Security Basics mailing list archives

RE: MS Audit logs


From: "Hayes, Ian" <Ian.Hayes () wynnlasvegas com>
Date: Wed, 24 May 2006 09:01:33 -0700

-----Original Message-----
From: Davie Elliott - Eluse [mailto:delliott () eluse co uk]
Sent: Sunday, May 21, 2006 6:27 AM
To: security-basics () securityfocus com
Subject: MS Audit logs

Hi everyone,

I'm a bit of a newbie administrator, and I have a quick question about
Microsoft windows audit logs.

Right now I have ticked every audit option in the main GPO, so I get tons
of audit objects to trawl through every week.
I was reading somewhere that MS Audit logs cycle or something so after 24
hours I have lost some audit objects.

Actually the logs will cycle depending on how you have the Security log
set up. They won't cycle after 24 hours if you make the logfile large
enough so that it can hold more than 24 hours of data. Additionally, you
can set up the log to overwrite the oldest entries as needed (sounds
like you're set up like this already), or to only overwrite entries
older than X days.

You can also configure it so that the server will halt if it can't write
to the Security log - look up CrashOnAuditFail on Google.

Also, I don't really know what I'm looking for in the audit logs
anyway... except for maybe checking if some user accounts have been
used when they shouldn't have.

Anyways, I was wondering what software would be good for managing the
audit logs?... I think I read a blog from an MS employee saying someone
should use 3rd party software for managing the audit logs instead of the
built-in windows thing.

We use an app that grabs the event entries as they're written and sends
them via syslog to a Linux system and use Splunk to aggregate and
analyze them.

--
Ian Hayes | Senior Systems Engineer
Wynn Las Vegas
3131 South Las Vegas Blvd, Las Vegas, NV 89109
Ph (702) 770-3252 | Cell (702) 266-6002
Ian.hayes () wynnlasvegas com
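The retention and CrashOnAuditFail settings Ian describes, as an added example that is not part of the original thread. It measures how fast the Security log fills, sizes it so it holds well over 24 hours, sets the "overwrite entries older than X days" policy, and reads the CrashOnAuditFail value. It assumes an elevated Windows PowerShell 5.1 session on the server itself (Limit-EventLog is not available in PowerShell 7); the 30-day target and the 128 MB floor are assumptions, not values from the post.

```powershell
# Added example, not part of the original thread: size the Security log so
# it holds more than a day of events, set the overwrite policy, and inspect
# CrashOnAuditFail. Needs an elevated Windows PowerShell 5.1 session on the
# server. The 30-day retention target and the 128 MB floor are assumptions;
# derive yours from the measured fill rate.

# 1. Measure how quickly the Security log is filling, so the size is not a guess.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
if (-not $oldest) { throw 'Security log is empty; nothing to measure yet.' }
$span     = (Get-Date) - $oldest.TimeCreated
$usedMB   = $log.FileSize / 1MB
$mbPerDay = $usedMB / [math]::Max($span.TotalDays, 0.01)   # avoid divide-by-zero on a fresh log
'Security log: {0:N0} MB used of {1:N0} MB, covering {2:N1} hours ({3:N1} MB/day)' -f `
    $usedMB, ($log.MaximumSizeInBytes / 1MB), $span.TotalHours, $mbPerDay

# 2. Room for ~30 days at the observed rate, rounded up to a 64 MB boundary
#    and never below 128 MB. The size must be a multiple of 64 KB.
$retainDays = 30
$targetMB   = [math]::Max(128, [math]::Ceiling($mbPerDay * $retainDays / 64) * 64)
Limit-EventLog -LogName Security -MaximumSize ([int64]$targetMB * 1MB) `
    -OverflowAction OverwriteOlder -RetentionDays $retainDays
# OverflowAction alternatives: OverwriteAsNeeded (oldest entries go first,
# the usual default) or DoNotOverwrite (logging stops when the log is full).

# 3. CrashOnAuditFail under HKLM\SYSTEM\CurrentControlSet\Control\Lsa:
#    0 = keep running if an audit record cannot be written (default)
#    1 = halt the system instead (the GPO setting "Audit: Shut down system
#        immediately if unable to log security audits")
#    2 = set by Windows after such a halt; only administrators can log on
#        until it is reset to 0 or 1.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$cur = (Get-ItemProperty -Path $lsa -Name CrashOnAuditFail -ErrorAction SilentlyContinue).CrashOnAuditFail
"CrashOnAuditFail is currently: $(if ($null -eq $cur) { 'not set (behaves as 0)' } else { $cur })"
# Enabling it trades availability for audit completeness; pair it with step 2
# so a full log is rare. Uncomment to turn it on:
# Set-ItemProperty -Path $lsa -Name CrashOnAuditFail -Value 1 -Type DWord
```

The fill-rate measurement is the part worth keeping: "big enough for 24 hours" depends entirely on how much auditing is switched on, and a box with every audit category ticked can produce an order of magnitude more per day than one with only logon auditing. Run step 1 on each server class before picking a size, and re-check after changing the audit policy.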

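The pipeline Ian describes, pulling Security events as they are written and shipping them by syslog to a Linux box for Splunk, as an added example that is not the product he uses nor part of the original thread. The collector host name, port and state-file path are assumptions; it assumes Windows PowerShell on a Vista-or-later host with Get-WinEvent.

```powershell
# Added example, not part of the original thread: forward new Security-log
# events as RFC 3164 syslog lines over UDP to a Linux collector, which
# rsyslog or Splunk can then index. Collector name, port and state-file path
# are assumptions. Run it from a scheduled task every minute; the state file
# records the last EventRecordID sent so nothing is re-sent or skipped.
param(
    [string]$Collector = 'syslog.example.internal',        # assumed host
    [int]$Port         = 514,
    [string]$StateFile = "$env:ProgramData\seclog-forwarder.state",
    [int]$Batch        = 5000
)

$lastId   = if (Test-Path $StateFile) { [int64](Get-Content $StateFile) } else { 0 }
$computer = $env:COMPUTERNAME
$facility = 13          # RFC 3164 facility 13 = log audit

# One single-line syslog datagram per event: syslog is line oriented, so the
# multi-line Windows message is collapsed and capped at about 1 KB.
function ConvertTo-SyslogLine {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $severity = if ($Event.KeywordsDisplayNames -contains 'Audit Failure') { 4 } else { 6 }  # warning / informational
    $pri  = $facility * 8 + $severity
    $t    = $Event.TimeCreated
    $ts   = '{0} {1,2} {2:HH:mm:ss}' -f $t.ToString('MMM', [cultureinfo]::InvariantCulture), $t.Day, $t
    $msg  = ($Event.Message -replace '\s+', ' ').Trim()
    $line = "<$pri>$ts $computer Security[EventID=$($Event.Id) RecordID=$($Event.RecordId)]: $msg"
    if ($line.Length -gt 1024) { $line = $line.Substring(0, 1024) }
    return $line
}

$udp = New-Object System.Net.Sockets.UdpClient
$udp.Connect($Collector, $Port)
$sent = 0
try {
    # XPath on EventRecordID plus -Oldest gives ascending order, so the
    # checkpoint only moves forward and a large backlog is drained in order
    # over successive runs instead of being skipped.
    $events = Get-WinEvent -LogName Security -Oldest -MaxEvents $Batch `
        -FilterXPath "*[System[EventRecordID > $lastId]]" -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $bytes = [Text.Encoding]::UTF8.GetBytes((ConvertTo-SyslogLine $e))
        [void]$udp.Send($bytes, $bytes.Length)
        $lastId = $e.RecordId
        $sent++
    }
}
finally {
    $udp.Close()
    Set-Content -Path $StateFile -Value $lastId   # checkpoint, even after a partial failure
}
"Forwarded $sent Security events to ${Collector}:$Port (last RecordID $lastId)"
```

Two caveats a practitioner would want before relying on this: plain UDP syslog is neither acknowledged nor encrypted, so events can be lost or read in transit, and the flattened message text loses the structured fields (account name, logon type, source address) that make "was this account used when it shouldn't have been" queries cheap. For production use the same design with syslog over TLS, or let Windows Event Forwarding or the collector's own Windows agent carry the event XML intact.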
