<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Keeping the noise down in your security log</title><link>http://blogs.msdn.com/ericfitz/archive/2005/01/11/350848.aspx</link><description>I commonly hear the complaint that "there's too much noise in the security log". As I mentioned, that's one of the key things we're working on for Longhorn- we have a new audit policy mechanism prototyped. But here are some tips to keep your noise level</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: Keeping the noise down in your security log</title><link>http://blogs.msdn.com/ericfitz/archive/2005/01/11/350848.aspx#350965</link><pubDate>Tue, 11 Jan 2005 22:32:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:350965</guid><dc:creator>petal</dc:creator><description>Damn useful - thanks very much. I can see myself implementing some of these recommendations tomorrow. My current level of paranoia renders the security log very unfriendly without 3rd party tools.&lt;br&gt;&lt;br&gt;Slightly OT, but do you know if the Microsoft Audit Collection System will allow agents to selectively ignore certain event types? Or is this no longer being developed? Or is a different solution envisaged for Longhorn?</description></item><item><title>re: Keeping the noise down in your security log</title><link>http://blogs.msdn.com/ericfitz/archive/2005/01/11/350848.aspx#351032</link><pubDate>Wed, 12 Jan 2005 00:24:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:351032</guid><dc:creator>Eric Fitzgerald</dc:creator><description>ACS currently does not have filtering on the agent, however that is being considered prior to RTM.
&lt;br&gt;&lt;br&gt;The reason that we haven't implemented that is that it is a management feature, not a security feature.  From a security perspective we want all events so that we can detect gaps in the event stream- there's no way for us to tell the difference at the collector whether the forwarder filtered an event, or whether the admin tampered with the log and deleted an event.&lt;br&gt;&lt;br&gt;Two other mitigating factors:&lt;br&gt;1) If you don't want an event, don't generate it- use audit policy.  Yes, I know that there are limits to this.&lt;br&gt;2) ACS uses a streaming compression algorithm (SLDC), which compresses extremely well.  We've seen event streams which take only 11 bytes per event on the wire, including protocol overhead (YMMV).&lt;br&gt;&lt;br&gt;For those of you unfamiliar with ACS, we'll publish news on it shortly.  It's in a private beta state right now, I'll blog an entry when we open up the beta.&lt;br&gt;&lt;br&gt;Thanks,&lt;br&gt;Eric</description></item><item><title>MIA Bloggers</title><link>http://blogs.msdn.com/ericfitz/archive/2005/01/11/350848.aspx#352722</link><pubDate>Fri, 14 Jan 2005 08:59:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:352722</guid><dc:creator>bmonday(dot)com</dc:creator><description /></item><item><title>re: Keeping the noise down in your security log</title><link>http://blogs.msdn.com/ericfitz/archive/2005/01/11/350848.aspx#353735</link><pubDate>Sat, 15 Jan 2005 22:50:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:353735</guid><dc:creator>joe</dc:creator><description>I think something else that would be useful would be an event viewer that was more flexible in terms of what you want to view. Ability to filter out specific events and ability to have it highlight certain events you are concerned about or even pull them into a &amp;quot;watch these&amp;quot; separate display panel. 
&lt;br&gt;&lt;br&gt;Personally I like a lot of information because you never know what little thing may make you realize something isn't right. However, the current state of event viewer is sort of like dir compared to explorer when looking at file listings only event viewer isn't even as flexible as dir.&lt;br&gt;&lt;br&gt;  joe&lt;br&gt;</description></item><item><title>re: Keeping the noise down in your security log</title><link>http://blogs.msdn.com/ericfitz/archive/2005/01/11/350848.aspx#354241</link><pubDate>Mon, 17 Jan 2005 06:30:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:354241</guid><dc:creator>Eric</dc:creator><description>Thanks for the feedback, Joe.  I've pretty much said the same thing to the event viewer team; I'll pass along your comments!&lt;br&gt;&lt;br&gt;Eric</description></item><item><title>What happened to my nice quiet audit logs?</title><link>http://blogs.msdn.com/ericfitz/archive/2005/01/11/350848.aspx#357016</link><pubDate>Thu, 20 Jan 2005 10:58:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:357016</guid><dc:creator>E-Bitz - SBS MVP the Official Blog of the SBS </dc:creator><description /></item><item><title>re: Keeping the noise down in your security log</title><link>http://blogs.msdn.com/ericfitz/archive/2005/01/11/350848.aspx#359768</link><pubDate>Mon, 24 Jan 2005 21:35:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:359768</guid><dc:creator>Ashish (Logmaster)</dc:creator><description>I turn on &amp;quot;failure&amp;quot; logging, when trying to understand what a app is doing when its not working. Just did it today trying to get SQL Report Serivces to run. Its a pain to install it on a nonstandard system, especially when you run IIS in a very secure mode. 
</description></item><item><title>re: Keeping the noise down in your security log</title><link>http://blogs.msdn.com/ericfitz/archive/2005/01/11/350848.aspx#367528</link><pubDate>Sat, 05 Feb 2005 01:46:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:367528</guid><dc:creator>Eric</dc:creator><description>Failure logging will probably always be yucky.  We're working on some changes for Longhorn that should make success auditing much more useful and less voluminous for object access, but all I can do for failures is log them.  It's pretty common for apps to request more privilege than they need, trap the failure case so they can re-attempt open with less privilege, and trash my log.&lt;br&gt;&lt;br&gt;I actually am having a discussion now with several teams on whether there is anything we think we can do.  However, no brainstorms yet.&lt;br&gt;&lt;br&gt;Eric</description></item><item><title>Keeping the noise down in your security log</title><link>http://blogs.msdn.com/ericfitz/archive/2005/01/11/350848.aspx#394281</link><pubDate>Sat, 12 Mar 2005 01:07:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:394281</guid><dc:creator>Dana Epp's ramblings at the Sanctuary</dc:creator><description>Eric posted an interesting article on how to cut down the noise of the security log in Windows Server. He points out a lot of interesting tidbits. I don't agree with them all, but that's just me. I'd rather wrestle with a little more noise on a hardened server and have too MANY logs rather than not enough when doing a forensic audit. Of course, most people aren't even LOOKING at their logs, so it's a moot point. Overall though, a very useful article on how to cut down the noise in your security logs on some areas of the system which are not that beneficial for you. Worth checking out.
Happy reading....</description></item><item><title>Multiple Events for Successful Account Creation</title><link>http://blogs.msdn.com/ericfitz/archive/2005/01/11/350848.aspx#459096</link><pubDate>Thu, 01 Sep 2005 18:55:43 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:459096</guid><dc:creator>Windows Security Logging and Other Esoterica</dc:creator><description>Here is the pattern you should expect to see when creating a local account. For domain accounts,...</description></item><item><title>Windows passwords and recommendations in audit reports. Dilemmas from practice</title><link>http://blogs.msdn.com/ericfitz/archive/2005/01/11/350848.aspx#2163413</link><pubDate>Tue, 17 Apr 2007 17:02:17 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:2163413</guid><dc:creator>Adrian Munteanu - Jurnal de optimist</dc:creator><description>&lt;p&gt;Although the subject is quite sensitive, I'll take the risk. For a few days now I've been troubled by some things I discovered&lt;/p&gt;
</description></item><item><title>Minimizing Directory Service Audit Event Noise</title><link>http://blogs.msdn.com/ericfitz/archive/2005/01/11/350848.aspx#8925693</link><pubDate>Fri, 05 Sep 2008 04:20:02 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8925693</guid><dc:creator>Windows Security Logging and Other Esoterica</dc:creator><description>&lt;p&gt;I've written before on noise reduction in the Windows security event log. I've also written to describe&lt;/p&gt;
</description></item></channel></rss>