Security Basics mailing list archives

RE: MS Audit logs


From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Thu, 25 May 2006 08:19:00 -0500

For gathering the logs I always recommend Snare. The client installs and
if you choose so it sets up to capture just about all possible events.
You then choose a location for it to save. This way you can save logs
until you run out of space and decide to delete or back them up. I
believe the Snare server even has some alerting function when it comes
to suspicious log entries based on the event ID.
Here we use Snare clients with a Kiwi server; the Snare server did not
perform very well with higher amounts of traffic.

Hope it helps.
Nick

-----Original Message-----
From: Davie Elliott - Eluse [mailto:delliott () eluse co uk] 
Sent: Sunday, May 21, 2006 8:27 AM
To: security-basics () securityfocus com
Subject: MS Audit logs

Hi everyone,

I'm a bit of a newbie administrator, and I have a quick question about
Microsoft windows audit logs.

Right now I have ticked every audit option in the main GPO, so I get
tons of audit objects to trawl through every week.
I was reading somewhere that MS Audit logs cycle or something, so after
24 hours I have lost some audit objects.
Also, I don't really know what I'm looking for in the audit logs
anyway... except for maybe checking if some user accounts have been used
when they shouldn't have.

Anyways, I was wondering what software would be good for managing the
audit logs?... I think I read a blog from an MS employee saying someone
should use 3rd party software for managing the audit logs instead of the
built-in windows thing.

Thanks for your help,

Davie.
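Since the thread's concrete question is how to spot accounts used when they shouldn't be, here is an added example (not from either poster, and not Snare or Kiwi code) that runs that check over a few constructed Snare-style tab-delimited lines; the field layout, the business-hours window and the watched logon event IDs are assumptions for the example.

```python
# Added example: flag logons outside business hours in Snare-style Windows event
# lines. The tab-delimited layout below is a simplified, constructed approximation
# of what a Snare agent forwards over syslog, not the agent's exact specification.
from datetime import datetime

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time; assumption for the example
WATCHED_EVENT_IDS = {"528", "540", "4624"}  # successful logon events (NT/2003, Vista+)


def parse_snare_line(line):
    """Split one constructed Snare-like line into the fields this check uses."""
    fields = line.rstrip("\n").split("\t")
    # assumed layout: host, tag, criticality, log, counter, date, event_id, source, user, ...
    if len(fields) < 9:
        return None  # malformed or truncated line; skip rather than crash
    return {
        "host": fields[0],
        "date": datetime.strptime(fields[5], "%a %b %d %H:%M:%S %Y"),
        "event_id": fields[6],
        "user": fields[8],
    }


def off_hours_logons(lines, watched_users):
    """Return (user, host, iso_timestamp) for watched users logging on off-hours."""
    hits = []
    for line in lines:
        ev = parse_snare_line(line)
        if ev is None or ev["event_id"] not in WATCHED_EVENT_IDS:
            continue
        if ev["user"].lower() in watched_users and ev["date"].hour not in BUSINESS_HOURS:
            hits.append((ev["user"], ev["host"], ev["date"].isoformat()))
    return hits


# Constructed sample lines in the assumed layout (a logon at 03:12 on a Sunday,
# a normal 09:05 logon, a service account at 23:40, and a logoff event 538).
SAMPLE = [
    "DC01\tMSWinEventLog\t1\tSecurity\t101\tSun May 21 03:12:45 2006\t528\tSecurity\tjsmith\t...",
    "DC01\tMSWinEventLog\t1\tSecurity\t102\tMon May 22 09:05:10 2006\t528\tSecurity\tjsmith\t...",
    "DC01\tMSWinEventLog\t1\tSecurity\t103\tMon May 22 23:40:01 2006\t540\tSecurity\tsvc_backup\t...",
    "DC01\tMSWinEventLog\t1\tSecurity\t104\tMon May 22 23:41:00 2006\t538\tSecurity\tjsmith\t...",
]

if __name__ == "__main__":
    for hit in off_hours_logons(SAMPLE, {"jsmith"}):
        print("off-hours logon:", hit)
```

Feeding it a real Snare export means adjusting the field indices to the agent's actual layout; the check itself (watched users, logon IDs, time window) stays the same.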
