Security Basics mailing list archives

RE: MS Audit logs


From: Daniel Cid <danielcid () yahoo com br>
Date: Thu, 25 May 2006 14:04:02 -0300 (ART)

Hi Davie,

Because you enabled every audit option, you will get a lot of useless and some useful information. You can extract these events using Snare to a log server, but you will still have to analyze all the data in there. If you have multiple servers it is going to be hard to do it manually (and Snare has no correlation on it).

I would recommend you try *OSSEC. It has a Windows agent that will extract your Windows logs and forward them (encrypted) to an analysis server. On your log analysis server, you need to install the OSSEC server to receive these events from Windows (or from Linux). On the log server, OSSEC will correlate your Windows logs, generate alerts, generate responses, etc.

More info:
http://www.ossec.net

Windows agents info:
http://www.ossec.net/en/manual.html#windows

*OSSEC is open source and I'm part of its development.

Hope it helps,

--
Daniel B. Cid
dcid @ ( at ) ossec.net


-----Original Message-----
From: Davie Elliott - Eluse
[mailto:delliott () eluse co uk] 
Sent: Sunday, May 21, 2006 8:27 AM
To: security-basics () securityfocus com
Subject: MS Audit logs

Hi everyone,

I'm a bit of a newbie administrator, and I have a quick question about Microsoft Windows audit logs.

Right now I have ticked every audit option in the main GPO, so I get tons of audit objects to trawl through every week. I was reading somewhere that MS audit logs cycle or something, so after 24 hours I have lost some audit objects. Also, I don't really know what I'm looking for in the audit logs anyway... except for maybe checking if some user accounts have been used when they shouldn't have.

Anyways, I was wondering what software would be good for managing the audit logs?... I think I read a blog from an MS employee saying someone should use 3rd party software for managing the audit logs instead of the built-in Windows thing.

Thanks for your help,

Davie.
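The two points the thread makes, that audit events from several hosts have to be gathered on one analysis server before they are useful, and that the one thing Davie knows he wants is to spot accounts used when they shouldn't be, can be shown with a small correlation script. The following is an added example written for this archive page; it is not OSSEC's code, not Snare's, and not something either poster wrote. It assumes a constructed, simplified tab-separated event format (host, timestamp, event id, account, source address) rather than the real Snare or OSSEC wire format; the event IDs 528 (successful logon) and 529 (bad password) are the pre-Vista Windows security log IDs, and the work-hours policy and the `backup_svc` exemption are assumptions made for the example.

```python
"""Toy centralized correlation over Windows audit events from several hosts.

Added example, not code from the thread or from OSSEC. Two checks are shown:
successful logons outside the hours an account should be used, and bursts
of failed logons for one account spread across multiple hosts (something a
per-host event viewer cannot see, because each host only holds its own
share of the failures).
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample events, as if already forwarded from three hosts to the
# log server. Format (assumed for this example): host, time, event id,
# account, source address, separated by tabs.
SAMPLE_EVENTS = """\
dc01\t2006-05-21 09:12:04\t528\tjsmith\t10.0.0.21
dc01\t2006-05-21 02:47:31\t528\tbackup_svc\t10.0.0.5
fs01\t2006-05-21 03:05:12\t528\tjsmith\t10.0.0.77
fs01\t2006-05-21 10:00:01\t529\tadmin\t10.0.0.99
web01\t2006-05-21 10:00:03\t529\tadmin\t10.0.0.99
dc01\t2006-05-21 10:00:05\t529\tadmin\t10.0.0.99
fs01\t2006-05-21 10:00:07\t529\tadmin\t10.0.0.99
"""

LOGON_SUCCESS = 528   # pre-Vista Windows security log: successful logon
LOGON_FAILURE = 529   # pre-Vista Windows security log: unknown user/bad password

# Assumed policy: interactive accounts are expected between 08:00 and 18:00;
# listed service accounts are allowed to log on at any hour.
WORK_HOURS = (time(8, 0), time(18, 0))
ALWAYS_ON_ACCOUNTS = {"backup_svc"}


def parse_events(text):
    """Parse the constructed tab-separated format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, ts, event_id, account, source = line.split("\t")
        events.append({
            "host": host,
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id),
            "account": account,
            "source": source,
        })
    return events


def off_hours_logons(events):
    """Successful logons outside WORK_HOURS by accounts not exempted."""
    start, end = WORK_HOURS
    hits = []
    for ev in events:
        if ev["id"] != LOGON_SUCCESS or ev["account"] in ALWAYS_ON_ACCOUNTS:
            continue
        if not (start <= ev["time"].time() < end):
            hits.append((ev["host"], ev["account"], ev["time"].strftime("%H:%M")))
    return hits


def failed_logon_bursts(events, threshold=3, window_seconds=60):
    """Accounts with >= threshold failures within window_seconds, any host.

    Returns {account: sorted list of hosts involved}. Failures are pooled
    across hosts first, which is the cross-host correlation step.
    """
    by_account = defaultdict(list)
    for ev in events:
        if ev["id"] == LOGON_FAILURE:
            by_account[ev["account"]].append(ev)
    alerts = {}
    for account, fails in by_account.items():
        fails.sort(key=lambda e: e["time"])
        for i in range(len(fails)):
            first = fails[i]["time"]
            window = [f for f in fails[i:]
                      if (f["time"] - first).total_seconds() <= window_seconds]
            if len(window) >= threshold:
                alerts[account] = sorted({f["host"] for f in window})
                break
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for hit in off_hours_logons(evs):
        print("off-hours logon:", hit)
    for account, hosts in failed_logon_bursts(evs).items():
        print("failed-logon burst for %s across hosts: %s" % (account, ", ".join(hosts)))
```

Run as a script, the sample data yields one off-hours logon (jsmith on fs01 at 03:05; the backup service account at 02:47 is exempt) and one burst for `admin` spanning dc01, fs01 and web01, where no single host saw more than two failures. A real deployment would read the forwarded events from the collector rather than an inline string, and the hours policy would come from configuration rather than constants, but the pooling-then-correlating shape is the point of moving the logs off the individual servers.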



