Security Basics mailing list archives
RE: MS Audit logs
From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Thu, 25 May 2006 08:19:00 -0500
For gathering the logs I always recommend Snare. The client installs and, if you choose so, it sets up to capture just about all possible events. You then choose a location for it to save. This way you can save logs until you run out of space and decide to delete or back them up. I believe the Snare server even has some alerting function when it comes to suspicious log entries based on the event ID.

Here we use Snare clients with a Kiwi server; the Snare server did not perform very well with higher amounts of traffic.

Hope it helps.

Nick

-----Original Message-----
From: Davie Elliott - Eluse [mailto:delliott () eluse co uk]
Sent: Sunday, May 21, 2006 8:27 AM
To: security-basics () securityfocus com
Subject: MS Audit logs

Hi everyone,

I'm a bit of a newbie administrator, and I have a quick question about Microsoft Windows audit logs. Right now I have ticked every audit option in the main GPO, so I get tons of audit objects to trawl through every week. I was reading somewhere that MS audit logs cycle or something, so after 24 hours I have lost some audit objects. Also, I don't really know what I'm looking for in the audit logs anyway... except for maybe checking if some user accounts have been used when they shouldn't have.

Anyways, I was wondering what software would be good for managing the audit logs? I think I read a blog from an MS employee saying someone should use third-party software for managing the audit logs instead of the built-in Windows thing.

Thanks for your help,

Davie.
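The thread touches on two things a collector like Snare feeding a syslog server makes possible: alerting on particular event IDs, and Davie's question of how to spot accounts being used when they should not be. The script below is an added example written for this archive page, not code from Snare, Kiwi or either poster. It parses constructed, tab-delimited lines laid out loosely like the Snare agent's Windows event records (the field order here is an assumption of the example, so check your agent's own documentation before relying on it), then flags successful logons outside an assumed Monday to Friday 07:00 to 19:00 window and any event ID on a watch list. The event IDs used are the pre-Vista Security log values (528/540 successful logon, 529 logon failure, 612 audit policy change), which is what a 2006-era Windows 2000/2003 domain would emit; the function and constant names are the example's own.

```python
"""Off-hours logon and event-ID alerting over Snare-style syslog lines (added example)."""
from datetime import datetime, time

# Field layout assumed for this example: a simplified Snare-like record.
FIELDS = ["tag", "criticality", "log", "counter", "timestamp", "event_id", "source",
          "user", "sid_type", "event_type", "host", "category", "message"]

# Pre-Vista Security log IDs for successful logons (528 interactive, 540 network).
LOGON_EVENT_IDS = {528, 540}

# Event IDs that warrant an alert regardless of time of day (assumed watch list).
WATCHED_EVENT_IDS = {
    529: "failed logon",
    612: "audit policy changed",
}

# Assumed business-hours window: Monday to Friday, 07:00 to 19:00.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

# Constructed sample records; May 22 2006 is a Monday, May 27 2006 a Saturday.
SAMPLE_LINES = [
    "MSWinEventLog\t1\tSecurity\t101\tMon May 22 02:14:07 2006\t528\tSecurity\tEXAMPLE\\jdoe\tUser\tSuccess Audit\tDC01\tLogon/Logoff\tSuccessful Logon: Logon Type: 2",
    "MSWinEventLog\t1\tSecurity\t102\tMon May 22 09:05:41 2006\t528\tSecurity\tEXAMPLE\\asmith\tUser\tSuccess Audit\tDC01\tLogon/Logoff\tSuccessful Logon: Logon Type: 2",
    "MSWinEventLog\t1\tSecurity\t103\tMon May 22 09:06:12 2006\t529\tSecurity\tEXAMPLE\\asmith\tUser\tFailure Audit\tDC01\tLogon/Logoff\tLogon Failure: Unknown user name or bad password",
    "MSWinEventLog\t1\tSecurity\t104\tSat May 27 11:30:00 2006\t540\tSecurity\tEXAMPLE\\svc_backup\tUser\tSuccess Audit\tFS01\tLogon/Logoff\tSuccessful Network Logon",
    "MSWinEventLog\t1\tSecurity\t105\tMon May 22 09:07:00 2006\t612\tSecurity\tEXAMPLE\\admin\tUser\tSuccess Audit\tDC01\tPolicy Change\tAudit Policy Change",
]


def parse_line(line):
    """Split one record into a dict; return None for lines that are not Snare-style events."""
    # Limit the split so tabs inside the free-text message field are preserved.
    parts = line.rstrip("\n").split("\t", len(FIELDS) - 1)
    if len(parts) != len(FIELDS) or parts[0] != "MSWinEventLog":
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["timestamp"] = datetime.strptime(rec["timestamp"], "%a %b %d %H:%M:%S %Y")
        rec["event_id"] = int(rec["event_id"])
    except ValueError:
        return None  # malformed timestamp or event ID: skip rather than crash the collector
    return rec


def is_business_hours(ts):
    """True for a weekday timestamp inside the assumed working window."""
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END


def evaluate(lines):
    """Return (reason, user, host, event_id) tuples for every record that trips a rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event_id"] in LOGON_EVENT_IDS and not is_business_hours(rec["timestamp"]):
            alerts.append(("off-hours logon", rec["user"], rec["host"], rec["event_id"]))
        if rec["event_id"] in WATCHED_EVENT_IDS:
            alerts.append((WATCHED_EVENT_IDS[rec["event_id"]], rec["user"], rec["host"], rec["event_id"]))
    return alerts


if __name__ == "__main__":
    for reason, user, host, event_id in evaluate(SAMPLE_LINES):
        print(f"{reason:22} user={user:24} host={host:6} event_id={event_id}")
```

Run against the samples it reports four alerts: the 02:14 and Saturday logons, the failed logon, and the audit policy change. In practice you would read the lines from the syslog server's daily file instead of `SAMPLE_LINES`, and tune the window and watch list to your environment; service accounts that legitimately run at night need their own allow-list or the off-hours rule will be nothing but noise.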
Current thread:
- MS Audit logs Davie Elliott - Eluse (May 23)
- RE: MS Audit logs dave kleiman (May 23)
- <Possible follow-ups>
- RE: MS Audit logs Sarbjit Singh Gill (May 24)
- RE: MS Audit logs Hayes, Ian (May 24)
- RE: MS Audit logs Nick Vaernhoej (May 25)
- RE: MS Audit logs Daniel Cid (May 29)