The Raxco toolkit is the commercial equivalent of COPS. While it doesn't report a current intrusion, its accounts report includes a list of failed log-in attempts. If you pull the report into a database, delete all the informational text and leave just the failed login's, then index it on remote system and login date/time and look at the data, any attempts to break in are fairly apparent, especially during off hours. Of course, once your intruder has successfully cracked passwords and gets in without any failed log-in's, a different reports becomes important. Other reports tell you exactly what was changed and when it was changed although they don't tell you who made the change. Hog Farmer