As part of your overall security efforts, you need to know which resources are available on your systems and how those resources are being used. It's important to monitor log files, and, in some cases, consolidate and generate log files—and some add-on tools can significantly simplify the task. In poking around the Internet recently, I found several tools that you might want to consider using in your Windows network environments. Most of the tools address log files, and one tool enumerates system characteristics on local and remote systems.
First, consider Purdue University Engineering Computer Network's Eventlog to Syslog, a utility that runs on Windows and monitors event logs, reformats the log entries, and sends them to a UNIX-based syslog service for centralized collection. This utility helps administrators who use UNIX as their main desktop monitor events that take place on Windows-based systems.
Second, consider SecurIT Informatique's LogAgent, another tool designed to centralize log files. LogAgent can gather text-based logs from just about any type of software and centralize those logs in one or more locations. For example, you can use the tool to gather and monitor text-based logs such as firewall logs, antivirus software logs, download managers, and content-screening software—without having to look at each one through that software's particular software interface.
A third tool to consider—also available from SecurIT Informatique—is ComLog. This tool lets you introduce logging in a place in which logging might otherwise be impossible: in a Windows command shell. ComLog monitors everything that happens in a Windows command shell and logs it to a file. ComLog is written in Perl and compiled with Perl2Exe. The program replaces the cmd.exe file on your Windows systems and becomes a front end to that file. After ComLog is in place, the program captures all keystrokes and command output and writes the data to date-stamped log files for your review.
Another tool, Foundstone's FileWatch, monitors files by detecting file-size changes and write operations. The tool can monitor log files for changes and produce a separate application when it detects changes. For example, you can use it to monitor firewall logs or logs from ComLog and LogAgent. You could also use Filewatch to send administrative alerts (through email or pager software) when file changes occur. Or you could use the tool to initiate other actions, such as shutting down services or network connections or starting data capture programs.
Foundstone's NTLast lets you monitor Windows event logs (including saved log files) for logon information. You can use it to perform date-driven searches, filter based on hosts, distinguish data logged by Web servers, and produce formatted output suitable for Microsoft Excel spreadsheets.
Finally, check into SourceForge's Winfingerprint. This tool determines OS type and can enumerate users, groups, shares, SIDs, network transports, disk drives, sessions, and services. Winfingerprint can also determine service pack and hotfix levels and discover any open TCP and UDP ports. It works with Windows NT domains and Active Directory (AD) network structures and can interrogate remote systems based on a range of IP addresses.
Be sure to consider these and other log-related and system-enumeration utilities. Of course, this brief list of utilities can't be more than a sampling. If you're a security administrator who has found a tool that's particularly useful in managing log files or enumerating system resources, I'd like to hear about it. Such tools help administrators become aware of suspicious events and activities that might otherwise go completely unnoticed—or go unnoticed until damage has been done.
