There are numerous other events, many of low criticality, that deserve monitoring and alerting when they occur in an anomalous way (these are listed in my downloadable Excel file). Failed log-ons are a good example. Every large environment sees dozens to hundreds of failed but nonmalicious log-ons every day, simply because people can't type their passwords or PINs correctly every time. An alert should be generated, however, when the number of failed log-ons in a given time period suddenly exceeds the expected amount, or when failures occur across a wider cross-section of computers than normal. The cause may be nothing more than an errant script still using an old password, but it could also be an attacker guessing passwords.
No event log monitoring plan should be complete without a few well-placed honeypots. In those cases, any attempted log-ons to the fake systems should generate alerts.
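The three alerting rules just described (failed log-on volume above a baseline for a time window, failed log-ons spread across more hosts than normal, and any log-on attempt against a honeypot) as a worked example. This is added illustration code, not from the article or its Excel file; the log record layout, the tumbling 10-minute window, the baseline values, the host names and the honeypot name are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log-on records (timestamp, host, account, outcome).
# They are made up for this example and are not real event-log data.
SAMPLE_EVENTS = [
    # Normal background noise: people mistyping a password, then succeeding.
    ("2024-03-01T09:00:05", "WS-101", "alice", "failure"),
    ("2024-03-01T09:00:09", "WS-101", "alice", "success"),
    ("2024-03-01T09:03:40", "WS-204", "bob", "failure"),
    ("2024-03-01T09:04:02", "WS-204", "bob", "success"),
    ("2024-03-01T09:07:11", "WS-310", "carol", "failure"),
] + [
    # Burst of failures against one account on one host (volume anomaly).
    (f"2024-03-01T09:12:{s:02d}", "WS-101", "admin", "failure") for s in range(7)
] + [
    # One account failing on many hosts: a script with a stale password or
    # someone guessing; either way the spread is unusual (spread anomaly).
    (f"2024-03-01T09:21:{s:02d}", f"WS-{100 + s}", "svc-backup", "failure")
    for s in range(4)
] + [
    # A single log-on attempt against a decoy system.
    ("2024-03-01T09:31:00", "HP-FILESRV", "admin", "failure"),
]

HONEYPOT_HOSTS = {"HP-FILESRV"}          # assumed decoy host name
WINDOW = timedelta(minutes=10)           # assumed tumbling window length
BASELINE_FAILURES_PER_WINDOW = 5         # assumed, e.g. learned from prior weeks
BASELINE_DISTINCT_HOSTS_PER_WINDOW = 3   # assumed, e.g. learned from prior weeks


def parse_events(records):
    """Turn the constructed text records into typed tuples."""
    return [(datetime.fromisoformat(ts), host, account, outcome)
            for ts, host, account, outcome in records]


def window_start(ts, window=WINDOW):
    """Floor a timestamp to the start of its tumbling window within the day."""
    day_start = datetime(ts.year, ts.month, ts.day)
    return day_start + ((ts - day_start) // window) * window


def failed_logon_alerts(events, window=WINDOW,
                        max_failures=BASELINE_FAILURES_PER_WINDOW,
                        max_hosts=BASELINE_DISTINCT_HOSTS_PER_WINDOW):
    """Group failed log-ons into windows and flag windows whose volume or host
    spread exceeds the baseline. Returns (window_start, rule, observed) tuples."""
    failures_by_window = defaultdict(list)
    for ts, host, account, outcome in events:
        if outcome == "failure":
            failures_by_window[window_start(ts, window)].append((host, account))
    alerts = []
    for start in sorted(failures_by_window):
        fails = failures_by_window[start]
        hosts = {host for host, _ in fails}
        if len(fails) > max_failures:          # more failures than normal
            alerts.append((start, "failure-volume", len(fails)))
        if len(hosts) > max_hosts:             # wider spread than normal
            alerts.append((start, "failure-spread", len(hosts)))
    return alerts


def honeypot_alerts(events, honeypots=HONEYPOT_HOSTS):
    """Any log-on attempt against a decoy host is an alert, success or not:
    no legitimate user has a reason to log on there."""
    return [(ts, host, account, outcome)
            for ts, host, account, outcome in events if host in honeypots]


def run(records=SAMPLE_EVENTS):
    events = parse_events(records)
    return {"failed_logon": failed_logon_alerts(events),
            "honeypot": honeypot_alerts(events)}


if __name__ == "__main__":
    for kind, items in run().items():
        for item in items:
            print(kind, *item)
```

On the constructed input the 09:00 window stays quiet (three failures on three hosts, within both baselines), the 09:10 window fires only the volume rule, the 09:20 window fires only the spread rule, and the honeypot rule fires on the single decoy log-on regardless of the window statistics. In practice the baselines would be derived per environment from a few weeks of history rather than hard-coded.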
There is far more to security event log monitoring systems than can be covered in a short article, but if you've ever wanted someone to give you a specific list of events that you should be monitoring and alerting on, you have it now.
This story, "What to monitor to stop hacker and malware attacks," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.