Security Basics mailing list archives
RE: MS Audit logs
From: Daniel Cid <danielcid () yahoo com br>
Date: Thu, 25 May 2006 14:04:02 -0300 (ART)
Hi Davie, Because you enabled every audit option, you will get a lot of useless and some useful information. You can extract this events using snare to a log server, but you will still have to analyze all the data in there. If you have multiple servers it is going to be hard to do it manually (and snare has no correlation on it).. I would recommend you to try *OSSEC. It has a windows agent that will extract your windows logs and forward them (encrypted) to an analysis server. In your log analysis server, you need install the ossec server to receive this events from windows (or from linux). On the log server, OSSEC will correlate your windows logs, generate alerts, generate responses, etc. More info: http://www.ossec.net Windows agents info: http://www.ossec.net/en/manual.html#windows *ossec is open source and I'm part of its development. hope it helps, -- Daniel B. Cid dcid @ ( at ) ossec.net
-----Original Message----- From: Davie Elliott - Eluse [mailto:delliott () eluse co uk] Sent: Sunday, May 21, 2006 8:27 AM To: security-basics () securityfocus com Subject: MS Audit logs Hi everyone, I'm a bit of a newbie administrator, and I have a quick question about Microsoft windows audit logs. Right now I have ticked every audit option in the main GPO, so I get tons of audit objects to trawl through every week. I was reading somewhere that MS Audit logs cycle or something so after 24 hours I have lost some audit objects. Also, I don't really know what I'm looking for in the audits logs anyway... except for maybe checking if some users accounts have been used when they shouldn't have. Anyways, I was wondering what software would be good for managing the audit logs?... I think I read a blog from an MS employee saying someone should use 3rd party software for managing the audit logs instead of the built-in windows thing. Thanks for your help, Davie.
_______________________________________________________ Abra sua conta no Yahoo! Mail: 1GB de espaço, alertas de e-mail no celular e anti-spam realmente eficaz. http://br.info.mail.yahoo.com/
Current thread:
- MS Audit logs Davie Elliott - Eluse (May 23)
- RE: MS Audit logs dave kleiman (May 23)
- <Possible follow-ups>
- RE: MS Audit logs Sarbjit Singh Gill (May 24)
- RE: MS Audit logs Hayes, Ian (May 24)
- RE: MS Audit logs Nick Vaernhoej (May 25)
- RE: MS Audit logs Daniel Cid (May 29)