Chapter 13
Getting the Most from the Windows Security Log
Even a handful of servers create more Security log data
than you can hope to monitor and analyze manually. Frequent use of Auditpol and
Wevtutil will enable you to become a master at understanding event logging in
Windows. Both of these tools are essential and have no substitute
at the time of this writing.
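As an added illustration (not code from the book), the following PowerShell session shows the two tools in the order a practitioner actually uses them: inspect the effective audit policy with Auditpol, enable one subcategory, then pull and export the resulting events with Wevtutil. It assumes an elevated prompt; the Logon subcategory and event ID 4624 (successful logon) are this example's own choices.

```powershell
# Added example, not from the book: drive Auditpol and Wevtutil from an
# elevated PowerShell prompt. The "Logon" subcategory and event ID 4624
# (successful logon) are assumptions made for this illustration.

# 1. Show the effective audit policy for every category and subcategory.
auditpol /get /category:*

# 2. Enable success and failure auditing for the Logon subcategory only.
#    Enabling an entire category instead would be far noisier.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# 3. Confirm the change actually took effect before relying on it.
auditpol /get /subcategory:"Logon"

# 4. Read the five most recent 4624 events, newest first, as text.
#    The /q: argument is an XPath filter evaluated over each event's XML.
wevtutil qe Security "/q:*[System[(EventID=4624)]]" /c:5 /rd:true /f:text

# 5. Export the whole Security channel for offline analysis, then show the
#    channel's configured size and retention so you know how far back it keeps.
wevtutil epl Security "$env:TEMP\Security-$(Get-Date -Format yyyyMMdd).evtx"
wevtutil gl Security
```

Step 3 matters: Group Policy can override a local `auditpol /set`, so always read the policy back rather than assuming the change stuck.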
The Event Viewer in more recent versions of Windows is a big improvement
over earlier versions, and its ability to filter events is a welcome addition.
LogParser is a terrific free utility that can help you with
filtering tasks, but most organizations ultimately see the need for a full
Security log–management solution.
If you are evaluating such solutions, make sure you select
one that fits your needs. If you have more than a dozen servers, you need to
factor scalability into your evaluation plan. Performance also becomes an issue
when you need to monitor systems across slow WANs.
Make sure that the solution supports the alert methods
that your staff requires, be it pager, email, SNMP traps, or execution of a
script. Check out the reporting mechanism. I’ve never seen a solution that
offers all the reports you might ever need, so how sophisticated is the
user-definable report capability? What are your archival needs?
Does the solution's architecture fit your environment?
Some solutions require you to deploy agents on each monitored system. Agents
provide many advantages but also drive up implementation costs and can create
problems for server administrators.
Is interoperability (such as support for Syslog) important
to you? Does the tool need to accept Syslog data streams as input? Do you need
to be able to send Windows security events to a Syslog server or a database
such as Microsoft SQL Server?
Don't forget the issue of separation of duty. Do you have
a large IT department that includes separate staff to monitor security? If so,
is the solution part of a larger operations framework that will be under the
control of the very folks you need to monitor?
Finally, ask yourself whether the solution provides
integrity and confidentiality of log data as it traverses your network,
database, and archive files.
Keep Learning
As you spend time with the Windows Security log, you’ll be
able to interpret more and more of its obscure codes and make inferences based
on patterns you begin to recognize. At times you’ll find that expected events
just don’t appear. We recommend that you test any implementation of event
alerts or reports. The best way to gain skill is to perform the actions you
want to track and then analyze the events that Windows logs in response to
those actions.
That sequence of activities might be the opposite of what
you expect. But after many years of analyzing Security logs, I’ve found that
it’s better to determine what you want to audit and then find it in the
Security log rather than to try to understand and eliminate events. Don’t treat
the Security log like an exception list in which each item needs to be followed
up on. The Security log just wasn’t designed that way—in fact, it wasn’t really
designed at all. Only in the past few years has Microsoft created a
Windows product group team that owns the Windows audit function. Prior to that,
each team basically got a range of event IDs and used them as they saw fit or
as dictated by Common Criteria requirements. Too much noise exists in the
Security log, and too many events can be explained only after a lot of
experimentation and conversations with a Microsoft support engineer.
If you choose to ignore the advice in the preceding paragraph,
you'll definitely learn a lot about the Security log and discover some of its
more-arcane secrets. More than once, I’ve discovered a new and useful event ID
by querying the log for every unique event ID. Other times, I’ve used this
method on a particular description field when we wanted to learn its full set
of potential values.
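The following PowerShell is an added example, not the book's own code, that implements both techniques described above: the "perform the action, then see what Windows logged" workflow from the Keep Learning section, and the two research queries in the preceding paragraph (every distinct event ID in the log, and every distinct value of one description field). It assumes an elevated session with read access to the Security log; event 4624 and its LogonType field are this example's own choice of what to research.

```powershell
# Added example, not from the book. Assumes an elevated session that can read
# the Security log; the 4624/LogonType query at the bottom is an assumption
# chosen for illustration.

function Get-UniqueSecurityEventIds {
    # Count every distinct event ID in the Security log. Pass -Since with a
    # timestamp taken just before you performed the action under study to see
    # only what that action produced.
    param(
        [datetime]$Since = [datetime]::MinValue,
        [int]$MaxEvents = 100000
    )
    $filter = @{ LogName = 'Security' }
    if ($Since -gt [datetime]::MinValue) { $filter['StartTime'] = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Group-Object -Property Id |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Id      = [int]$_.Name
                Count   = $_.Count
                # First line of the rendered description, as a quick label
                Message = (([string]$_.Group[0].Message) -split "`r?`n")[0]
            }
        }
}

function Get-SecurityEventFieldValues {
    # Enumerate the distinct values one named EventData field has taken for a
    # given event ID, e.g. every LogonType that 4624 has recorded on this host.
    param(
        [Parameter(Mandatory)][int]$EventId,
        [Parameter(Mandatory)][string]$FieldName,
        [int]$MaxEvents = 100000
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The rendered Message drops the field names; the XML form keeps them
            # as <Data Name="..."> elements under <EventData>.
            $xml = [xml]$_.ToXml()
            $xml.Event.EventData.Data |
                Where-Object { $_.Name -eq $FieldName } |
                ForEach-Object { $_.'#text' }
        } |
        Group-Object |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = $FieldName; e = { $_.Name } }, Count
}

# Workflow: take a timestamp, perform the action you want to audit, then ask
# what appeared. Start with what you want to track, not with the whole log.
$marker = Get-Date
# ... perform the action here (log on, open a protected file, change a group) ...
Start-Sleep -Seconds 5
Get-UniqueSecurityEventIds -Since $marker | Format-Table -AutoSize

# Research queries over the entire log.
Get-UniqueSecurityEventIds | Format-Table -AutoSize
Get-SecurityEventFieldValues -EventId 4624 -FieldName 'LogonType' | Format-Table -AutoSize
```

Reading the field from `ToXml()` rather than from the rendered `Message` is deliberate: the message text varies with the provider's localized template, while the `Data Name="..."` attributes in the XML are stable and are what you would key on in any alert or report you build from this research.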
The Security log has plenty to offer those willing to
learn and experiment. Researching the log carries an added bonus: The more you
learn about the Security log, the more you will understand the security
infrastructure of the largest and most widely used operating system in the
world.
More Windows Security Log Help