Windows 2008 Events

Windows 2008 Events - 19.Dec.2008 7:22:55 PM   
Drinian

 

Posts: 10
Score: 0
Joined: 18.Apr.2005
Status: offline
Hey All -

I'm monitoring a bunch of servers ranging from Windows 2000 through Windows 2008. Unfortunately, however, it appears that all of the event IDs have changed in Windows 2008, so the rules that I had in place for the Windows 2000/2003/R2 servers no longer work.

Short of editing each and every event and including the new Windows 2008 event ID (assuming one could even find a one-to-one mapping), is there any other solution here? Has GFI updated the event definitions to include Windows 2008 events?

thanks!
Post #: 1
RE: Windows 2008 Events - 21.Dec.2008 12:07:49 AM   
LeoSanchez

 

Posts: 116
Score: 0
Joined: 28.Apr.2008
Status: offline
Hello Drinian,

GFI EventsManager has pre-configured processing rules which allow for the collection of events on a Windows 2008 server.

Also, please note that in order to collect EVT logs from a Windows 2008 server GFI EventsManager must be installed on a Windows 2008 or Vista OS.

_____________________________

Regards,

Leo - Technical Support
GFI Software - www.gfi.com

(in reply to Drinian)
Post #: 2
RE: Windows 2008 Events - 21.Dec.2008 1:51:07 PM   
Drinian

 

Posts: 10
Score: 0
Joined: 18.Apr.2005
Status: offline
Hey Leo -

I appreciate the quick response but unfortunately I don't think what you said is working in my case. I am running the latest build of GFI EM on Windows 2008.

For example, I have a rule that specifically looks for event ID 528 (interactive logins) for a specific username. This works fine for W2K3 machines, but since Windows 2008 doesn't use 528, it doesn't work at all when monitoring those machines.

Any ideas?

thanks!

(in reply to LeoSanchez)
Post #: 3
RE: Windows 2008 Events - 2.Jan.2009 9:20:41 AM   
Kevin Hodak

 

Posts: 5
Score: 0
Joined: 27.Apr.2006
Status: offline
Hi Drinian,

As you correctly pointed out, the event IDs for Windows 2008 are different from Windows 2003. Therefore, you will need to modify your custom event processing rule to include the Windows 2008 event ID; in this case, 4624.

Take a look at the default "Successful Administrative logons" under Security -> Monitoring and Attack Detection for a built-in rule that is similar to what you are looking to accomplish with a custom rule.

Regards,
Kevin Hodak
Sales Engineer - GFI Software - www.gfi.com

(in reply to Drinian)
Post #: 4
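The rule logic the thread converges on, written out as an added example (this is not GFI EventsManager's rule engine or any code from the posters): treat the legacy successful-logon ID 528 and Server 2008's 4624 as one condition, then filter on logon type and the watched account so that only interactive logons fire. The sample events and their field names ("User Name", "TargetUserName", "Logon Type") are constructed for this example and are not a GFI field list; the inclusion of legacy 540 (network logon) alongside 528 is a generalisation beyond the thread, since both were folded into 4624 in the 2008 log schema.

```python
"""Cross-version logon rule: legacy 528 and Server 2008's 4624 as one condition.

Added example, not GFI EventsManager code. All sample events are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Event ID equivalence between the pre-Vista Security log and the
# Vista/Server 2008 log: 528 (interactive) and 540 (network) both became 4624.
LEGACY_SUCCESS_LOGON = {528, 540}
MODERN_SUCCESS_LOGON = {4624}
SUCCESS_LOGON = LEGACY_SUCCESS_LOGON | MODERN_SUCCESS_LOGON
INTERACTIVE_LOGON_TYPE = 2   # Logon Type 2 = interactive (console) in both schemas


@dataclass
class LogonEvent:
    source: str       # host that logged the event
    event_id: int
    user: str         # account that logged on
    logon_type: int


def normalize(raw: dict) -> LogonEvent:
    """Map both schema generations onto one record.

    Legacy events carry the account in "User Name"; 4624 events in
    "TargetUserName". These key names are assumptions made for the
    constructed sample data below.
    """
    eid = int(raw["EventID"])
    if eid in LEGACY_SUCCESS_LOGON:
        user = raw["User Name"]
    elif eid in MODERN_SUCCESS_LOGON:
        user = raw["TargetUserName"]
    else:
        user = raw.get("TargetUserName") or raw.get("User Name", "")
    return LogonEvent(raw["Computer"], eid, user, int(raw["Logon Type"]))


def matches_interactive_logon(ev: LogonEvent, watched_user: str) -> bool:
    """The rule the thread describes: a successful *interactive* logon for one
    account, accepting the 2003 and 2008 event IDs as the same condition."""
    return (
        ev.event_id in SUCCESS_LOGON
        and ev.logon_type == INTERACTIVE_LOGON_TYPE
        and ev.user.lower() == watched_user.lower()
    )


def run_rule(raw_events: Iterable[dict], watched_user: str) -> List[LogonEvent]:
    """Normalize every event and return those that trigger the rule."""
    return [ev for ev in map(normalize, raw_events)
            if matches_interactive_logon(ev, watched_user)]


# Constructed sample: one 2003 host and one 2008 host, same watched account.
SAMPLE_EVENTS = [
    {"Computer": "W2K3-FS01", "EventID": "528", "User Name": "svc_backup", "Logon Type": "2"},
    {"Computer": "W2K3-FS01", "EventID": "540", "User Name": "svc_backup", "Logon Type": "3"},
    {"Computer": "W2K8-DC01", "EventID": "4624", "TargetUserName": "svc_backup", "Logon Type": "2"},
    {"Computer": "W2K8-DC01", "EventID": "4624", "TargetUserName": "svc_backup", "Logon Type": "3"},
    {"Computer": "W2K8-DC01", "EventID": "4624", "TargetUserName": "jdoe", "Logon Type": "2"},
    {"Computer": "W2K8-DC01", "EventID": "4625", "TargetUserName": "svc_backup", "Logon Type": "2"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS, "svc_backup"):
        print(f"{hit.source}: event {hit.event_id} interactive logon by {hit.user}")
```

Run as-is it reports exactly two hits, one 528 from the 2003 host and one 4624 from the 2008 host; the network logons (type 3), the other account and the failed logon (4625) are all filtered out. The point for a rule author is that the normalization step is what keeps a single rule valid across both server generations, rather than maintaining one rule per OS.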