
RE: MS Audit logs

Subject: RE: MS Audit logs
Date: Thu, 25 May 2006 14:04:02 -0300 (ART)
Hi Davie,

Because you enabled every audit option, you will
get a lot of useless and some useful information. You
can extract these events using snare to a log server,
but you will still have to analyze all the data in
there. If you have multiple servers it is going to be
hard to do it manually (and snare has no correlation
on it).

I would recommend you try *OSSEC. It has a Windows
agent that will extract your Windows logs and forward
them (encrypted) to an analysis server. On your
log analysis server, you need to install the OSSEC server
to receive these events from Windows (or from Linux).
On the log server, OSSEC will correlate your Windows
logs, generate alerts, generate responses, etc.

More info:
http://www.ossec.net

Windows agents info:
http://www.ossec.net/en/manual.html#windows

*OSSEC is open source and I'm part of its development.

Hope it helps,

--
Daniel B. Cid
dcid @ ( at ) ossec.net


-----Original Message-----
From: Davie Elliott - Eluse
[mailto:delliott@eluse.co.uk] 
Sent: Sunday, May 21, 2006 8:27 AM
To: security-basics@securityfocus.com
Subject: MS Audit logs

Hi everyone,

I'm a bit of a newbie administrator, and I have a quick question about
Microsoft Windows audit logs.

Right now I have ticked every audit option in the main GPO, so I get
tons of audit objects to trawl through every week.
I was reading somewhere that MS audit logs cycle or something, so after
24 hours I have lost some audit objects.
Also, I don't really know what I'm looking for in the audit logs
anyway... except for maybe checking if some user accounts have been used
when they shouldn't have.

Anyways, I was wondering what software would be good for managing the
audit logs?... I think I read a blog from an MS employee saying someone
should use 3rd party software for managing the audit logs instead of the
built-in Windows thing.

Thanks for your help,

Davie.
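The one concrete thing Davie says he wants from the logs, spotting accounts used when they should not be, is the kind of rule a central log server applies once the events have been forwarded off the Windows hosts. The script below is an added illustration, not OSSEC's own rule syntax or code from this thread: it checks a few constructed Windows logon records (event IDs 528/540 successful logon, 529 failed logon) against an assumed per-account allowed-hours window; the one-line export format and the account names are assumptions.

```python
from datetime import datetime

# Constructed sample events, roughly in the shape of a Windows 2003-era
# security audit record exported one per line (format is an assumption):
# date time host event_id status account source_ip
SAMPLE_EVENTS = """\
2006-05-20 09:12:41 SRV01 528 Success jsmith 10.0.0.15
2006-05-20 23:47:03 SRV01 528 Success jsmith 10.0.0.99
2006-05-21 03:15:22 FILE02 528 Success svc_backup 10.0.0.5
2006-05-21 02:05:10 SRV01 540 Success jsmith 10.0.0.99
2006-05-21 11:30:00 SRV01 529 Failure guest 10.0.0.7
"""

# Allowed logon hours per account, local time, as [start, end) hours
# (assumed policy). Accounts not listed fall back to DEFAULT_HOURS.
ALLOWED_HOURS = {
    "svc_backup": (0, 24),  # backup service account may log on at any hour
}
DEFAULT_HOURS = (8, 18)  # interactive users: 08:00 to 18:00

# Successful logon event IDs on Windows 2000/2003 (528 interactive, 540 network).
LOGON_EVENT_IDS = {"528", "540"}

def parse_event(line):
    """Split one exported record into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, host, event_id, status, account, source_ip = parts
    when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return {"when": when, "host": host, "event_id": event_id,
            "status": status, "account": account, "source_ip": source_ip}

def find_off_hours_logons(text, allowed=ALLOWED_HOURS, default=DEFAULT_HOURS):
    """Return (account, host, timestamp, source_ip) for each successful logon
    that falls outside the account's allowed window; failures are ignored."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["status"] != "Success" or ev["event_id"] not in LOGON_EVENT_IDS:
            continue
        start, end = allowed.get(ev["account"], default)
        if not (start <= ev["when"].hour < end):
            hits.append((ev["account"], ev["host"], ev["when"].isoformat(sep=" "), ev["source_ip"]))
    return hits

if __name__ == "__main__":
    for hit in find_off_hours_logons(SAMPLE_EVENTS):
        print("off-hours logon:", *hit)
```

Run against the sample, only the two late-night jsmith logons are reported; the service account and the failed guest attempt are not.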


                
_______________________________________________________ 
Abra sua conta no Yahoo! Mail: 1GB de espaço, alertas de e-mail no celular e 
anti-spam realmente eficaz. 
http://br.info.mail.yahoo.com/

<Prev in Thread] Current Thread [Next in Thread>