Definitely, for auditing purposes, you should use software that will send reliable Syslogs, as per RFC3195.

Or something similar...

-ASB: http://XeeSM.com/AndrewBaker

On Thu, Jul 29, 2010 at 4:50 AM, Ken Schaefer <k...@adopenstatic.com> wrote:

> We are implementing this in an even bigger environment. However, syslog runs over UDP (natively) and it's not reliable. You'd need to use software that gives you more reliability (e.g. by sending the traffic over TCP) if you need this to produce reliable log files centrally.
>
> Cheers
> Ken
>
> *From:* Ziots, Edward [mailto:ezi...@lifespan.org]
> *Sent:* Thursday, 29 July 2010 3:50 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Auditing in Windows 2008 and R2 what are folks doing?
>
> 800+ servers to a syslog? Plus going to have to put agents on every single server in the domain? Really haven't used Syslog much for the Windows event logging.
>
> Z
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Network Engineer
> Lifespan Organization
> Email: ezi...@lifespan.org
> Cell: 401-639-3505
>
> *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
> *Sent:* Wednesday, July 28, 2010 3:48 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Auditing in Windows 2008 and R2 what are folks doing?
>
> EventCombMT still works... :)
>
> Why not export all the logs to SysLog, and spend a few tiny dollars on searching those logs?
>
> - Syslog servers are cheap/free.
> - Syslog forwarders for Windows are cheap/free.
> - Tools to search consolidated logs range from free to exorbitant. See Splunk on both accounts. :)
>
> Once you have established the value of log parsing and management, you'll have a slightly better chance of procuring some funds.
>
> -ASB: http://XeeSM.com/AndrewBaker
>
> On Wed, Jul 28, 2010 at 3:38 PM, Ziots, Edward <ezi...@lifespan.org> wrote:
>
> Naa, it's far harder than that. I think someone said we can dump the event logs via PowerShell, but using EventCombMT when I need to get something I hope still works. Either that or I am going to have to bug MGMT again about a dedicated eventlog management tool.
>
> Z
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Network Engineer
> Lifespan Organization
> Email: ezi...@lifespan.org
> Cell: 401-639-3505
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Wednesday, July 28, 2010 3:36 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Auditing in Windows 2008 and R2 what are folks doing?
>
> Tough gig then. Looks like you're going to be doing a lot of creative stuff with *dumpel.exe* and the *findstr* command :-)
>
> On 28 July 2010 13:06, Ziots, Edward <ezi...@lifespan.org> wrote:
>
> I don't have SCOM. I wish I had some event log auditing solution; been asking for 5+ yrs, and all it ever falls on is deaf ears....
>
> Z
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Network Engineer
> Lifespan Organization
> Email: ezi...@lifespan.org
> Cell: 401-639-3505
>
> *From:* Malcolm Reitz [mailto:malcolm.re...@live.com]
> *Sent:* Tuesday, July 27, 2010 6:29 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Auditing in Windows 2008 and R2 what are folks doing?
>
> Have you looked into using the Audit Collection Services piece of SCOM? I think ACS could be valuable for security event reporting and forensics use.
>
> -Malcolm
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Tuesday, July 27, 2010 15:41
> *To:* NT System Admin Issues
> *Subject:* Re: Auditing in Windows 2008 and R2 what are folks doing?
>
> I'm mainly interested in account lockouts, logons attempted under things like built-in administrator accounts, high numbers of logon failures, and any attempts to modify security policies and/or protected groups (such as local admins, domain admins, server ops, and the like). We've also got certain areas where file access is audited.
>
> I use SCOM to try and aggregate the events for me. This is quite handy, as it also monitors things like failed su to root on our ESX servers and other stuff outside of the Windows event logging arena.
>
> On 27 July 2010 20:15, Ziots, Edward <ezi...@lifespan.org> wrote:
>
> Hey gang, well I wanted to ask the group: what is everyone doing about their audit policies on Windows 2008 R2 for domain controllers or member servers?
>
> I have mapped out all the audit categories and sub-categories, and events, but I don't want the logs to turn into soup, so kinda wanted to see what others were doing for which categories and subcategories they turned on auditing for. Would be nice to bounce some ideas off about certain events. (Already plowed through M$ site descriptions, the Microsoft Security Resource Kit and Randy Franklin Smith's Eventlog site.)
>
> Feel free to post here, or if you like catch me offline; love to hear the feedback. After this it's on to Firewall rules accordingly for the servers and either scripting or GPOing that out for a baseline.
>
> Z
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Network Engineer
> Lifespan Organization
> Email: ezi...@lifespan.org
> Cell: 401-639-3505
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
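Two points in the thread can be shown in working code together: the "dump the event logs via PowerShell" idea that Ed mentions, applied to the watchlist James Rankin gives (account lockouts, logons as the built-in Administrator, repeated logon failures, audit-policy and protected-group changes), and Ken's point that the forwarding to a central syslog server should go over TCP rather than native UDP. The script below is an added example written for this page; it is not code from any of the posters or from the tools they name (EventCombMT, dumpel.exe, SCOM ACS). It assumes: it runs elevated on a Windows 2008 R2 or later host; the collector name and port are placeholders; the event IDs and EventData field names are the standard Security-log ones (4625 failed logon, 4624 logon, 4740 lockout, 4719 audit-policy change, 4728/4732/4756 member added to a global/local/universal security group); the collector accepts newline-framed RFC 5424 records on plain TCP (no TLS).

```powershell
# Added example, not from the thread. Summarise the Security-log events of
# interest from the last N hours and ship the summaries to a syslog collector
# over TCP. Assumptions: elevated session, Security log readable, collector
# host/port below are placeholders for your own environment.
param(
    [string]$SyslogHost = 'syslog.example.internal',   # placeholder collector
    [int]$SyslogPort = 514,                            # assumed plain-TCP syslog port
    [int]$LookbackHours = 24,
    [int]$FailureThreshold = 10                        # failed logons per account
)

# Standard Windows Security-log event IDs for James Rankin's watchlist.
$EventIds = 4624, 4625, 4740, 4719, 4728, 4732, 4756

# Pull one named <Data Name="..."> value out of an EventLogRecord's XML.
function Get-EventField {
    param($Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return $node.'#text' }
    return $null
}

# Open one TCP connection and write every summary as an RFC 5424 record,
# newline-framed (RFC 6587 non-transparent framing). Facility 13 = log audit,
# severity 4 = warning.
function Send-SyslogTcp {
    param([string[]]$Lines, [string]$CollectorHost, [int]$CollectorPort)
    $pri = 13 * 8 + 4
    $hostname = $env:COMPUTERNAME
    $client = New-Object System.Net.Sockets.TcpClient($CollectorHost, $CollectorPort)
    try {
        $stream = $client.GetStream()
        foreach ($line in $Lines) {
            $ts = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
            $record = "<$pri>1 $ts $hostname WinAudit - - - $line`n"
            $bytes = [System.Text.Encoding]::UTF8.GetBytes($record)
            $stream.Write($bytes, 0, $bytes.Length)
        }
        $stream.Flush()
    } finally {
        $client.Close()
    }
}

# Get-WinEvent raises an error (not an empty result) when nothing matches,
# so suppress it and treat $null as "no events".
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $EventIds
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

$messages = @()
$failedByAccount = @{}

foreach ($e in $events) {
    switch ($e.Id) {
        4625 {
            # Count failures per target account; reported once below, against the threshold.
            $acct = Get-EventField $e 'TargetUserName'
            if (-not $acct) { $acct = '(unknown)' }
            $failedByAccount[$acct] = 1 + [int]$failedByAccount[$acct]
        }
        4624 {
            # The built-in Administrator keeps RID 500 even when renamed, so match the SID, not the name.
            if ((Get-EventField $e 'TargetUserSid') -like '*-500') {
                $messages += "BuiltinAdminLogon user=$(Get-EventField $e 'TargetUserName') from=$(Get-EventField $e 'IpAddress') logontype=$(Get-EventField $e 'LogonType')"
            }
        }
        4740 {
            $messages += "AccountLockout user=$(Get-EventField $e 'TargetUserName') at=$($e.TimeCreated.ToString('s'))"
        }
        4719 {
            $messages += "AuditPolicyChanged by=$(Get-EventField $e 'SubjectUserName') at=$($e.TimeCreated.ToString('s'))"
        }
        { 4728, 4732, 4756 -contains $_ } {
            # Group membership change: TargetUserName is the group, MemberName the added principal.
            $messages += "GroupMemberAdded group=$(Get-EventField $e 'TargetUserName') member=$(Get-EventField $e 'MemberName') by=$(Get-EventField $e 'SubjectUserName')"
        }
    }
}

foreach ($acct in $failedByAccount.Keys) {
    if ($failedByAccount[$acct] -ge $FailureThreshold) {
        $messages += "RepeatedFailedLogons user=$acct count=$($failedByAccount[$acct]) window=${LookbackHours}h"
    }
}

if ($messages.Count -gt 0) {
    $messages | ForEach-Object { Write-Output $_ }    # local copy on the console
    Send-SyslogTcp -Lines $messages -CollectorHost $SyslogHost -CollectorPort $SyslogPort
} else {
    Write-Output "No events of interest in the last $LookbackHours hours."
}
```

Run it as a scheduled task on each server with your own collector name, or point it at a test collector first and confirm the records arrive. Because the script opens a single TCP connection per run, a collector outage surfaces as an exception from `New-Object TcpClient` rather than as silently dropped datagrams, which is the property Ken was after; at 800+ hosts a proper forwarder agent or Windows Event Forwarding to a collector is the sustainable version of the same idea, and this script is only the "dump via PowerShell" starting point.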