intrusion detection

Shayne D. Swann · Jun 14, 2005

Does anyone know of a tool that I can use to monitor the Security logs for
event ID 681's? I currently use event combmt to periododiclly monitor the
event logs for event ID 681,s. But this is some what ineffective for
proactivily monitoring for brut force attacks. We do not use MOM here (we
are too cheap). Is there a tool that I can use to report if X number of 681
per minute are flagged on a domain controller it will generate an email to
the domain admins?

Simon Geary · Jun 14, 2005

Log Parser can query the DCs for specified event IDs but I'm not sure about
the email sending part though, worth a look anyway. If it doesn't have a
built in email capability you could maybe script it using blat.

http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx

DCOM Autho Error 529 and 681 with Default Authentication Level = N	1	Mar 16, 2005
Event 529 and 681	5	Mar 12, 2005
Implementaion of securedc.inf / Event ID 529 & 681	2	Apr 22, 2004
Security Event ID 529 & 681 / source= outside domains	1	Apr 22, 2004
Users in Win98 workstations having account locked in Active Direct	5	Dec 30, 2004
Local User cannot logon onto domain server	1	May 3, 2004
Failure Audits in Event log question	1	Dec 19, 2003
Event ID 681	3	Mar 9, 2005

intrusion detection

Shayne D. Swann

Simon Geary

Ask a Question

Similar Threads