I think you need to be firing up the trial version of SCOM and getting 60
days of heavy usage out of it, then use the (hopefully good!) results as a
carrot to entice the purse-masters with....

On 28 July 2010 20:38, Ziots, Edward <ezi...@lifespan.org> wrote:

>  Naa, it's far harder than that. I think someone said we can dump the event
> logs via PowerShell, but I'm using EventCombMT when I need to get something,
> which I hope still works. Either that or I am going to have to bug MGMT again
> about a dedicated event log management tool.
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Network Engineer
>
> Lifespan Organization
>
> Email: ezi...@lifespan.org
>
> Cell: 401-639-3505
>
>
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Wednesday, July 28, 2010 3:36 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Auditing in Windows 2008 and R2 what are folks doing?
>
>
>
> Tough gig then. Looks like you're going to be doing a lot of creative stuff
> with *dumpel.exe* and the *findstr* command :-)
>
> On 28 July 2010 13:06, Ziots, Edward <ezi...@lifespan.org> wrote:
>
> I don't have SCOM. I wish I had some event log auditing solution; I've been
> asking for 5+ yrs, and all it ever falls on is deaf ears....
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Network Engineer
>
> Lifespan Organization
>
> Email: ezi...@lifespan.org
>
> Cell: 401-639-3505
>
>
>
> *From:* Malcolm Reitz [mailto:malcolm.re...@live.com]
> *Sent:* Tuesday, July 27, 2010 6:29 PM
>
>
> *To:* NT System Admin Issues
>
> *Subject:* RE: Auditing in Windows 2008 and R2 what are folks doing?
>
>
>
> Have you looked into using the Audit Collection Services piece of SCOM? I
> think ACS could be valuable for security event reporting and forensics use.
>
>
>
> -Malcolm
>
>
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Tuesday, July 27, 2010 15:41
> *To:* NT System Admin Issues
> *Subject:* Re: Auditing in Windows 2008 and R2 what are folks doing?
>
>
>
> I'm mainly interested in account lockouts, logons attempted under things
> like built-in administrator accounts, high numbers of logon failures, and
> any attempts to modify security policies and/or protected groups (such as
> local admins, domain admins, server ops, and the like). We've also got
> certain areas where file access is audited.
>
> I use SCOM to try and aggregate the events for me. This is quite handy, as
> it also monitors things like failed su to root on our ESX servers and other
> stuff outside of the Windows event logging arena.
>
> On 27 July 2010 20:15, Ziots, Edward <ezi...@lifespan.org> wrote:
>
> Hey gang, well, I wanted to ask the group: what is everyone doing about
> their audit policies on Windows 2008 R2 for domain controllers or member
> servers?
>
>
>
> I have mapped out all the audit categories, subcategories, and events,
> but I don't want the logs to turn into soup, so I kinda wanted to see what
> others were doing: which categories and subcategories they turned on
> auditing for. It would be nice to bounce some ideas around about certain
> events. (Already plowed through M$ site descriptions, the Microsoft Security
> Resource Kit and Randy Franklin Smith's Eventlog site.)
>
>
>
> Feel free to post here, or if you like, catch me offline; I'd love to hear the
> feedback. After this it's on to firewall rules accordingly for the servers
> and either scripting or GPOing that out for a baseline.
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
> CISSP, Network +, Security +
>
> Network Engineer
>
> Lifespan Organization
>
> Email: ezi...@lifespan.org
>
> Cell: 401-639-3505
>
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."
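An added example, not code from this thread or from SCOM/ACS: in the spirit of Edward's "dump the event logs via PowerShell" idea, this script pulls from the Security log exactly the classes of event James lists (lockouts, failed logons including against the built-in Administrator account, audit-policy changes, additions to groups such as Domain Admins or local Administrators) and summarises them per server. The event IDs are the standard Windows Server 2008/R2 Security log IDs; the server names, lookback window, failure threshold and script file name are placeholders to adjust.

```powershell
# Added example (not from the thread or from SCOM/ACS): summarise the Security-log
# events this thread cares about from one or more Windows Server 2008/R2 hosts.
# Assumptions: PowerShell 2.0+, rights to read the remote Security log, and the
# relevant audit subcategories enabled (check with: auditpol /get /category:*).
param(
    [string[]]$ComputerName = @('localhost'),   # placeholder: servers to query
    [int]$Hours = 24,                           # placeholder: lookback window
    [int]$FailureThreshold = 10                 # placeholder: what counts as "high"
)

# Standard Windows Server 2008/R2 Security log event IDs.
$EventIds = @{
    4625 = 'Logon failure'
    4740 = 'Account locked out'
    4719 = 'System audit policy changed'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
}

# Read one named value (e.g. TargetUserName) out of an event's EventData XML.
function Get-EventField($Event, [string]$Name) {
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' }
}

# Uniform output record so results from every server can be sorted/exported together.
function New-Finding($Computer, $Finding, $Account, $Count, $Detail) {
    New-Object PSObject -Property @{
        Computer = $Computer; Finding = $Finding; Account = $Account
        Count = $Count; Detail = $Detail
    } | Select-Object Computer, Finding, Account, Count, Detail
}

$Since = (Get-Date).AddHours(-$Hours)

foreach ($Computer in $ComputerName) {
    $Filter = @{ LogName = 'Security'; Id = [int[]]$EventIds.Keys; StartTime = $Since }
    try {
        $Events = @(Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter -ErrorAction Stop)
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as "no events", not a failure.
        if ($_.Exception.Message -like 'No events were found*') { $Events = @() }
        else { Write-Warning "$Computer : $($_.Exception.Message)"; continue }
    }

    # 1. Failed logons (4625) per target account, with source addresses. Accounts at or
    #    above the threshold and the built-in Administrator name are called out
    #    (use the renamed name if your environment renames that account).
    $Events | Where-Object { $_.Id -eq 4625 } |
        Group-Object { Get-EventField $_ 'TargetUserName' } | ForEach-Object {
            $label = 'Logon failures'
            if ($_.Count -ge $FailureThreshold) { $label = 'HIGH logon-failure count' }
            if ($_.Name -eq 'Administrator')    { $label += ' (built-in Administrator)' }
            $sources = ($_.Group | ForEach-Object { Get-EventField $_ 'IpAddress' } |
                        Sort-Object -Unique) -join ', '
            New-Finding $Computer $label $_.Name $_.Count "from $sources"
        }

    # 2. Lockouts (4740): TargetUserName is the locked account, TargetDomainName the
    #    caller computer that presented the bad credentials.
    $Events | Where-Object { $_.Id -eq 4740 } | ForEach-Object {
        New-Finding $Computer $EventIds[4740] (Get-EventField $_ 'TargetUserName') 1 `
            ('caller computer ' + (Get-EventField $_ 'TargetDomainName'))
    }

    # 3. Audit-policy changes (4719) and additions to groups (4728/4732/4756): who did it,
    #    which group, and which member. Filter Detail on Domain Admins, Administrators,
    #    Server Operators etc. to watch only the protected groups.
    $Events | Where-Object { @(4719, 4728, 4732, 4756) -contains $_.Id } | ForEach-Object {
        $who    = Get-EventField $_ 'SubjectUserName'
        $group  = Get-EventField $_ 'TargetUserName'   # group name; absent for 4719
        $member = Get-EventField $_ 'MemberName'       # DN of the added account; absent for 4719
        New-Finding $Computer $EventIds[$_.Id] $who 1 ("$group $member".Trim())
    }
}
```

Save it as, say, `Get-AuditFindings.ps1` (placeholder name) and run `.\Get-AuditFindings.ps1 -ComputerName dc1,dc2 -Hours 24 | Format-Table -AutoSize`, or pipe to `Export-Csv` for a daily report. Events only appear if the matching audit subcategories (Logon, Account Lockout, Audit Policy Change, Security Group Management) are actually enabled, which is why `auditpol /get /category:*` is worth running on each server first. Polling servers this way is the cheap stand-in until a real collector such as ACS is funded, not a replacement for one: it has no tamper-evident central store and misses anything cleared from a log before the next pull.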
