Security Basics mailing list archives
RE: MS Audit logs
From: "Hayes, Ian" <Ian.Hayes () wynnlasvegas com>
Date: Wed, 24 May 2006 09:01:33 -0700
-----Original Message-----
From: Davie Elliott - Eluse [mailto:delliott () eluse co uk]
Sent: Sunday, May 21, 2006 6:27 AM
To: security-basics () securityfocus com
Subject: MS Audit logs

Hi everyone, I'm a bit of a newbie administrator, and I have a quick question about Microsoft Windows audit logs. Right now I have ticked every audit option in the main GPO, so I get tons of audit objects to trawl through every week. I was reading somewhere that MS audit logs cycle or something, so after 24 hours I have lost some audit objects.
Actually the logs will cycle depending on how you have the Security log set up. They won't cycle after 24 hours if you make the logfile large enough so that it can hold more than 24 hours of data. Additionally, you can set up the log to overwrite the oldest entries as needed (sounds like you're set up like this already), or to only overwrite entries older than X days. You can also configure it so that the server will halt if it can't write to the Security log - look up CrashOnAuditFail on Google.
Also, I don't really know what I'm looking for in the audit logs anyway... except for maybe checking if some user accounts have been used when they shouldn't have.

Anyway, I was wondering what software would be good for managing the audit logs?... I think I read a blog from an MS employee saying someone should use 3rd party software for managing the audit logs instead of the built-in Windows thing.
We use an app that grabs the event entries as they're written and sends them via syslog to a Linux system, and use Splunk to aggregate and analyze them.

--
Ian Hayes | Senior Systems Engineer
Wynn Las Vegas
3131 South Las Vegas Blvd, Las Vegas, NV 89109
Ph (702) 770-3252 | Cell (702) 266-6002
Ian.hayes () wynnlasvegas com
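Once the Security events are being forwarded off the box as in Ian's setup, the "was this account used when it shouldn't have been" question from the original post becomes a simple filter over the forwarded lines. The following is an added example written for this archive page, not code from either poster: it parses constructed syslog-style lines (the field layout `EventID=... User=... LogonType=... Src=...` is an assumption; real forwarding agents each use their own format, so adjust the regex) and flags successful logons that fall outside a per-account allowed window. Event ID 4624 is the Vista-and-later successful-logon event; 2003-era servers used 528/540 for the same thing.

```python
"""Flag successful logons that fall outside each account's allowed hours,
working from syslog-forwarded Windows Security events."""
import re
from datetime import time

# Constructed sample lines in an assumed forwarder format (not real data).
SAMPLE_LINES = [
    "May 24 09:01:33 DC01 Security: EventID=4624 User=jsmith LogonType=2 Src=10.0.0.21",
    "May 24 02:14:07 DC01 Security: EventID=4624 User=jsmith LogonType=10 Src=10.0.0.99",
    "May 24 23:50:12 FS02 Security: EventID=4624 User=backup_svc LogonType=4 Src=-",
    "May 24 11:30:00 DC01 Security: EventID=4625 User=jsmith LogonType=2 Src=10.0.0.21",
    "May 24 12:00:00 FS02 Security: EventID=4624 User=mwong LogonType=2 Src=10.0.0.40",
]

# Assumed line layout; real agents differ, so this regex is the one thing
# you would expect to change when pointing the script at live data.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) Security: EventID=(?P<eid>\d+) User=(?P<user>\S+) "
    r"LogonType=(?P<ltype>\d+) Src=(?P<src>\S+)$"
)

SUCCESS_LOGON = "4624"  # Vista+ successful logon (legacy: 528/540)

# Allowed logon windows per account as (start, end) local times. Windows may
# wrap past midnight, which matters for service accounts that run at night.
ALLOWED_HOURS = {
    "backup_svc": (time(22, 0), time(4, 0)),
}
DEFAULT_HOURS = (time(7, 0), time(19, 0))


def parse_line(line):
    """Return the event fields as a dict, or None if the line is not a
    Security event in the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    h, mi, s = (int(x) for x in fields["time"].split(":"))
    fields["t"] = time(h, mi, s)
    return fields


def in_window(t, window):
    """True if time t falls inside [start, end), handling windows that
    cross midnight (start > end)."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def find_off_hours_logons(lines):
    """Return (user, host, time, source) for every successful logon that
    occurred outside the account's allowed window. Failed logons and
    unparseable lines are skipped."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["eid"] != SUCCESS_LOGON:
            continue
        window = ALLOWED_HOURS.get(ev["user"], DEFAULT_HOURS)
        if not in_window(ev["t"], window):
            hits.append((ev["user"], ev["host"], ev["time"], ev["src"]))
    return hits


if __name__ == "__main__":
    for user, host, when, src in find_off_hours_logons(SAMPLE_LINES):
        print(f"off-hours logon: {user} on {host} at {when} from {src}")
```

With the constructed sample, only the 02:14 logon by `jsmith` is reported; the overnight `backup_svc` logon is inside its own window and the 4625 failure is ignored. The same filter expressed as a scheduled search in Splunk (or whatever aggregator sits on the Linux side) is what turns a pile of audit objects into something worth reading each week.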
Current thread:
- MS Audit logs Davie Elliott - Eluse (May 23)
- RE: MS Audit logs dave kleiman (May 23)
- <Possible follow-ups>
- RE: MS Audit logs Sarbjit Singh Gill (May 24)
- RE: MS Audit logs Hayes, Ian (May 24)
- RE: MS Audit logs Nick Vaernhoej (May 25)
- RE: MS Audit logs Daniel Cid (May 29)