Monitor DHCP Logs
EventTracker
8815 Centre Park Drive, Columbia MD 21045, www.eventtracker.com
Publication Date: July 16, 2009


Abstract

This document highlights the major advantages of employing EventTracker to consolidate and manage Dynamic Host Configuration Protocol (DHCP) Server logs. The paper introduces at a high level the major design concepts that enable EventTracker to process, store and allow users to gain actionable intelligence from the millions of critical events generated by DHCP. DHCP event data contains a wealth of valuable information for Network Administrators and Security groups for controls, compliance and security. For example, an easy way to detect new network devices accessing the network is through analysis of the DHCP logs. To monitor DHCP logs using EventTracker, an EventTracker agent must be installed on the DHCP server.

The information contained in this document represents the current view of Prism Microsystems Inc. on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, and Prism Microsystems cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. Prism Microsystems MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided. Prism Microsystems may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred. 2013 Prism Microsystems Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

DHCP Logs
Example DHCP Audit log
Example: Using EventTracker to monitor and alert on DHCP Audit Log entries
Monitoring
Alerting
Reporting
About EventTracker
About Prism Microsystems

DHCP Logs

DHCP on Windows 2003 and Windows 2008 includes the ability to generate an audit log for the DHCP service. These logs include detailed descriptions of DHCP activity, including leases and renewals, starting and stopping of the DHCP service, and server error messages. The log data also records the date and time of each event, as well as the full identity of the client involved (IP address, name and hardware address).

DHCP logging is enabled by default. You can enable and disable logging by following the steps listed below:

1. Click the Start button, click Settings, and then click Control Panel.
2. Double-click Administrative Tools, and then double-click DHCP.
3. In the console tree, click the applicable DHCP server.
4. On the Action menu, click Properties.
5. On the General tab, select Enable DHCP audit logging, and then click OK.

By default, DHCP logs are stored in the %systemroot%\system32\dhcp folder. The logs are plain text and can be opened with Notepad. The storage location can be changed by right-clicking a server in the DHCP console and choosing Properties; in the properties dialog box that opens, switch to the Advanced tab and enter the new audit log file path.

The DHCP Server bases the name of the audit log file on the current day of the week, as determined by checking the current date and time at the server. For example, if the current date and time when the DHCP Server starts is Monday, April 7, 2003, 04:56:42 P.M., the server audit log file is named:

DhcpSrvLog-Mon.Log

In Microsoft Windows NT and Microsoft Windows 2000, the same audit log file would be named:

DhcpSrvLog.Mon

The following event IDs are used for DHCP log monitoring on Windows Server 2003.

ID   DHCP Event
00   The log was started.
01   The log was stopped.
02   The log was temporarily paused due to low disk space.
10   A new IP address was leased to a client.
11   A lease was renewed by a client.
12   A lease was released by a client.
13   An IP address was found to be in use on the network.
14   A lease request could not be satisfied because the scope's address pool was exhausted.
15   A lease was denied.
16   A lease was deleted.
17   A lease was expired.
20   A BOOTP address was leased to a client.
21   A dynamic BOOTP address was leased to a client.
22   A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
23   A BOOTP IP address was deleted after checking to see it was not in use.
24   IP address cleanup operation has begun.
25   IP address cleanup statistics.
50+  Codes above 50 are used for Rogue Server Detection information.

Table 1

If the DHCP server is configured to perform Domain Name System (DNS) dynamic updates on behalf of DHCP clients, the DHCP audit logs can be used to monitor the update requests the DHCP server sends to the DNS server. The audit logs also record DNS record update successes and failures. The following event IDs are used for DNS dynamic update events:

ID   DHCP Event
30   DNS dynamic update request
31   DNS dynamic update failed
32   DNS dynamic update successful

Table 2

The following are additional server log event ID codes and descriptions. These events can appear in logs made by DHCP servers running Windows Server 2008. They pertain to the applicable DHCP server and its authorization status when deployed in Active Directory environments.

ID   DHCP Event: Description
50   Unreachable domain: The DHCP server could not locate the applicable domain for its configured Active Directory installation.
51   Authorization succeeded: The DHCP server was authorized to start on the network.
52   Upgraded to a Windows Server 2008 operating system: The DHCP server was recently upgraded to a Windows Server 2008 operating system, and, therefore, the unauthorized DHCP server detection feature (used to determine whether the server has been authorized in Active Directory) was disabled.
53   Cached authorization: The DHCP server was authorized to start using previously cached information. AD DS could not be found at the time the server was started on the network.
54   Authorization failed: The DHCP server was not authorized to start on the network. When this event occurs, it is likely followed by the server being stopped.
55   Authorization (servicing): The DHCP server was successfully authorized to start on the network.
56   Authorization failure, stopped servicing: The DHCP server was not authorized to start on the network and was shut down by the operating system. You must first authorize the server in the directory before starting it again.
57   Server found in domain: Another DHCP server exists and is authorized for service in the same domain.
58   Server could not find domain: The DHCP server could not locate the specified domain.
59   Network failure: A network-related failure prevented the server from determining if it is authorized.
60   No DC is DS enabled: No domain controller running Windows Server 2008 was located. For detecting whether the server is authorized, a domain controller that is enabled for AD DS is required.
61   Server found that belongs to DS domain: Another DHCP server was found on the network that belongs to the Active Directory domain.
62   Another server found: Another DHCP server was found on the network.
63   Restarting rogue detection: The DHCP server is trying once more to determine whether it is authorized to start and provide service on the network.
64   No DHCP enabled interfaces: The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service. This usually means one of the following:
     - The network connections of the server are either not installed or not actively connected to a network.
     - The server has not been configured with at least one static IP address for one of its installed and active network connections.
     - All of the statically configured network connections for the server are disabled.

Table 3

Example DHCP Audit log

ID,Date,Time,Description,IP Address,Host Name,MAC Address
24,05/18/09,00:00:16,Database Cleanup Begin,,,,
25,05/18/09,00:00:16,0 leases expired and 0 leases deleted,,,,
25,05/18/09,00:00:16,0 leases expired and 0 leases deleted,,,,
24,05/18/09,00:40:16,Database Cleanup Begin,,,,
25,05/18/09,00:40:16,0 leases expired and 0 leases deleted,,,,
25,05/18/09,00:40:16,0 leases expired and 0 leases deleted,,,,
24,05/18/09,01:40:16,Database Cleanup Begin,,,,
25,05/18/09,01:40:16,0 leases expired and 0 leases deleted,,,,
25,05/18/09,01:40:16,0 leases expired and 0 leases deleted,,,,
24,05/18/09,02:40:17,Database Cleanup Begin,,,,
25,05/18/09,02:40:17,0 leases expired and 0 leases deleted,,,,
25,05/18/09,02:40:17,0 leases expired and 0 leases deleted,,,,
30,05/18/09,03:06:46,DNS Update Request,177.1.168.192,vssserver.prismusa.com,,
11,05/18/09,03:06:46,Renew,192.168.1.177,vssserver.prismusa.com,0008A1117C07,
32,05/18/09,03:06:46,DNS Update Successful,192.168.1.177,vssserver.prismusa.com,,
30,05/18/09,03:07:17,DNS Update Request,162.1.168.192,linen.prismusa.com,,
11,05/18/09,03:07:17,Renew,192.168.1.162,linen.prismusa.com,001111A0D578,
32,05/18/09,03:07:17,DNS Update Successful,192.168.1.162,linen.prismusa.com,,
30,05/18/09,03:15:34,DNS Update Request,172.1.168.192,erm10.PRISMTEST.com,,
11,05/18/09,03:15:34,Renew,192.168.1.172,erm10.PRISMTEST.com,000BDB113980,
32,05/18/09,03:15:34,DNS Update Successful,192.168.1.172,erm10.PRISMTEST.com,,

Example: Using EventTracker to monitor and alert on DHCP Audit Log entries

EventTracker uses Log File Monitor (LFM) in the Windows agent to access DHCP Server logs. To set up EventTracker Log File Monitoring, perform the following steps:

1. Select the Start button, select All Programs, and then select Prism Microsystems.
2. Select EventTracker, and then select EventTracker Control Panel.

Figure 1

3. Open the Agent Configuration option and select the DHCP Server system from the Select Systems combo box.

Figure 2

4. Click the Logfile Monitor tab and check the Logfile Monitor check box.

Figure 3

5. Click Add File Name, check the Get All Existing Log Files box and select CSV from the Select Log File Type combo box.

Figure 4

6. Browse to and select the C:\windows\system32\dhcp path and click OK. Enter \DhcpSrvLog-*.log in the Enter the log file(s) to be processed dialog box.

Figure 5

7. Enter 30 as the Header Line Number of the above file. The final file details screen looks as below:

Figure 6

8. The next screen will appear, asking for the search string.

Figure 7

9. Click the Add String button and enter * in the Enter Search String text box.

Figure 8

10. Click the OK button. The Search String screen will look like:

Figure 9

11. Click the OK button, then save the agent configuration.

Monitoring

After completing the steps listed above, EventTracker will monitor all logs generated by DHCP. System Administrators can monitor specific groups of DHCP events such as: DHCP log started, stopped or paused; new IP address assigned; lease renewed; lease released; new IP address found in network; lease not satisfied; lease denied; lease deleted; lease expired; BOOTP address assigned; BOOTP request not satisfied; BOOTP IP address deleted; dynamic BOOTP address assigned; IP address cleanup begun; cleanup statistics; DNS update request; DNS update successful; DNS update failed.

Alerting

EventTracker can alert System Administrators on critical events such as: DHCP BOOTP address assigned, BOOTP address deleted, BOOTP address not satisfied, DNS update failed, dynamic BOOTP address leased, lease denied, lease expired, new IP address leased, new IP address found in network, lease not satisfied, DHCP logging paused due to low disk space, and DHCP logging stopped. These alerts can be received via email, SNMP traps, or delivered to any text-enabled device. It is also possible to deliver the alert details via RSS.

Reporting

EventTracker provides an exclusive reporting tool designed to generate requirement-specific reports. Below are sample reports created by EventTracker specific to DHCP logs.

Report 1: DHCP Lease Renewed by client

DHCP - Lease renewed by client Detail Report:

Log Time         Client Host Name           Client IP Address  Client MAC Address  Computer
7/13/2009 11:31  linux-3olh.prismusa.com    192.168.1.175      000F1F46F53A        NAVYBLUE
7/13/2009 11:31  steelblue2.prismusa.com    192.168.1.157      0015C552FA61        NAVYBLUE
7/13/2009 11:31  dell02.                    192.168.1.180      00123FEAC13A        NAVYBLUE
7/13/2009 11:31                             192.168.1.137      080020DABD91        NAVYBLUE
7/13/2009 11:31  crimson.prismusa.com       192.168.1.167      00C09F2B3D1F        NAVYBLUE
7/13/2009 11:31  vssserver.prismusa.com     192.168.1.177      0008A1117C07        NAVYBLUE
7/13/2009 11:31  erm10.prismtest.com        192.168.1.172      000BDB113980        NAVYBLUE
7/13/2009 11:31                             192.168.1.129      000BDBB7D9D5        NAVYBLUE
7/13/2009 11:31  linen.prismusa.com         192.168.1.162      001111A0D578        NAVYBLUE
7/13/2009 11:31  navyblue.prismusa.com      192.168.1.144      000B7D0D81C1        NAVYBLUE
7/13/2009 11:31  crimson.prismusa.com       192.168.1.188      00904B48179D        NAVYBLUE
7/13/2009 11:31  LEMONYELLOW.prismusa.com   192.168.1.166      00197DB00FEA        NAVYBLUE
7/13/2009 11:31  LEMONYELLOW.prismusa.com   192.168.1.130      00188BBA1D15        NAVYBLUE
7/13/2009 11:31  Plum.prismusa.com          192.168.1.173      00111162D7C1        NAVYBLUE
7/13/2009 11:31  black.prismusa.com         192.168.1.150      0011437196BB        NAVYBLUE
7/13/2009 11:31  rallen.prismusa.com        192.168.1.149      00123FDFA873        NAVYBLUE

DHCP - Lease renewed by clients

Report 2: DHCP Lease Denied

Computer  Log Time         Client IP Address  Client Host Name  Client MAC Address
NAVYBLUE  7/13/2009 11:15  192.168.2.2                          000B7D0D81C1
NAVYBLUE  7/13/2009 11:17  192.168.2.2                          000B7D0D81C1
NAVYBLUE  7/13/2009 11:18  192.168.2.2                          000B7D0D81C1
NAVYBLUE  7/13/2009 11:19  192.168.2.2                          000B7D0D81C1
NAVYBLUE  7/13/2009 11:22  192.168.2.2                          000B7D0D81C1
NAVYBLUE  7/13/2009 11:23  192.168.2.2                          000B7D0D81C1
NAVYBLUE  7/13/2009 11:25  192.168.2.2                          000B7D0D81C1
NAVYBLUE  7/13/2009 11:26  192.168.2.2                          000B7D0D81C1
NAVYBLUE  7/13/2009 11:27  192.168.2.2                          000B7D0D81C1

Report 3: DHCP DNS update request report

DHCP - DNS Update Request Detail Report:

Computer  Log Time         Client Host Name           Client IP Address
NAVYBLUE  7/13/2009 11:34  maroon.prismusa.com        194.1.168.192
NAVYBLUE  7/13/2009 11:34  salmon.prismusa.com        192.168.1.157
NAVYBLUE  7/13/2009 11:34  linen.prismusa.com         192.168.1.180
NAVYBLUE  7/13/2009 11:34  vssserver.prismusa.com     192.168.1.137
NAVYBLUE  7/13/2009 11:34  steelblue2.prismusa.com    192.168.1.167
NAVYBLUE  7/13/2009 11:34  dell02.                    192.168.1.177
NAVYBLUE  7/13/2009 11:34  crimson.prismusa.com       192.168.1.172
NAVYBLUE  7/13/2009 11:34  INDIANRED.prismusa.com     192.168.1.129
NAVYBLUE  7/13/2009 11:34  Cobaltblue.prismusa.com    192.168.1.162
NAVYBLUE  7/13/2009 11:34  salmon.prismusa.com        192.168.1.144

Report 4: DHCP DNS update successful

DHCP - DNS update successful Detail Report:

Computer  Log Time         Client Host Name           Client IP Address
NAVYBLUE  7/13/2009 11:32  Aqua.prismusa.com          192.168.1.134
NAVYBLUE  7/13/2009 11:32  navyblue.prismusa.com      192.168.1.144
NAVYBLUE  7/13/2009 11:32  rallen.prismusa.com        192.168.1.149
NAVYBLUE  7/13/2009 11:32  swisscoffee.prismusa.com   192.168.1.195
NAVYBLUE  7/13/2009 11:32  black.prismusa.com         192.168.1.150
NAVYBLUE  7/13/2009 11:32  Plum.prismusa.com          192.168.1.173
NAVYBLUE  7/13/2009 11:32  LEMONYELLOW.prismusa.com   192.168.1.130
NAVYBLUE  7/13/2009 11:32  LEMONYELLOW.prismusa.com   192.168.1.166
NAVYBLUE  7/13/2009 11:32  salmon.prismusa.com        192.168.1.190
NAVYBLUE  7/13/2009 11:32  maroon.prismusa.com        192.168.1.194
NAVYBLUE  7/13/2009 11:32  Cobaltblue.prismusa.com    192.168.1.159
NAVYBLUE  7/13/2009 11:32  Khakki.prismusa.com        192.168.1.165
NAVYBLUE  7/13/2009 11:32  erm6.prismusa.com          192.168.1.164
NAVYBLUE  7/13/2009 11:32  snow.prismusa.com          192.168.1.147
NAVYBLUE  7/13/2009 11:32  salmon.prismusa.com        192.168.1.190
NAVYBLUE  7/13/2009 11:32  INDIANRED.prismusa.com     192.168.1.152

About EventTracker

EventTracker is a scalable, enterprise-class Security Information and Event Management (SIEM) solution for Windows systems, Syslog/Syslog NG (UNIX and many networking devices), SNMP V1/2, legacy systems, applications and databases. EventTracker enables defense in depth, where log data is automatically collected, correlated and analyzed from the perimeter security devices down to the applications and databases.

To prevent security breaches, event log data becomes most useful when interpreted in near real time and in context. Context is vitally important because often the critical indications of impending problems and security violations can only be learned by watching patterns of events across multiple systems. Complex rules can be run on the event stream to detect signs of such a breach. EventTracker also provides real-time alerting capability in the form of an email, page or SNMP message to proactively alert security personnel to an impending security breach.

The original log data is securely stored in a highly compressed event repository for compliance purposes and later forensic analysis. For compliance, EventTracker provides a powerful reporting interface, scheduled or on-demand report generation, automated compliance workflows that prove to auditors that reports are being reviewed, and many other features. With pre-built auditor-grade reports included for most of the compliance standards (FISMA, HIPAA, SOX, GLBA, PCI, and more), EventTracker represents a compliance solution that is second to none. EventTracker also provides advanced forensic capability where all the stored logs can be quickly searched through a powerful Google-like search interface to perform quick problem determination.

EventTracker lets users completely meet the logging requirements specified in NIST SP 800-92, Guide to Computer Security Log Management, and additionally provides Host Based Intrusion Detection, Change Monitoring and USB activity tracking on Windows systems, all in an off-the-shelf, affordable software solution.

EventTracker provides the following benefits:

- A highly scalable, component-based architecture that consolidates all Windows, SNMP V1/V2, legacy platforms, Syslog received from routers, switches, firewalls, critical UNIX servers (Red Hat Linux, Solaris, AIX etc.), Solaris BSM, workstations and various other SYSLOG generating devices.
- Automated archival mechanism that stores activities over an extended period to meet auditing requirements. The complete log is stored in a highly compressed (>90%), secured (sealed with SHA-1 checksum) archive that is limited only by the amount of available disk storage.
- Real-time monitoring and parsing of all logs to analyze user activities such as logon failures and failed attempts to access restricted information.
- Alerting interface that generates custom alert actions via email, pager, console message, etc.
- Event correlation modules to constantly monitor for malicious hacking activity. In conjunction with alerts, this is used to inform network security officers and security administrators in real time. This helps minimize the impact of breaches.
- Various types of network activity reports, which can be scheduled or generated as required for any investigation or for meeting audit compliance.
- Host-based Intrusion Detection (HIDS).
- Role-based, secure event and reporting console for data analysis.
- Change Monitoring on Windows machines.
- USB Tracking, including restricted use, insert/removal recording, and a complete audit trail of all files copied to the removable device.
- Built-in compliance workflows to allow inspection and annotation of the generated reports.

About Prism Microsystems

Prism Microsystems, Inc. delivers business-critical solutions to consolidate, correlate and detect changes that could impact the performance, availability and security of your IT infrastructure. With a proven history of innovation and leadership, Prism provides easy-to-deploy products and solutions for integrated Security Management, Change Management and Intrusion Detection. EventTracker, Prism's market-leading enterprise log management solution, enables commercial enterprises, educational institutions and government organizations to increase the security of their environments and reduce risk to their enterprise. Customers span multiple sectors including financial, communications, scientific, healthcare, banking and consulting.

Prism Microsystems was formed in 1999 and is a privately held corporation with corporate headquarters in the Baltimore-Washington high tech corridor. Research and development facilities are located in both Maryland and India. These facilities have been independently appraised in accordance with the Software Engineering Institute's Appraisal Framework, and were deemed to meet the goals of SEI Level 3 for CMM. For additional information, please visit http://www.eventtracker.com/.