RE: MS Audit logs



Hi Davie,

Because you enabled every audit option, you will
get a lot of useless and some useful information. You
can extract these events using snare to a log server,
but you will still have to analyze all the data in
there. If you have multiple servers it is going to be
hard to do it manually (and snare has no correlation
on it).

I would recommend you try *OSSEC. It has a Windows
agent that will extract your Windows logs and forward
them (encrypted) to an analysis server. On your
log analysis server, you need to install the OSSEC server
to receive these events from Windows (or from Linux).
On the log server, OSSEC will correlate your Windows
logs, generate alerts, generate responses, etc.

More info:
http://www.ossec.net

Windows agents info:
http://www.ossec.net/en/manual.html#windows

*OSSEC is open source and I'm part of its development.

Hope it helps,

--
Daniel B. Cid
dcid @ ( at ) ossec.net
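To make the "correlate your Windows logs, generate alerts" step concrete, here is an added example (not part of the original reply and not OSSEC code) of two simple correlation rules a log server could run once agents have forwarded events: successful logons outside business hours (the check Davie asked about) and a burst of failed logons followed by a success. The event format, the business-hours range, the thresholds, and the sample events are all constructed assumptions; event IDs 528 (successful logon) and 529 (failed logon) are the Windows 2000/2003 Security log values.

```python
# Added example: toy correlation pass over forwarded Windows Security audit events.
# Not OSSEC code; the CSV-like event format and all sample data are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample events: "date time,event_id,user,source" (assumed format)
SAMPLE_EVENTS = """\
2006-05-21 09:12:00,528,alice,WS01
2006-05-21 02:40:11,528,bob,WS07
2006-05-21 10:01:30,529,carol,WS02
2006-05-21 10:01:32,529,carol,WS02
2006-05-21 10:01:35,529,carol,WS02
2006-05-21 10:01:38,529,carol,WS02
2006-05-21 10:01:41,529,carol,WS02
2006-05-21 10:02:00,528,carol,WS02
"""

# Windows 2000/2003 Security log IDs: 528 = successful logon, 529 = failed logon
LOGON_OK, LOGON_FAIL = 528, 529
BUSINESS_HOURS = range(8, 19)          # 08:00-18:59, an assumed policy
FAIL_THRESHOLD, FAIL_WINDOW_SEC = 5, 60  # assumed rule tuning

def parse_events(text):
    """Turn the constructed event lines into (timestamp, event_id, user, source) tuples."""
    events = []
    for line in text.splitlines():
        ts, eid, user, src = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), user, src))
    return events

def off_hours_logons(events):
    """Rule 1: successful logons whose hour falls outside BUSINESS_HOURS."""
    return [(ts.isoformat(), user, src) for ts, eid, user, src in events
            if eid == LOGON_OK and ts.hour not in BUSINESS_HOURS]

def brute_force_then_success(events):
    """Rule 2: at least FAIL_THRESHOLD failures within FAIL_WINDOW_SEC, then a success."""
    fails = defaultdict(list)  # user -> timestamps of recent failures
    alerts = []
    for ts, eid, user, src in sorted(events):
        if eid == LOGON_FAIL:
            # keep only failures still inside the sliding window, then add this one
            fails[user] = [t for t in fails[user]
                           if (ts - t).total_seconds() <= FAIL_WINDOW_SEC] + [ts]
        elif eid == LOGON_OK and len(fails[user]) >= FAIL_THRESHOLD:
            alerts.append((user, src, len(fails[user])))
            fails[user].clear()
    return alerts

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("off-hours logons:", off_hours_logons(evs))
    print("failures then success:", brute_force_then_success(evs))
```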


-----Original Message-----
From: Davie Elliott - Eluse
[mailto:delliott@xxxxxxxxxxx]
Sent: Sunday, May 21, 2006 8:27 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: MS Audit logs

Hi everyone,

I'm a bit of a newbie administrator, and I have a quick question about
Microsoft Windows audit logs.

Right now I have ticked every audit option in the main GPO, so I get tons of
audit objects to trawl through every week. I was reading somewhere that MS
audit logs cycle or something, so after 24 hours I have lost some audit
objects. Also, I don't really know what I'm looking for in the audit logs
anyway... except for maybe checking if some user accounts have been used when
they shouldn't have.

Anyway, I was wondering what software would be good for managing the audit
logs? I think I read a blog from an MS employee saying someone should use
3rd party software for managing the audit logs instead of the built-in
Windows thing.

Thanks for your help,

Davie.





