LogAnalysis
RE: [logs] Syslog and Windows Jun 26 2007 08:00PM
Rainer Gerhards (rgerhards hq adiscon com)
Eric,

I am of course in no position to request anything, but... In my personal view, it would be beneficial if Active Directory would have an operator-configurable retention period for GUIDs (just like SID history).

Besides, one can create his own repository of object IDs - all that needs to be done is periodically query AD and extract GUIDs (thankfully, they are GUIDs ;)).

Just my 2cts, probably worth less ;)

Rainer

> -----Original Message-----
> From: loganalysis-bounces (at) loganalysis (dot) org
> [mailto:loganalysis-bounces (at) loganalysis (dot) org] On Behalf Of
> Eric Fitzgerald
> Sent: Tuesday, June 26, 2007 9:06 PM
> To: Vincent Bernat; loganalysis
> Subject: RE: [logs] Syslog and Windows
>
> The viewer will no longer be able to look up an account which
> has been deleted.
>
> Note that a similar problem occurs if you just embed the
> name; if the account is renamed you lose track of the
> account's activities with standard queries.
>
> This was addressed in Windows Vista which now embeds the SID
> and the textual account name.
>
> Eric
>
>
> -----Original Message-----
> From: loganalysis-bounces (at) loganalysis (dot) org
> [mailto:loganalysis-bounces (at) loganalysis (dot) org] On Behalf Of
> Vincent Bernat
> Sent: Monday, June 25, 2007 12:59 PM
> To: loganalysis
> Subject: Re: [logs] Syslog and Windows
>
> OoO During the television news on Monday, 25 June 2007, around
> 20:54, Eric Fitzgerald <Eric.Fitzgerald (at) microsoft (dot) com> said:
>
> > In Windows events, it's common to embed invariants rather than strings-
> > for instance instead of storing "Account Enabled" we store "%%2048";
> > which Event Viewer looks up as "Account Enabled" in the locale of the
> > viewer. Likewise we store security IDs and AD object GUIDs rather than
> > the actual names of the objects; the names have to be looked up before
> > presenting to the user; in SEM this is typically done at the agent prior
> > to transmission to the SEM server.
>
> What happens if a user gets deleted from AD?
> --
> BEWITCHED, DOES NOT PROMOTE SATANISM
> BEWITCHED, DOES NOT PROMOTE SATANISM
> BEWITCHED, DOES NOT PROMOTE SATANISM
> -+- Bart Simpson on chalkboard in episode 2F17
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis (at) loganalysis (dot) org
> http://www.loganalysis.org/mailman/listinfo/loganalysis

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org
http://www.loganalysis.org/mailman/listinfo/loganalysis
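
The repository of object IDs suggested in the message above, sketched as an added example (not code from the thread or from any product mentioned in it). It assumes a separate periodic directory query supplies (objectGUID, objectSid, sAMAccountName) tuples; `IdRepository`, `build_demo` and the sample GUIDs, SIDs and names are constructed for illustration.

```python
import sqlite3

class IdRepository:
    """Keeps every (GUID, SID, name) ever seen, so lookups survive deletion and rename."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS ids (guid TEXT, sid TEXT, name TEXT,"
            " first_seen TEXT, last_seen TEXT, PRIMARY KEY (guid, name))")

    def record_snapshot(self, when, rows):
        """rows: (objectGUID, objectSid, sAMAccountName) tuples from one directory query."""
        for guid, sid, name in rows:
            cur = self.db.execute(
                "UPDATE ids SET last_seen = ? WHERE guid = ? AND name = ?",
                (when, guid.lower(), name))
            if cur.rowcount == 0:  # new object, or a known GUID under a new name
                self.db.execute("INSERT INTO ids VALUES (?, ?, ?, ?, ?)",
                                (guid.lower(), sid, name, when, when))
        self.db.commit()

    def history(self, key):
        """Every name recorded for a GUID or SID, oldest first."""
        return self.db.execute(
            "SELECT name, first_seen, last_seen FROM ids"
            " WHERE guid = ? OR sid = ? ORDER BY first_seen",
            (key.lower(), key)).fetchall()

    def resolve(self, key, at=None):
        """Name in use at ISO date `at` (default: latest known); None if never seen."""
        names = [n for n, first, _ in self.history(key) if at is None or first <= at]
        return names[-1] if names else None

# Constructed sample data: three periodic snapshots of a fictional domain.
JDOE = ("6f9619ff-8b86-d011-b42d-00c04fc964ff", "S-1-5-21-1111-2222-3333-1105")
ASMITH = ("0e2a9c11-4d3b-4f6a-9a57-1c2d3e4f5a6b", "S-1-5-21-1111-2222-3333-1106")

def build_demo():
    repo = IdRepository()
    repo.record_snapshot("2007-06-01", [JDOE + ("jdoe",), ASMITH + ("asmith",)])
    repo.record_snapshot("2007-06-15", [JDOE + ("jdoe-admin",), ASMITH + ("asmith",)])  # rename
    repo.record_snapshot("2007-06-26", [JDOE + ("jdoe-admin",)])  # asmith deleted
    return repo

if __name__ == "__main__":
    repo = build_demo()
    print(repo.resolve(ASMITH[1]))                 # deleted account still resolves
    print(repo.resolve(JDOE[1], at="2007-06-10"))  # name in use when the event was logged
    print(repo.history(JDOE[0]))
```

The `last_seen` column also shows roughly when an object disappeared or changed name, which helps when correlating old events against accounts that no longer exist.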

Copyright 2010, SecurityFocus