internet Files\"
::
@del %usrpath%My Recent Documents\*.*" /F /Q /S
@rd %usrpath%My Recent Documents\" /Q /S
@md %usrpath%My Recent Documents\"
::
@del %usrpath2%History\History.IE5\*.*" /F /Q /S
@rd %usrpath2%History\History.IE5\" /Q /S
@IF NOT EXIST %usrpath2%History\History.IE5\" @md %usrpath2%History\History.IE5\"
::
@del "C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\*.*" /F /Q /S
@rd "C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\" /Q /S
@IF EXIST "C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\" GOTO C1 @IF NOT EXIST "C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\" @md "C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\"
:C1
@IF EXIST C:\WINDOWS\Temp\ @del C:\WINDOWS\Temp\*.* /F /Q /S
@rd C:\WINDOWS\Temp\ /Q /S
@IF NOT EXIST C:\WINDOWS\Temp\ @md C:\WINDOWS\Temp\
::
@del "C:\WINDOWS\Temporary Internet Files\*.*" /F /Q /S
@rd "C:\WINDOWS\Temporary Internet Files\" /Q /S
@IF NOT EXIST "C:\WINDOWS\Temporary Internet Files\" @md "C:\WINDOWS\Temporary Internet Files\"
::
@del C:\WINDOWS\Cookies\*.* /F /Q /S
@rd C:\WINDOWS\Cookies\ /Q /S
@IF NOT EXIST C:\WINDOWS\Cookies\ @md C:\WINDOWS\Cookies\
::
@del C:\TEMP\*.* /F /Q /S
@rd C:\Temp\ /Q /S
@IF NOT EXIST C:\Temp\ @md C:\Temp\
::
@del C:\WINDOWS\Prefetch\*.* /F /Q /S
@rd C:\WINDOWS\Prefetch\ /Q /S
@IF NOT EXIST C:\WINDOWS\Prefetch\ @md C:\WINDOWS\Prefetch\
::
@del index.dat /s /f /q
::
@del *.tmp *.temp *.chk *.trc *.old *.scr *.$$$ *.~ *.~~~ /s /q /f
::
start eventvwr.exe
@exit

I can't view the security on boot with a limited account, unless I want to edit this bat a little and run task scheduler, which I don't want to.

[RoadClosed]

I don't know about you guys and gals but the event log should be clean. So checking them daily (unless you have say 1000) isn't a big deal. For instance I have one entry in mine today over and over.... disk has bad sector. That means in a bout a week or month this server will fail. So looking at those logs is critical when you get down to it. Unless you like those days when you get "OS not detected ...."

[thehorse13]

Doctor, this question wasn't directed at the network gods.....it's just Microsoft security awareness month for the mere mortals.

You will not persuade me with appeals to my intellectual vanity.