Logging Basics
Logs are records of events that happen on your computer, written either by the operating system or by a running process. They help you track what happened and troubleshoot problems.
The most common location for logs in Windows is the Windows Event Log. It contains logs from the operating system and from several applications such as SQL Server or IIS. The logs use a structured data format (each event has an ID, a source, a timestamp and named data fields), making them easy to search and analyze. Additionally, some applications write to plain log files, for example the IIS access logs, which are stored in text format.
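The difference between the two formats is easiest to see side by side. The following PowerShell is an added example and is not code from the original post: it pulls logon events from the Security log and reads named fields out of the event XML, and then parses a text-format IIS W3C log using its own #Fields header. The IIS lines are constructed for this example; the Security log query needs an elevated shell.

```powershell
# Added example (not from the original post): a structured Event Log query
# next to a parser for text-format IIS access logs.

# 1. Structured: filter the Security log by event ID and read named fields
#    from the event XML instead of pattern-matching the message text.
function Get-LogonEvents {
    param([int]$MaxEvents = 20)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625 }   # 4624 logon success, 4625 logon failure
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                User      = $data['TargetUserName']
                Domain    = $data['TargetDomainName']
                LogonType = $data['LogonType']
                SourceIp  = $data['IpAddress']
            }
        }
}

# 2. Text: IIS W3C logs. This sample is constructed for the example; real
#    logs are under C:\inetpub\logs\LogFiles\W3SVC<site id>\ by default.
$SampleIisLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-01-15 10:00:01 10.0.0.5 GET /index.html - 443 203.0.113.7 200
2024-01-15 10:00:02 10.0.0.5 GET /admin/config.php - 443 203.0.113.7 404
2024-01-15 10:00:03 10.0.0.5 POST /login - 443 198.51.100.9 401
'@

function ConvertFrom-IisLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header names the columns; every later data line is space-separated values in that order.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'Data line seen before the #Fields header' }
        $values = $line -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Usage: error responses per client IP from the sample, then live logon events.
ConvertFrom-IisLog -Lines ($SampleIisLog -split "`r?`n") |
    Where-Object { [int]$_.'sc-status' -ge 400 } |
    Group-Object 'c-ip' | Select-Object Name, Count

Get-LogonEvents -MaxEvents 10 | Format-Table -AutoSize
```

With the structured log, the field names come from the event itself, so the same query works on any machine. With the text log, the parser is only as good as the #Fields header it was written against; if IIS is configured to log different columns, the header changes and the parser follows it, which is why the example reads the header instead of hard-coding column positions.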
Auditing Windows Server
Audit policy
Establishing an audit policy is an important facet of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability and provides evidence in the event of a security breach.
Account logon event
Audit this to see each instance of this computer validating an account when a user logs on to or off from another computer, which is typically what a domain controller does for the domain.
Account Management
Audit this to see when someone has created, changed or deleted an account, changed a password or changed the membership of a user group.
Directory service access
Audit this to see when someone accesses an Active Directory directory service object that has its own System Access Control List (SACL). Only objects carrying a SACL generate these events.
Logon Events
Audit this to see when someone has logged on to or off from this computer, including network and remote desktop logons.
Object access
Audit this to see when someone has used a file, folder, printer or other object. As with directory objects, nothing is logged unless the object has a SACL. While you can also audit registry keys, we do not recommend that unless you have advanced knowledge of the registry and know how to work with it.
Policy change
Audit this to see attempts to change local security policies and to see if someone has changed user rights assignments, auditing policies or trust policies.
Privilege use
Audit this to see when someone exercises a user right, such as acting as part of the operating system or taking ownership of an object.
Process tracking
Audit this to see when events such as a program starting or a process exiting occur.
System events
Audit this to see when someone has shut down or restarted the computer, or when a process or program tries to do something that it does not have permission to do.
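The categories above are set on a Windows Server with auditpol.exe, and each one produces a known set of Security event IDs. The following PowerShell is an added example, not code from the original post: it maps each category in the text to its auditpol subcategory and event IDs, turns the subcategories on, adds a SACL to a folder so that Object access produces events at all, and then queries the resulting events. The folder path C:\SensitiveShare is hypothetical; everything here needs an elevated shell.

```powershell
# Added example (not from the original post): enable the audit subcategories
# behind the categories above, give a folder a SACL so Object access logs,
# and pull the Security events each category produces. Run elevated.

# Category from the text -> auditpol subcategory -> Security event IDs it generates.
$AuditMap = @(
    [pscustomobject]@{ Category = 'Account logon';            Subcategory = 'Credential Validation';           Ids = @(4776) }
    [pscustomobject]@{ Category = 'Account logon';            Subcategory = 'Kerberos Authentication Service'; Ids = @(4768, 4771) }
    [pscustomobject]@{ Category = 'Account management';       Subcategory = 'User Account Management';         Ids = @(4720, 4722, 4724, 4726) }
    [pscustomobject]@{ Category = 'Account management';       Subcategory = 'Security Group Management';       Ids = @(4728, 4732, 4756) }
    [pscustomobject]@{ Category = 'Directory service access'; Subcategory = 'Directory Service Access';        Ids = @(4662) }   # domain controllers only
    [pscustomobject]@{ Category = 'Logon events';             Subcategory = 'Logon';                           Ids = @(4624, 4625) }
    [pscustomobject]@{ Category = 'Object access';            Subcategory = 'File System';                     Ids = @(4663) }   # only objects with a SACL
    [pscustomobject]@{ Category = 'Policy change';            Subcategory = 'Audit Policy Change';             Ids = @(4719) }
    [pscustomobject]@{ Category = 'Privilege use';            Subcategory = 'Sensitive Privilege Use';         Ids = @(4673, 4674) }
    [pscustomobject]@{ Category = 'Process tracking';         Subcategory = 'Process Creation';                Ids = @(4688) }
    [pscustomobject]@{ Category = 'System events';            Subcategory = 'Security State Change';           Ids = @(4608, 4616) }
)

function Enable-AuditSubcategory {
    param([Parameter(Mandatory)][string]$Subcategory)
    # Before: print the current setting. A fresh install leaves several of these at "No Auditing".
    auditpol.exe /get /subcategory:"$Subcategory"
    # After: audit successes and failures. Failures are where password guessing and probing show up.
    auditpol.exe /set /subcategory:"$Subcategory" /success:enable /failure:enable
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$Subcategory' (exit code $LASTEXITCODE)" }
}

function Add-FolderAuditRule {
    # Object access events are only written for objects that carry a SACL.
    # This audits writes and deletes by anyone, inherited to files and subfolders.
    param([Parameter(Mandatory)][string]$Path)
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'WriteData, Delete',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AuditEvents {
    param([Parameter(Mandatory)][string]$Category, [int]$Hours = 24, [int]$MaxEvents = 50)
    $ids = $AuditMap | Where-Object Category -eq $Category | ForEach-Object { $_.Ids }
    if (-not $ids) { throw "Unknown category '$Category'" }
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $ids
        StartTime = (Get-Date).AddHours(-$Hours)
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage
foreach ($entry in $AuditMap) { Enable-AuditSubcategory -Subcategory $entry.Subcategory }
Add-FolderAuditRule -Path 'C:\SensitiveShare'    # hypothetical path; point it at a folder you actually want watched
Get-AuditEvents -Category 'Logon events'     -Hours 1 | Format-Table -AutoSize
Get-AuditEvents -Category 'Process tracking' -Hours 1 | Format-Table -AutoSize
```

Two caveats a practitioner will hit. Settings made with auditpol.exe are overwritten by Group Policy on the next refresh if the domain defines an audit policy, so in a domain the same subcategories should be set under Advanced Audit Policy Configuration in the GPO. And event 4688 records only the process name unless the "Include command line in process creation events" policy (Administrative Templates > System > Audit Process Creation) is also enabled; without it, Process tracking tells you that powershell.exe started but not what it was asked to run.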