This morning I got up early and found myself looking for things to do in order to avoid the things I was supposed to be doing. In the process, I found myself rooting around in the Windows 2000 Server Resource Kit Help file, looking for Cool Tools worth trying out. It didn't take long before I hit upon a real gem.
The CyberSafe Log Analyst
The Windows 2000 Server Resource Kit includes a tool called CyberSafe Log Analyst. This tool is an MMC Snap-in that helps you make sense out of your security log. Part of our daily routine is to check the security logs on all the servers. This can sometimes be a harrowing experience, because the chronological method of displaying information in the Event Log isn't the easiest way to turn data into information.
The CyberSafe Log Analyst can bring some order to your Security Log. It will take the contents of the Security Log and automatically create a series of reports that bring the data into sharper focus.
CyberSafe Log Analyst Reports
The reports that the CyberSafe Log Analyst provides are:
Activity by Target
This report shows activity across the enterprise grouped by target
Activity by User
This report shows activity across the enterprise grouped by user
Enterprise Activity Summary
This report shows a summary of all activities across the enterprise
Enterprise Failed Login Activity
This report shows failed logins across the enterprise grouped by target
Enterprise Object Browsing by Target
This report shows enterprise object browsing by Target
Enterprise Object Browsing by User
This report shows enterprise object browsing by User
Enterprise Object Browsing by User & Target
This report shows enterprise object browsing by User & Target
Enterprise Virus Activity
This report shows points of potential virus activity grouped by target
Login Summary Report
This report shows login activity across the enterprise
This report shows per hour activity across the enterprise listed by Target
This report shows per hour activity across the enterprise listed by User
Activity Signatures Search Out Suspicious Activity
The program scans the Security Log looking for matches in its activity signatures database. These activity signatures are events or series of events which are considered to be suspicious and possibly indicative of computer misuse or abuse. The help file in the program includes a detailed list and explanation of the activity signatures that the Log Analyst looks for.
The reports look like typical out-of-the-box Microsoft Access reports, and I believe it's the same report-generating engine. Take a look at one of these reports below:
If you're stressing out over your daily security log overviews, I'm sure you'll agree that the CyberSafe Log Analyst will come in very handy!
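To make the "failed logins grouped by target" report and the idea of an activity signature concrete, here is an added Python example. It is not code from the Resource Kit or from CyberSafe, whose actual signatures are listed only in the tool's help file. The sample records are constructed, and the "failures followed by a success" signature, its threshold and its time window are assumptions chosen for illustration; event IDs 529 (logon failure) and 528 (successful logon) are the Windows 2000 Security log IDs.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data): time, event ID, user, target.
# In the Windows 2000 Security log, 529 = logon failure (unknown user name or
# bad password) and 528 = successful logon.
LOGON_FAILURE, LOGON_SUCCESS = 529, 528
SAMPLE_EVENTS = [
    ("2001-03-05 08:01:10", 529, "jsmith", "FILESRV1"),
    ("2001-03-05 08:01:14", 529, "jsmith", "FILESRV1"),
    ("2001-03-05 08:01:19", 529, "jsmith", "FILESRV1"),
    ("2001-03-05 08:01:25", 528, "jsmith", "FILESRV1"),
    ("2001-03-05 09:15:00", 528, "mjones", "MAILSRV1"),
    ("2001-03-05 10:30:42", 529, "mjones", "MAILSRV1"),
    ("2001-03-05 11:02:03", 529, "admin", "FILESRV1"),
]


def parse(events):
    """Turn raw tuples into dicts with a real datetime, sorted chronologically."""
    rows = [{"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
             "id": eid, "user": user, "target": target}
            for t, eid, user, target in events]
    return sorted(rows, key=lambda r: r["time"])


def failed_logins_by_target(rows):
    """Report: failed logon count per target, broken down by user."""
    report = defaultdict(Counter)
    for r in rows:
        if r["id"] == LOGON_FAILURE:
            report[r["target"]][r["user"]] += 1
    return {target: dict(users) for target, users in report.items()}


def guess_then_success(rows, threshold=3, window=timedelta(minutes=5)):
    """Hypothetical signature: a successful logon preceded, within `window`,
    by at least `threshold` failures for the same user on the same target."""
    hits, recent = [], defaultdict(list)
    for r in rows:
        key = (r["user"], r["target"])
        if r["id"] == LOGON_FAILURE:
            recent[key].append(r["time"])
        elif r["id"] == LOGON_SUCCESS:
            in_window = [t for t in recent[key] if r["time"] - t <= window]
            if len(in_window) >= threshold:
                hits.append((r["user"], r["target"], len(in_window)))
            recent[key].clear()  # a success starts a fresh run for this pair
    return hits
```

Calling `failed_logins_by_target(parse(SAMPLE_EVENTS))` gives the per-target view that a chronological Event Viewer listing hides, and `guess_then_success` shows why a series of events can be more telling than any single entry.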
Where the Heck is it?
The CyberSafe Security Analyst is not installed when you install the Windows 2000 Server Resource Kit tools. To install the program, search the Resource Kit CD for the \apps\loganalyst directory and run the setup program from there.
For More Information
For more information about the CyberSafe Log Analyst, read the Help File for the program after you have it installed.