Security Basics mailing list archives

RE: Windows Log

From: "Meredith, Charles (HRD)" <Charles.Meredith () state ma us>
Date: Tue, 24 Jan 2006 11:38:27 -0500

Kind of related...
While researching a similar problem, I found a tool that will help manage the archival of logs (you might want to do 
this). We wanted to keep an archive of audit logs (logon and logoff events) so I found a freeware utility from 
SysInternals called psloglist that will automatically clear and save your audit/security logs. 
http://www.sysinternals.com/Utilities/PsLogList.html
Regards,
Chuck

-----Original Message-----
From: security-basics-return-37793-Chuck.Meredith=hrd.state.ma.us () securityfocus com 
[mailto:security-basics-return-37793-Chuck.Meredith=hrd.state.ma.us () securityfocus com] On Behalf Of List Spam
Sent: Tuesday, January 17, 2006 10:08 AM
To: security-basics () securityfocus com
Subject: Re: Windows Log

There are many types of logins that can be performed in an an AD environment.  Among these are full desktop logins by a 
user (aka interactive login), non-interactive network logins (e.g. mount a share), computer accounts authenticating to 
the domain, etc.

I would venture a guess that you don't want to disallow the ability to log other security events, but want to easily 
find login events of some type (see above) without having to wade through the full set of logged data.  If this is the 
case, you could simply filter the logs to show the event id that is specific to the action you are looking to see.

You could use the built-in "Event Viewer" application for it, EventCombMT (Google it), one of the resource kit log 
dumping utilitities, VBScripts, or just about anything else to export this info.  Some VBScript examples are below:

http://www.microsoft.com/technet/scriptcenter/scripts/logs/eventlog/default.mspx

I dare say that if you're trying to audit security on a box, you don't want to hack up the data collection facility, 
but want to simply get better use from that data.

My two cetns.

On 1/16/06, Rod <rod.rio () gmail com> wrote:

Hi all,

I have a Win2k Server, who is my Domain Controller, and I'd like it to 
log only the LOGON/LOGOFF events. I know that there are a whole class 
of logon/logoff events, but I´d like to log only when a user logon 
into a machine in the domain.

Hope I was clear... thx


--
Rodrigo M. T. Fernandez
Departamento de Ciência da Computação UFRJ Grupo de Respostas a 
Incidentes de Segurança - GRIS UFRJ www.dcc.ufrj.br | 
www.gris.dcc.ufrj.br

----------------------------------------------------------------------
----- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The 
Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity 
Planning, Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------
------


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec 
management education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree customizations including Emergency Management, 
Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Current thread:

RE: Windows Log, (continued)
- RE: Windows Log Ramsdell, Scott (Jan 20)
  - RE: Windows Log dave kleiman (Jan 23)
- RE: Windows Log Nick Duda (Jan 20)
- Re: Windows Log List Spam (Jan 22)
- Re: Windows Log Ryan Cummings (Jan 22)
  - Re: Windows Log Philippe De Ryck (Jan 23)
- RE: Windows Log dave kleiman (Jan 22)
- RE: Windows Log dave kleiman (Jan 22)
- RE: Windows Log Joe Quigley (Jan 22)
- RE: Windows Log Ramsdell, Scott (Jan 24)
- RE: Windows Log Meredith, Charles (HRD) (Jan 24)
  - RE: Windows Log dave kleiman (Jan 26)
- RE: Windows Log Meredith, Charles (HRD) (Jan 26)