Durf:
He needs a better definition of the need.  You say I am wrong and then
go on to speak of defined needs with legislation mentioned.  I totally
agree (didn't I just say that)?  The windows event log alone won't do
it.  If you go over 300MB on a 2003 server you will have performance
issues.  You then go on to mention GFI which is a product designed
to do this.  Okay.

To the OP:
If you do decide to use the built in security log, please make sure
you run down the event log size limitations.  Also understand that
there is a chance of losing audit data.  If that's important - then
you must offload the audit logging.  Oh dang there is that "define the
needs" thing again.  By all means use it if it works for you, it does
for us.

More on event log limitation:
http://technet.microsoft.com/en-us/library/cc778402.aspx
http://techrepublic.com.com/5208-7343-0.html?forumID=101&threadID=256498
http://redmondmag.com/columns/article.asp?EditorialsID=743

I hope this helps you in your choices, that's what this list is all about.

-Devin

On Wed, Jan 7, 2009 at 11:54 AM, Durf <stygm...@gmail.com> wrote:
> We aren't partially right - we are entirely right.
> The whole point of GFI EventSentry is to *gather the events from Windows and
> store them in SQL*.  So I can safely disregard your whole first paragraph as
> frankly ignorant of the possibilities.
> If you have any clients who have compliance needs, such as the recent
> Massachusetts data privacy regulations, or basically any HIPAA, SARBOX, etc
> kind of requirements, this is the product that will accomplish these needs.
>
> Using the Windows Event Log properly and auditing for Security Events, you
> can tell who  made any modifications to accounts, password changes, security
> priv elevations...and so forth.
> There are several products that can accomplish this - I don't want to
> evangelize GFI; they are just the product I am familiar with.  I'm not a
> reseller or GFI employee.  However, the fact is IT CAN DO WHAT THE OP
> REQUESTED, in combination with other products and techniques.
> Please, you all, stop saying different unless you have actual knowledge to
> the contrary.  There are a lot of reasons why the OP *should* not do such a
> thing.  But they *can* if they need to.
> -- Durf
> On Wed, Jan 7, 2009 at 12:07 PM, Devin Meade <devin.me...@gmail.com> wrote:
>>
>> Okay guys I suppose you are partially right.  The need was stated to
>> carte blanche audit everything.  The built in windows audit *has a
>> limit*.  It can be overwritten when full.  You can lose events.  That
>> doesn't fill this need.  The need needs to be clarified -- maybe
>> "audit file changes on X drive over the last Y days".
>>
>> If you need to audit everything there is a chance that using windows
>> security log won't meet that need.  That's all I was getting at.  Our
>> file shares have auditing for file changes and we overwrite events as
>> needed.  I have used eventcomb to mine our audit entries and it works
>> for our need.  Again, the need must be defined.  On one box, we do
>> get only about a week's worth of audit entries then they are
>> overwritten.  That meets our need and our owners understand this.
>>
>> I deal with these off-the-cuff requests all the time.  The request is
>> made - I deliver the cost.  The request is re-defined.  I answer with
>> a different cost.  Reminds me of building our house.  Start out at
>> 4500sq ft and then see the cost, then start cutting back.
>>
>> Devin
>>
>>
>> On Wed, Jan 7, 2009 at 10:47 AM, David Lum <david....@nwea.org> wrote:
>> > Log files don't need to be big if you know what you're looking for. It
>> > goes back to the "I *can* audit everything, but what are you looking
>> > for"? I, for example, have monitoring software and I look for application
>> > installs on all PC's for a 50-user company by simply having it look for
>> > Event ID 11707 in the Application log of each PC. Log files are set to
>> > their normal size (16MB), and whatever meets the criteria I get an e-mail
>> > about, I don't have to search a log for anything.
>> >
>> > If you know what you're looking for, you can be proactive and never have
>> > to manually dig through log files. As Durf says, log files will take care
>> > of the needs, but knowing what you're looking for saves a LOT of time.
>> >
>> > Durf is right, you can accomplish this with auditing settings and an
>> > application that can read logs.
>> > David Lum // SYSTEMS ENGINEER
>> > NORTHWEST EVALUATION ASSOCIATION
>> > (Desk) 971.222.1025 // (Cell) 503.267.9764
>> > -----Original Message-----
>> > From: Devin Meade [mailto:devin.me...@gmail.com]
>> > Sent: Wednesday, January 07, 2009 8:32 AM
>> > To: NT System Admin Issues
>> > Subject: Re: Auditing Everything
>> >
>> > Watch out setting the server's event log bigger than 300MB.  Check this
>> > out:
>> >
>> > http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Admin/MaximumsizeforEventlogs.html
>> >
>> > You are gonna have to use something other than windoze file auditing
>> > due to this limit.  Something designed for $$ this $$ need $$.  Like I
>> > see in other posts, you will need multiple tools.  We use MS ISA's
>> > logging for web surfing history - it works well if setup right.
>> >
>> > Something tells me he wants it at no cost.
>> >
>> > hth, Devin
>> >
>> > On Wed, Jan 7, 2009 at 9:31 AM, Michael B. Smith
>> > <mich...@theessentialexchange.com> wrote:
>> >> Is he a control freak, or what?
>> >>
>> >> ISA can give you web auditing. For the rest, you'll need a third party
>> >> application. (And you can also go third-party for web auditing – WebSense
>> >> is probably the most popular.)
>> >>
>> >> Personally, I'm fond of NetPro's ChangeAuditor (they were recently
>> >> acquired by Quest). NetWrix also has a suite of tools for this that is
>> >> installed at one of my clients.
>> >>
>> >> To audit EVERYTHING, you may find it necessary to add a server that does
>> >> nothing but process audit records. The volume is quite large, even in a
>> >> small network.
>> >>
>> >> Regards,
>> >>
>> >> Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
>> >>
>> >> My blog: http://TheEssentialExchange.com/blogs/michael
>> >>
>> >> I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php
>> >>
>> >> From: Alex Carroll [mailto:acarr...@crabco.net]
>> >> Sent: Wednesday, January 07, 2009 10:25 AM
>> >> To: NT System Admin Issues
>> >> Subject: Auditing Everything
>> >>
>> >> I have a request from my CEO to audit everything that happens on our
>> >> network.  When users open files, when they change files, delete files,
>> >> use any programs, go to any websites (we use ie7, firefox), etc etc etc.
>> >> Do any of you have a good solution you can recommend for that?  I can
>> >> google all I want, but I won't know the real world experience by doing
>> >> that.  We are a smaller company – 16 users.  Right now we have 3 servers
>> >> (1 SBS 03, 2 that are 2003) in production.  We use XP and Vista.
>> >>
>> >> Thanks in advance!
>> >>
>> >> Alex Carroll
>> >> Software Support
>> >> Crabtree Companies, Inc.
>> >> 651-688-2727
>> >>
>> >
>> > --
>> > Devin
>> >
>> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>
>> --
>> Devin
>
> --
> --------------
> Give a man a fish, and he'll eat for a day.
> Give a fish a man, and he'll eat for weeks!

-- 
Devin
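As an added example (my own, not from anyone in this thread), here is a PowerShell check that surfaces the two things argued over above: whether the Security log is configured past the 300MB figure Devin cites and whether its retention mode can silently drop audit events, plus David's "know what you're looking for" approach using Event ID 11707 from the Application log. It assumes a Windows host with Get-WinEvent (Vista/2008 or later, not the 2003 boxes in the OP's question) and rights to read the Security log; the 300MB threshold is simply the number quoted in the thread.

```powershell
# Added example, not part of the original thread.
# Assumes Get-WinEvent is available and the caller can read the Security log.
$maxSafeMB = 300   # the server-side limit Devin quoted; treat it as a thread-supplied assumption

function Get-AuditLogRisk {
    param([string]$LogName = 'Security')
    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    $sizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    $findings = @()
    if ($sizeMB -gt $maxSafeMB) {
        $findings += "Configured max size ${sizeMB}MB exceeds ${maxSafeMB}MB; very large logs were a known performance problem on 2003-era servers"
    }
    # LogMode decides what happens when the log fills: this is where audit data gets lost
    switch ($log.LogMode) {
        'Circular'   { $findings += "LogMode is Circular: oldest events are overwritten when full, so audit data is lost unless it is offloaded first" }
        'AutoBackup' { $findings += "LogMode is AutoBackup: full logs are archived to disk; something must collect those archives" }
        'Retain'     { $findings += "LogMode is Retain: when the log fills, new events are dropped until it is cleared" }
    }
    # The oldest record still present shows the effective retention window (Devin's "about a week's worth")
    $oldest = Get-WinEvent -LogName $LogName -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LogName      = $log.LogName
        MaxSizeMB    = $sizeMB
        LogMode      = $log.LogMode
        RecordCount  = $log.RecordCount
        OldestRecord = if ($oldest) { $oldest.TimeCreated } else { $null }
        Findings     = $findings
    }
}

function Get-RecentInstalls {
    # Event ID 11707 from the MsiInstaller provider is "Installation completed successfully"
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 11707
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; that just means no installs
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, @{ n = 'Message'; e = { $_.Message.Trim() } }
}

Get-AuditLogRisk -LogName 'Security' | Format-List
Get-RecentInstalls -Days 7 | Format-Table -AutoSize
```

Run it from an elevated prompt; an empty Findings list means the log is sized under the quoted threshold and nothing about its mode needs explaining to whoever asked for "audit everything".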