RE: MS Audit logs



-----Original Message-----
From: Davie Elliott - Eluse [mailto:delliott@xxxxxxxxxxx]
Sent: Sunday, May 21, 2006 6:27 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: MS Audit logs

Hi everyone,

I'm a bit of a newbie administrator, and I have a quick question about
Microsoft windows audit logs.

Right now I have ticked every audit option in the main GPO, so I get
tons of audit objects to trawl through every week.
I was reading somewhere that MS Audit logs cycle or something so after
24 hours I have lost some audit objects.

Actually the logs will cycle depending on how you have the Security log
set up. They won't cycle after 24 hours if you make the logfile large
enough so that it can hold more than 24 hours of data. Additionally, you
can set up the log to overwrite the oldest entries as needed (sounds
like you're set up like this already), or to only overwrite entries
older than X days.

You can also configure it so that the server will halt if it can't write
to the Security log - look up CrashOnAuditFail on Google.

Also, I don't really know what I'm looking for in the audit logs
anyway... except for maybe checking if some user accounts have been
used when they shouldn't have.

Anyways, I was wondering what software would be good for managing the
audit logs?... I think I read a blog from an MS employee saying
someone should use 3rd party software for managing the audit logs
instead of the built-in windows thing.

We use an app that grabs the event entries as they're written and sends
them via syslog to a Linux system and use Splunk to aggregate and
analyze them.

--
Ian Hayes | Senior Systems Engineer
Wynn Las Vegas
3131 South Las Vegas Blvd, Las Vegas, NV 89109
Ph (702) 770-3252 | Cell (702) 266-6002
Ian.hayes@xxxxxxxxxxxxxxxx
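Added example, not code from either poster: a PowerShell check for the Security log settings Ian describes (maximum size, overwrite policy, retention days, CrashOnAuditFail) that also measures how many hours of events the log currently holds. It assumes an elevated Windows PowerShell session on the server being audited; the $MinimumHours threshold is an assumed value, not one from the thread.

```powershell
# Added example: inspect Security log retention on the local machine.
# $MinimumHours is an assumed threshold (the thread mentions losing data after 24 hours).
$MinimumHours = 24

# Classic retention settings: size, overflow policy, and minimum retention in days.
$secLog = Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }
"Maximum size     : {0} KB" -f $secLog.MaximumKilobytes
"Overflow action  : {0}"    -f $secLog.OverflowAction      # OverwriteAsNeeded / OverwriteOlder / DoNotOverwrite
"Retention (days) : {0}"    -f $secLog.MinimumRetentionDays

# How far back does the log actually reach right now?
$oldest    = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$newest    = Get-WinEvent -LogName Security -MaxEvents 1
$hoursHeld = ($newest.TimeCreated - $oldest.TimeCreated).TotalHours
$records   = (Get-WinEvent -ListLog Security).RecordCount
"Log currently spans {0:N1} hours ({1} records)" -f $hoursHeld, $records

# CrashOnAuditFail lives under the LSA key; 1 = halt when the log cannot be written,
# 2 = a halt already happened and only administrators may log on until it is reset.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaPath -Name CrashOnAuditFail -ErrorAction SilentlyContinue
switch ($lsa.CrashOnAuditFail) {
    1       { 'CrashOnAuditFail = 1: system halts if the Security log cannot be written' }
    2       { 'CrashOnAuditFail = 2: a halt has occurred; only administrators can log on until reset' }
    default { 'CrashOnAuditFail = 0 or unset: audit failures do not halt the system' }
}

# Flag the situation the original poster describes: the log wraps inside a day.
if ($hoursHeld -lt $MinimumHours -and $secLog.OverflowAction -eq 'OverwriteAsNeeded') {
    Write-Warning ("Security log wraps in under {0} hours; enlarge it, for example:" -f $MinimumHours)
    Write-Warning "  Limit-EventLog -LogName Security -MaximumSize 512MB -OverflowAction OverwriteAsNeeded"
}
```

The Limit-EventLog line is printed rather than run so the script only reports; apply it (or the equivalent GPO setting) once the size fits the retention you need.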


