Monitoring Windows Event Logs - A Tutorial

Part I - For beginners

Introduction

This tutorial is aimed at helping you tighten your Windows security and proactively prevent performance degradation by identifying and monitoring critical Windows Events.
The tutorial is made available in two parts, with this first part covering what you need to know as a beginner about Event Logs and why they need to be watched. If you are a seasoned administrator or a network engineer, move on to Part II and learn to set up Event Log monitoring.

What, Why, and How of Event Logs

Event logs are local files recording all the 'happenings' on the system, including accessing, deleting or adding a file or an application, modifying the system's date, shutting down the system, changing the system configuration, etc. Events are classified into the System, Security, Application, Directory Service, DNS Server and DFS Replication categories. The Directory Service, DNS Server and DFS Replication logs are applicable only for Active Directory. Events related to system or data security are called security events, and their log file is called the Security log. The following sections provide more details on Windows Event Logs and what mandates their monitoring:
Event Log Categories

Event logs are broadly classified into a few default categories based on the component that raised the event. The components for which events are logged include the system, system security, the applications hosted on the system, etc. Some applications log events in a custom category instead of logging them into the default Application category.
Types of Event Logs

Each event entry is classified by Type to identify the severity of the event. The types are Information, Warning, Error, Success Audit (Security log) and Failure Audit (Security log).
The Event Viewer lists the event logs like this:

Understanding an Event

Events are listed with header information and a description in the Event Viewer.
Double-click an event to see the details:

How can security logs prevent hacks and data thefts?

Security is the biggest concern every business faces today. Incidents like hacks and data thefts are continuously on the rise, exposing all segments of business to risk and leaving administrators red-eyed. Various industry studies reveal that the majority of hacks and thefts take place due to illegal authentication attempts. Auditing illegal or failed login attempts could prevent (or reduce) data thefts. That said, it is important to know what an operating system can provide by way of security and what we must do to deploy it with the required security in place.

Events that need auditing and audit plan

Many security conditions are not logged by default, which means that your resources are still exposed to hacks. You have to configure audit policies to audit the security events and log them. Critical security events that need auditing:
It is not necessary to configure all the audit policies. Doing so would log each and every action that takes place and increase the log size. The logs roll over and, depending on the configured roll-over size, the older entries are deleted. Configuring only the policies that are really critical to your environment improves security. Auditing of critical events is enabled by default for domain controllers. For other Windows devices, configure the audit policies available under Local Security Settings. The audit policies available are:
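The audit-plan steps above (enable failure auditing for logons, then watch the resulting Security log entries) as a worked example. This is an added example, not code from the original tutorial: it checks the "Logon" audit subcategory with the built-in auditpol tool, then summarises failed-logon events (Security log, Event ID 4625) by account and source address. The 24-hour window and the threshold of 5 failures are assumed values.

```powershell
# Added example (not from the original tutorial). Run in an elevated
# PowerShell session on the Windows host whose Security log you want to check.

# 1. Verify that failed logons are being audited at all. Unless Failure
#    auditing is enabled for the "Logon" subcategory, Event ID 4625 is never
#    written. "/r" makes auditpol emit CSV, which ConvertFrom-Csv can parse.
$logonPolicy = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
if ($logonPolicy.'Inclusion Setting' -notmatch 'Failure') {
    Write-Warning 'Failure auditing for Logon is not enabled. Enable it with:'
    Write-Warning '  auditpol /set /subcategory:"Logon" /failure:enable'
}

# 2. Pull failed-logon events (ID 4625) from the Security log for the window.
#    Assumed values: a 24-hour window and 5 failures as the reporting threshold.
$window    = (Get-Date).AddHours(-24)
$threshold = 5
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $window } `
                       -ErrorAction SilentlyContinue   # no error when there are no events

# 3. Read the named EventData fields from each event's XML instead of relying
#    on positional Properties[] indexes, which vary between event versions.
$failures = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Source    = $data['IpAddress']
        Status    = $data['Status']      # 0xC000006D = bad user name or password
        LogonType = $data['LogonType']   # 3 = network, 10 = remote interactive
    }
}

# 4. Summarise: account/source pairs with repeated failures are the ones worth
#    a closer look (lockout storms, password guessing, misconfigured services).
$failures |
    Group-Object Account, Source |
    Where-Object Count -ge $threshold |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Account/Source'; e = { $_.Name } } |
    Format-Table -AutoSize
```

Running the same script on a schedule (or from a central collector) is the automated, regular check the tutorial recommends instead of opening Event Viewer on every device by hand.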
Need for monitoring Event Logs

The need to adhere to security compliance requirements such as SOX for publicly traded companies and HIPAA for the health care industry necessitates implementing a security management process to protect against attempted or successful unauthorized access. Securing the information on your network is critical to your business whether or not you have to comply with a standard. Windows event logs are one of the sources from which login attempts can be tracked and logged. A manual check on every Windows device is tedious and practically impossible, which warrants automated auditing and monitoring of event logs on a regular basis.

Other Useful links

Enabling Security Audit in Windows
Advanced Security Audit Policy Step-by-Step Guide

Next: Part II