Security Basics mailing list archives
RE: MS Audit logs
From: "dave kleiman" <dave () davekleiman com>
Date: Tue, 23 May 2006 15:24:24 -0400
First you will want the logs to auto archive:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"MaxSize"=dword:06400000
"Retention"=dword:00278d00
"RestrictGuestAccess"="1"
"AutoBackupLogFiles"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"MaxSize"=dword:06400000
"Retention"=dword:ffffffff
"RestrictGuestAccess"="1"
"AutoBackupLogFiles"=dword:00000001
"WarningLevel"=dword:0000005a

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
"MaxSize"=dword:06400000
"Retention"=dword:00278d00
"RestrictGuestAccess"="1"
"AutoBackupLogFiles"=dword:00000001

Then take a look at this for some methods of auditing your audits.
http://www.davekleiman.com/Files/HTCIACyberCrimeSummit_For_CD.zip

Dave

Respectfully,
______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE
http://www.davekleiman.com/about.php

-----Original Message-----
From: Davie Elliott - Eluse [mailto:delliott () eluse co uk]
Sent: Sunday, May 21, 2006 09:27 AM
To: security-basics () securityfocus com
Subject: MS Audit logs

Hi everyone,

I'm a bit of a newbie administrator, and I have a quick question about Microsoft Windows audit logs.

Right now I have ticked every audit option in the main GPO, so I get tons of audit objects to trawl through every week. I was reading somewhere that MS Audit logs cycle or something so after 24 hours I have lost some audit objects.

Also, I don't really know what I'm looking for in the audit logs anyway... except for maybe checking if some user accounts have been used when they shouldn't have.

Anyways, I was wondering what software would be good for managing the audit logs?... I think I read a blog from an MS employee saying someone should use 3rd party software for managing the audit logs instead of the built-in Windows thing.

Thanks for your help,
Davie.
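
The registry values in the reply above, decoded into units and checked for drift against a host's exported settings. This is an added example, not part of the original post: the sample export is constructed, the function names are hypothetical, and the unit interpretations (MaxSize in bytes, Retention in seconds, WarningLevel as a percentage of the log size) are taken from Microsoft's Event Log documentation, not from the message.

```python
import re

PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\eventlog\\"
# Baseline values exactly as posted in the message above.
COMMON = {"MaxSize": 0x06400000, "RestrictGuestAccess": "1", "AutoBackupLogFiles": 1}
BASELINE = {
    "Application": {**COMMON, "Retention": 0x00278D00},
    "Security": {**COMMON, "Retention": 0xFFFFFFFF, "WarningLevel": 0x5A},
    "System": {**COMMON, "Retention": 0x00278D00},
}
# Constructed sample: one host's export where the Security log has drifted.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security]
"MaxSize"=dword:01000000
"Retention"=dword:00093a80
"RestrictGuestAccess"="1"
"AutoBackupLogFiles"=dword:00000001
"""

def parse_reg(text):
    """Parse .reg export text into {log name: {value name: int or str}}."""
    logs, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry key names are case-insensitive
            current = logs.setdefault(key[len(PREFIX):].capitalize(), {}) if key.startswith(PREFIX) else None
            continue
        m = re.match(r'"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$', line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16) if m.group(2) else m.group(3)
    return logs

def describe(name, value):
    """Render a raw value in the units the Event Log service uses."""
    if not isinstance(value, int):
        return repr(value)
    if name == "MaxSize":
        return f"{value // 2**20} MiB"  # stored in bytes
    if name == "Retention":  # stored in seconds; 0xffffffff means never overwrite
        return "never overwrite" if value == 0xFFFFFFFF else f"{value // 86400} days"
    if name == "WarningLevel":
        return f"warn at {value}% full"
    return str(value)

def drift(export_text):
    """List (log, value, expected, actual) for each baseline value that differs or is missing."""
    actual = parse_reg(export_text)
    return [(log, name, describe(name, want), describe(name, have) if have is not None else None)
            for log, wanted in BASELINE.items()
            for name, want in wanted.items()
            for have in [actual.get(log, {}).get(name)] if have != want]

if __name__ == "__main__":
    for row in drift(SAMPLE_EXPORT):
        print(*row, sep=" | ")
```

Files written by regedit are UTF-16, so decode them before passing the text to drift().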