RE: MS Audit logs
First you will want the logs to auto archive:

Windows Registry Editor Version 5.00

; MaxSize 0x06400000 = 100 MB; Retention 0x00278d00 = 2,592,000 seconds = 30 days.
; RestrictGuestAccess is a REG_DWORD; 1 blocks anonymous/guest reads of the log.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"MaxSize"=dword:06400000
"Retention"=dword:00278d00
"RestrictGuestAccess"=dword:00000001
"AutoBackupLogFiles"=dword:00000001

; Retention ffffffff = never overwrite (archive and clear instead);
; WarningLevel 0x5a = 90, i.e. log an event when the log is 90% full.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"MaxSize"=dword:06400000
"Retention"=dword:ffffffff
"RestrictGuestAccess"=dword:00000001
"AutoBackupLogFiles"=dword:00000001
"WarningLevel"=dword:0000005a

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
"MaxSize"=dword:06400000
"Retention"=dword:00278d00
"RestrictGuestAccess"=dword:00000001
"AutoBackupLogFiles"=dword:00000001


Then take a look at this for some methods of auditing your audits.


http://www.davekleiman.com/Files/HTCIACyberCrimeSummit_For_CD.zip


Dave
Respectfully,

______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE

http://www.davekleiman.com/about.php
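The following PowerShell check is an added example, not part of Dave's post or of any tool he links to: it reads back the three EventLog keys from the .reg fragment above, decodes the DWORD values into plain language and flags any log whose size, retention, auto-archive or guest-access setting differs from the intended state (the intended values are assumed from that fragment; adjust them to your own policy).

```powershell
# Added example (not from the original post): verify the EventLog registry
# settings rather than trusting that the .reg import took effect. Read-only;
# run from an elevated prompt.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

# Intended state, assumed from the .reg fragment above.
# MaxSize 0x06400000 = 104857600 bytes (100 MB)
# Retention 0x00278d00 = 2592000 seconds (30 days); 0xffffffff = never overwrite
$desired = @{
    Application = @{ MaxSize = 104857600; Retention = 2592000 }
    Security    = @{ MaxSize = 104857600; Retention = [uint32]::MaxValue }
    System      = @{ MaxSize = 104857600; Retention = 2592000 }
}

# Get-ItemProperty returns REG_DWORD as signed Int32, so 0xffffffff reads as -1.
# Reinterpret the same 32 bits as unsigned before comparing.
function ConvertTo-UInt32([int32]$v) {
    [BitConverter]::ToUInt32([BitConverter]::GetBytes($v), 0)
}

function Get-RetentionText([uint32]$r) {
    switch ($r) {
        0                    { 'overwrite as needed' }
        ([uint32]::MaxValue) { 'never overwrite (clear manually)' }
        default              { 'overwrite events older than {0:N1} days' -f ($r / 86400) }
    }
}

foreach ($log in $desired.Keys) {
    $p = Get-ItemProperty -Path (Join-Path $base $log) -ErrorAction SilentlyContinue
    if (-not $p) { Write-Warning "$log`: registry key not found"; continue }

    $max   = ConvertTo-UInt32 ([int32]($p.MaxSize))
    $ret   = ConvertTo-UInt32 ([int32]($p.Retention))
    $auto  = [int]$p.AutoBackupLogFiles -eq 1    # archive-on-full enabled?
    $guest = [int]$p.RestrictGuestAccess -eq 1   # anonymous/guest reads blocked?
    $ok    = ($max -eq $desired[$log].MaxSize) -and
             ($ret -eq $desired[$log].Retention) -and $auto -and $guest

    '{0,-12} {1,4} MB  {2,-42} auto-archive={3}  guest-restricted={4}  ok={5}' -f
        $log, [math]::Round($max / 1MB), (Get-RetentionText $ret), $auto, $guest, $ok
}
```

Any line reporting ok=False is a log that will silently wrap (losing events) or that is readable by unauthenticated users, so fix it before relying on the archive for investigations.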


-----Original Message-----
From: Davie Elliott - Eluse [mailto:delliott@xxxxxxxxxxx]
Sent: Sunday, May 21, 2006 09:27 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: MS Audit logs

Hi everyone,

I'm a bit of a newbie administrator, and I have a quick
question about Microsoft windows audit logs.

Right now I have ticked every audit option in the main GPO,
so I get tons of audit objects to trawl through every week.
I was reading somewhere that MS Audit logs cycle or
something so after 24 hours I have lost some audit objects.
Also, I don't really know what I'm looking for in the audit
logs anyway...
except for maybe checking if some user accounts have been
used when they shouldn't have.

Anyways, I was wondering what software would be good for
managing the audit logs?... I think I read a blog from an MS
employee saying someone should use 3rd party software for
managing the audit logs instead of the built-in windows thing.

Thanks for your help,

Davie.
