Security Basics mailing list archives

RE: MS Audit logs


From: "dave kleiman" <dave () davekleiman com>
Date: Tue, 23 May 2006 15:24:24 -0400

First you will want the logs to auto archive:

Windows Registry Editor Version 5.00

; Application log: 100 MB (0x06400000 bytes), overwrite events older than 30 days (0x00278d00 seconds)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"MaxSize"=dword:06400000
"Retention"=dword:00278d00
"RestrictGuestAccess"=dword:00000001
"AutoBackupLogFiles"=dword:00000001

; Security log: 100 MB, do not overwrite events (0xffffffff), back up and clear the log automatically when full, warn at 90% (0x5a)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"MaxSize"=dword:06400000
"Retention"=dword:ffffffff
"RestrictGuestAccess"=dword:00000001
"AutoBackupLogFiles"=dword:00000001
"WarningLevel"=dword:0000005a

; System log: same settings as the Application log
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
"MaxSize"=dword:06400000
"Retention"=dword:00278d00
"RestrictGuestAccess"=dword:00000001
"AutoBackupLogFiles"=dword:00000001


Then take a look at this for some methods of auditing your audits.


http://www.davekleiman.com/Files/HTCIACyberCrimeSummit_For_CD.zip


Dave




Respectfully,

______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE

http://www.davekleiman.com/about.php
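
Added example, not part of the original post: a small Python checker that parses a .reg fragment like the one above, decodes the dword values into megabytes, days and percent, and flags two things worth catching before importing such a file: a value written as a REG_SZ string where the EventLog service documents a REG_DWORD, and AutoBackupLogFiles=1 on a log whose Retention is not 0xffffffff ("do not overwrite events"), the combination required for archive-when-full. The embedded sample is constructed from the posted fragment, with RestrictGuestAccess deliberately left as a string to exercise the type check.

```python
import re
# Constructed sample based on the posted fragment (RestrictGuestAccess kept as a REG_SZ string).
REG_TEXT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"MaxSize"=dword:06400000
"Retention"=dword:00278d00
"RestrictGuestAccess"="1"
"AutoBackupLogFiles"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"MaxSize"=dword:06400000
"Retention"=dword:ffffffff
"RestrictGuestAccess"="1"
"AutoBackupLogFiles"=dword:00000001
"WarningLevel"=dword:0000005a
"""
DO_NOT_OVERWRITE = 0xFFFFFFFF  # Retention meaning "do not overwrite events (clear log manually)"

def parse_reg(text):
    """Map each [key] to {name: ("dword", int) | ("sz", str)} from .reg syntax."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"([^"]*)")$', line)
            if not m: raise ValueError("unsupported .reg value: " + line)
            name, dword, sz = m.groups()
            keys[current][name] = ("dword", int(dword, 16)) if dword else ("sz", sz)
    return keys

def describe(values):
    """Decode MaxSize (bytes -> MB), Retention (seconds -> days) and WarningLevel (%)."""
    retention = values["Retention"][1]
    return {"max_size_mb": values["MaxSize"][1] / 2**20,
            "retention": "do not overwrite" if retention == DO_NOT_OVERWRITE else f"{retention // 86400} days",
            "warning_level_pct": values.get("WarningLevel", ("dword", None))[1]}

def audit_eventlog(keys):
    """Return one finding per inconsistency; an empty list means the fragment is sound."""
    findings = []
    for path, values in keys.items():
        log = path.rsplit("\\", 1)[-1]
        # These EventLog values are documented as REG_DWORD; a REG_SZ "1" is a type mismatch.
        findings += [f"{log}: {n} is REG_SZ, expected dword" for n, (k, _) in values.items() if k != "dword"]
        # AutoBackupLogFiles=1 only archives a full log when Retention is "do not overwrite".
        if values.get("AutoBackupLogFiles", ("dword", 0))[1] == 1 and values["Retention"][1] != DO_NOT_OVERWRITE:
            findings.append(f"{log}: AutoBackupLogFiles=1 needs Retention=0xffffffff to archive")
    return findings
```

Run against the sample, the Security section decodes cleanly (100 MB, do not overwrite, warn at 90%), while the Application section is flagged because a 30-day Retention will not auto-archive.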
 

   -----Original Message-----
   From: Davie Elliott - Eluse [mailto:delliott () eluse co uk] 
   Sent: Sunday, May 21, 2006 09:27 AM
   To: security-basics () securityfocus com
   Subject: MS Audit logs
   
   Hi everyone,
   
   I'm a bit of a newbie administrator, and I have a quick 
   question about Microsoft Windows audit logs.
   
   Right now I have ticked every audit option in the main GPO, 
   so I get tons of audit objects to trawl through every week.
   I was reading somewhere that MS Audit logs cycle or 
   something so after 24 hours I have lost some audit objects.
   Also, I don't really know what I'm looking for in the audit 
   logs anyway...
   except for maybe checking if some user accounts have been 
   used when they shouldn't have.
   
   Anyways, I was wondering what software would be good for 
   managing the audit logs?... I think I read a blog from an MS 
   employee saying someone should use 3rd party software for 
   managing the audit logs instead of the built-in Windows thing.
   
   Thanks for your help,
   
   Davie.
   
   

