Introduction to event logging & auditing
After you have installed GFI LANguard S.E.L.M., you have to make sure that the machines you wish to monitor have event logging enabled for the actions you wish to audit.
By default, auditing of all security categories is disabled!
You are required to establish an audit policy which fits your needs by determining which types of security events you consider important enough to be brought to your attention, and hence want to audit. Auditing can be set to monitor both operating system events, such as logons and logoffs, and accesses to individual objects. An object in Windows NT/2000 is anything from a file system object or registry key to a printer. Once you have decided your auditing objectives, your next task is to decide on the categories of events you want to audit.
You can configure event logging on a machine-by-machine basis using GFI LANguard S.E.L.M., or via group policies. If you are monitoring large numbers of workstations and servers, however, it makes sense to enforce the appropriate event logging on a network-wide basis. On a Windows 2000 network this is easily implemented using a Group Policy, which applies one audit policy to every machine in a domain or organizational unit instead of relying on each machine's local settings.
There are nine security categories which can be configured to generate events depending upon your auditing requirements:
- Audit account logon events – this category will generate a success or failure event whenever a domain controller receives a request to validate a domain account's credentials. The event is recorded on the machine that validated the credentials, i.e. on the domain controller for domain accounts, not on the machine the user logged on to.
- Audit account management – this category will generate a success or failure event whenever a user account or group is created, renamed, changed or deleted. This includes events for password changes and for user accounts being enabled or disabled.
- Audit Directory Service Access – this category will generate a success or failure event whenever an Active Directory object is accessed or changed. It applies only to Windows 2000 Domain Controllers, and, like object access auditing, it only produces events for Active Directory objects whose system access control list (SACL) contains auditing entries.
- Audit Logon events – this category is separate from "Audit account logon events". It will generate a success or failure event when a user logs on to or off from the system on which the event is recorded. Events are also generated when a user connects to or disconnects from a system via either an interactive type of logon or a network type of logon (for example connecting to a shared folder), so these events appear on the workstation or server that was accessed.
- Audit object access – this category will generate a success or failure event when a specified object (file, directory, registry key, printer) is accessed or changed. Enabling the category alone generates nothing: you must also turn on auditing for each object of interest in its security properties, which adds an entry to the object's SACL selecting the users and access types to audit. Because this category can produce a very high volume of events, audit only the objects you really need to watch.
- Audit Policy Change – this category will generate a success or failure event when a user makes high-level changes to the security policies. These changes may include anything from changing user rights assignments to changing the audit policy itself.
- Audit Privilege Use – this category will generate a success or failure event whenever a user exercises a user right (privilege) that you have assigned to that user, such as changing the system time or taking ownership of an object.
- Audit Process Tracking – this category will generate a success or failure event whenever a process is launched, a handle to an object is duplicated, an object is accessed indirectly, and also whenever a process exits. It is very verbose and is normally enabled only while investigating a specific machine.
- Audit System Events – this category will generate a success or failure event whenever an event which affects the entire system occurs. Such events include the system being shut down or restarted. A system event will also be generated when the security log fills up or is cleared.
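The following is an added example, not part of the GFI manual or the product, covering both the network-wide enforcement discussed above and the nine categories in the list. Windows NT/2000 audit policy can be expressed as the [Event Audit] section of a secedit security template (.inf), where each category key takes 0 (no auditing), 1 (success), 2 (failure) or 3 (both). The script renders such a template from a chosen policy, parses one back (for example one exported with secedit), and reports which categories are still left at the default of no auditing. The key names match those used in the Microsoft-supplied templates; the BASELINE policy is an assumption for illustration, not a recommendation from the page.

```python
"""Render and check the [Event Audit] section of a Windows 2000 security template.

Added example: the nine audit categories described on this page, expressed as
secedit template keys. BASELINE below is an assumed starting policy.
"""
import re

# Bit values used by the [Event Audit] section of a secedit .inf template.
NONE, SUCCESS, FAILURE = 0, 1, 2
BOTH = SUCCESS | FAILURE

# Category name (as shown in the Group Policy editor) -> template key.
CATEGORIES = {
    "Audit account logon events": "AuditAccountLogon",
    "Audit account management": "AuditAccountManage",
    "Audit directory service access": "AuditDSAccess",
    "Audit logon events": "AuditLogonEvents",
    "Audit object access": "AuditObjectAccess",
    "Audit policy change": "AuditPolicyChange",
    "Audit privilege use": "AuditPrivilegeUse",
    "Audit process tracking": "AuditProcessTracking",
    "Audit system events": "AuditSystemEvents",
}

# Assumed starting policy for the example. Object access is set to failure
# only, and even that yields nothing until objects get SACL entries.
# Directory service access and process tracking are deliberately left at 0.
BASELINE = {
    "Audit account logon events": BOTH,
    "Audit account management": BOTH,
    "Audit logon events": BOTH,
    "Audit object access": FAILURE,
    "Audit policy change": BOTH,
    "Audit privilege use": FAILURE,
    "Audit system events": BOTH,
}


def render_template(policy):
    """Render a secedit template that sets all nine categories explicitly.

    Categories missing from `policy` are written as 0, so applying the
    template also clears auditing you did not ask for.
    """
    lines = ["[Unicode]", "Unicode=yes", "[Version]",
             'signature="$CHICAGO$"', "Revision=1", "[Event Audit]"]
    for name, key in CATEGORIES.items():
        value = policy.get(name, NONE)
        if value not in (NONE, SUCCESS, FAILURE, BOTH):
            raise ValueError(f"{name}: invalid audit value {value}")
        lines.append(f"{key} = {value}")
    return "\r\n".join(lines) + "\r\n"   # .inf files use CRLF line endings


_SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")
_SETTING = re.compile(r"^\s*(\w+)\s*=\s*(\d+)\s*$")


def parse_event_audit(text):
    """Parse the [Event Audit] section of a template into {category: value}.

    Other sections and unknown keys are ignored; ';' starts a comment.
    """
    by_key = {key: name for name, key in CATEGORIES.items()}
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "event audit":
            continue
        m = _SETTING.match(line)
        if m and m.group(1) in by_key:
            result[by_key[m.group(1)]] = int(m.group(2))
    return result


def describe(value):
    """Human-readable form of a category value, e.g. 3 -> 'Success, Failure'."""
    parts = []
    if value & SUCCESS:
        parts.append("Success")
    if value & FAILURE:
        parts.append("Failure")
    return ", ".join(parts) or "No auditing"


def unaudited(policy):
    """Categories still at 'No auditing', the Windows NT/2000 default."""
    return [name for name in CATEGORIES if policy.get(name, NONE) == NONE]


if __name__ == "__main__":
    template = render_template(BASELINE)
    with open("audit.inf", "w", encoding="utf-16") as fh:   # secedit expects Unicode
        fh.write(template)
    parsed = parse_event_audit(template)
    for name, value in parsed.items():
        print(f"{name:32} {describe(value)}")
    print("still unaudited:", unaudited(parsed))
```

The generated audit.inf can be applied on one machine with `secedit /configure /db audit.sdb /cfg audit.inf /areas SECURITYPOLICY`, or imported into the Security Settings of a Group Policy object to enforce it across the domain. Feeding `parse_event_audit` a template exported from a machine with `secedit /export` shows which categories a server still has switched off; remember that a non-zero value for object access or directory service access only produces events for objects that also carry SACL entries.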