Event logs have been a feature of the Microsoft Windows operating system since the original release of Windows NT in 1993. Designed to provide an audit trail of system use, event logging records the actions that occur within the system, such as users logging in, a component failing to start, or an attempt to print a document.
Event Log Management
Every event that occurs across a network can be recorded in an event log file. The list of events recorded by default can be modified to reflect the needs of the organization's systems. Information stored in event log files is extremely useful to organizations, as it provides real-time indications of network incidents as well as an audit trail of user activity. However, extracting useful information can be challenging, as it is very difficult to manage and filter the vast amount of data generated.
An organization's event log management is only as effective as the amount of data it includes from its network's activity. To provide an accurate report on any particular part of the system, data needs to be generated for that part. For example, you cannot compile a report on who accessed a confidential file if you have not set up the file to raise an event (and have that event logged) when it is accessed.
As the required level of monitoring depends on the organization, and there are many event categories in security auditing, the first step is determining which categories need to be audited. The following is a list of the available categories:
- Account Logon Events
Tracks user logon and logoff events.
- Account Management
Tracks attempts to create users or groups, rename users or groups, enable user accounts, disable user accounts or change account passwords.
- Directory Service Access
Used for auditing tasks on domain controllers.
- Logon Events
Records the creation and destruction of logon sessions (including remote sessions).
- Object Access
Used to record user access of objects such as files.
- Policy Change
Records changes to policies such as user rights assignment or the Windows Firewall policy.
- Privilege Use
Records when users exercise a user privilege.
- Process Tracking
Tracks process information such as program activation/exit.
- System Events
Records system events such as shutting down a computer.
Each of these categories contains many subcategories and events, which together can be used to create a complete audit trail of system activity. It is recommended that only essential events are set up for auditing, as generating a large number of events can severely affect system performance.
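As an added example (not from the post or from WebSpy), the following PowerShell snippet uses the built-in auditpol tool to show which audit subcategories are currently collecting nothing, and then enables failure auditing for only the two logon-related subcategories, in keeping with the advice above to audit what is essential rather than whole categories. It assumes an elevated prompt on Windows Vista or later, where auditpol is available.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell prompt.
# auditpol's /r switch emits the current policy as CSV; ConvertFrom-Csv turns it into objects.
$policy = auditpol /get /category:* /r | ConvertFrom-Csv

# Subcategories that are not audited at all: events in these never reach the log,
# so no report (in Vantage or anywhere else) can be built on them.
$unaudited = $policy | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }
$unaudited | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# Enable only what the "failed authentication" use case needs: failure auditing for
# the Logon subcategory (Logon Events above) and Credential Validation (Account Logon
# above), instead of switching on every event in those categories.
auditpol /set /subcategory:"Logon" /failure:enable
auditpol /set /subcategory:"Credential Validation" /failure:enable

# Confirm the change for the two subcategories just touched.
auditpol /get /subcategory:"Logon"
auditpol /get /subcategory:"Credential Validation"
```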
To enable the audit log and specify the files/folders to audit in your operating system, please refer to http://support.microsoft.com/
Vantage and Event Logs
After file auditing settings have been implemented on the system, managing event logs and extracting information is a simple process. Although the Microsoft-provided interface for event logging and tracing has improved dramatically from the original, Vantage simply does a much better job at it. Hey, don’t take my word for it. Try out both and see for yourself.
WebSpy Vantage’s ability to translate event log data into manageable information will, among other things, enable organizations to:
- Monitor failed authentication attempts
Identify users trying to access files and folders they are not authorized to access, or the system failing to provide legitimate user access.
- Prevent data loss and leakage
Identify the access, modification or printing of confidential files to prevent information leakage or identify the person behind accidental or deliberate data loss.
- Ensure employees adhere to specified work schedules
Monitor event logs that record when an employee’s computer has been powered on or shut down.
Importing Event Logs into Vantage
The first step is to import Windows Event Logs into a storage in Vantage. This process can be set to run automatically at appropriate intervals using Tasks.
Once a storage for Windows Event Logs has been created, reports can be generated and analyses run, allowing useful information to be extracted from the event log data.
Vantage uses aliases to create more meaningful information; for example, event IDs are translated to an event category to enhance the readability of generated reports and analyses. A list of event IDs and their categories is included at the bottom of this post for reference.
Importing event logs into a storage:
- Open Vantage and click the Storages tab
- In the left pane, click Import Logs. This will start the import dialog wizard
- Enter a name for the storage in the Create a new storage dialog box, then click Next
- Select the Windows Event Log radio button, then click Next
- Select the Microsoft format (description: Windows Event Log), then click Next
- Click Add, enter the name of the computer in the Server dialog box, click OK and then click Next
- Continue through the wizard and select any filter, field or partitioning options to include, then click OK. The event log data will now be imported into the storage
Generating a Report
- Click the Reports tab
- Select the type of report to generate. Note: Vantage includes many default templates for Windows Event Logs such as Failed Events, Application Errors and Failure Audit Trends.
- In the left pane, click Generate Report. This will launch the Generate Report wizard
- Select the storage to report on. Note: This should be the storage created previously for Windows Event Logs
- Select the document format(s) for the report
- Enter the report name in the Document Name dialog box
- Continue through the wizard and select any splitting, filtering or email options, then click OK. The report will now be generated
Running an Analysis
- Click the Summaries tab
- In the left pane, click New Analysis. This will launch the Create Analysis wizard
- Enter a name for the analysis in the Name dialog box, select the storage, and check that the schema is set to All Windows Event Schemas, then click Next
- Select the type of analysis to run, then click Next
- Continue through the wizard and select any filtering or summary options, then click OK. The summary will now be generated
The summary allows interactive drilldown to any level for data mining and information exploration.
Also see previous blog ‘File Access Reporting – How to report on who accessed a file or a folder‘.
If you have any questions about reporting on event logs, don’t hesitate to get in touch with our support team.
Event IDs and Categories
- Account Logon: 680
- Logon/Logoff: 529, 534, 537
- Installation: 17, 18, 19, 21
- Server: 958, 1485, 1486, 3408, 3454, 5084, 8128, 9666, 9688, 9689, 15268, 15457, 17069, 17101, 17103, 17104, 17110, 17111, 17115, 17125, 17126, 17136, 17137, 17147, 17148, 17162, 17164, 17176, 17199, 17403, 17550, 17551, 17656, 17658, 17663, 19030, 19032, 26018, 26048
- Setup: 1017, 1019, 1020, 1023, 1025
- Policy Change: 612
- Web Event: 1309, 1310
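The aliasing described in the "Importing Event Logs into Vantage" section, where an event ID is translated to a category, is shown below as an added PowerShell example; this is not Vantage's code. It inverts the table above into an ID-to-category lookup, reads the Security log with Get-WinEvent, counts events per category, and then lists the audit failures in the two logon categories (the "failed authentication attempts" use case). The IDs in the table are the pre-Vista Security log IDs; on later Windows versions substitute the current IDs for the same categories.

```powershell
# Added example, not Vantage code. The alias table is the one printed in the post,
# inverted so that an event ID looks up its category.
$aliases = @{
    'Account Logon' = @(680)
    'Logon/Logoff'  = @(529, 534, 537)
    'Installation'  = @(17, 18, 19, 21)
    'Setup'         = @(1017, 1019, 1020, 1023, 1025)
    'Policy Change' = @(612)
    'Web Event'     = @(1309, 1310)
}
$categoryById = @{}
foreach ($category in $aliases.Keys) {
    foreach ($id in $aliases[$category]) { $categoryById[[int]$id] = $category }
}

function Get-AliasedEventSummary {
    param(
        [string]$LogName = 'Security',   # to report on a saved .evtx export, use Get-WinEvent -Path instead
        [int]$MaxEvents = 5000
    )
    # Read the newest events and attach the aliased category. IDs missing from the
    # table are labelled 'Unaliased' so they show up in the summary instead of vanishing.
    $events = Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, KeywordsDisplayNames,
            @{ n = 'Category'; e = {
                if ($categoryById.ContainsKey([int]$_.Id)) { $categoryById[[int]$_.Id] } else { 'Unaliased' } } }

    # Per-category counts, the same grouping a "Failure Audit Trends" style report would use.
    $events | Group-Object Category | Sort-Object Count -Descending |
        Select-Object Name, Count | Format-Table -AutoSize

    # Failed authentication attempts: audit failures that fall in the two logon categories.
    $events |
        Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' -and
                       $_.Category -in 'Account Logon', 'Logon/Logoff' } |
        Select-Object TimeCreated, Id, Category | Format-Table -AutoSize
}

Get-AliasedEventSummary
```

Reading the Security log requires administrative rights, and a log that contains none of the listed IDs will simply report every event as 'Unaliased'.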