Home page logo
/

basics logo Security Basics mailing list archives

RE: Windows Log
From: "dave kleiman" <dave () davekleiman com>
Date: Wed, 25 Jan 2006 09:23:30 -0500

Chuck,

Actually MSFT has that feature built into it:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
or Security or System]
"MaxSize"=dword:06400000
"Retention"=dword:ffffffff
"AutoBackupLogFiles"=dword:00000001

Now the host will archive and store the event logs when they reach 100MB in
the default event log directory, using the following format:
Logname-YYYY-MM-DD-HH-MM-SSS-mmm.evt


Regards,

Dave


______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE

www.SecurityBreachResponse.com
 




     -----Original Message-----
     From: Meredith, Charles (HRD)
     [mailto:Charles.Meredith () state ma us]
     Sent: Tuesday, January 24, 2006 11:38
     To: security-basics () securityfocus com
     Subject: RE: Windows Log

     Kind of related...
     While researching a similar problem, I found a tool that
     will help manage the archival of logs (you might want to
     do this). We wanted to keep an archive of audit logs
     (logon and logoff events) so I found a freeware utility
     from SysInternals called psloglist that will automatically
     clear and save your audit/security logs.
     http://www.sysinternals.com/Utilities/PsLogList.html
     Regards,
     Chuck

     -----Original Message-----
     From:
     security-basics-return-37793-Chuck.Meredith=hrd.state.ma.us
@securityfocus.com [mailto:security-basics-return-37793-
Chuck.Meredith=hrd.state.ma.us () securityfocus com] On
     Behalf Of List Spam
     Sent: Tuesday, January 17, 2006 10:08 AM
     To: security-basics () securityfocus com
     Subject: Re: Windows Log

     There are many types of logins that can be performed in an
     an AD environment.  Among these are full desktop logins by
     a user (aka interactive login), non-interactive network
     logins (e.g. mount a share), computer accounts
     authenticating to the domain, etc.

     I would venture a guess that you don't want to disallow
     the ability to log other security events, but want to
     easily find login events of some type (see above) without
     having to wade through the full set of logged data.  If
     this is the case, you could simply filter the logs to show
     the event id that is specific to the action you are looking to see.

     You could use the built-in "Event Viewer" application for
     it, EventCombMT (Google it), one of the resource kit log
     dumping utilitities, VBScripts, or just about anything
     else to export this info.  Some VBScript examples are below:

     http://www.microsoft.com/technet/scriptcenter/scripts/logs/
     eventlog/default.mspx

     I dare say that if you're trying to audit security on a
     box, you don't want to hack up the data collection
     facility, but want to simply get better use from that data.

     My two cetns.

     On 1/16/06, Rod <rod.rio () gmail com> wrote:
     > Hi all,
     >
     > I have a Win2k Server, who is my Domain Controller, and
     I'd like it to
     > log only the LOGON/LOGOFF events. I know that there are
     a whole class
     > of logon/logoff events, but I´d like to log only when a
     user logon
     > into a machine in the domain.
     >
     > Hope I was clear... thx
     >
     >
     > --
     > Rodrigo M. T. Fernandez
     > Departamento de Ciência da Computação UFRJ Grupo de Respostas a
     > Incidentes de Segurança - GRIS UFRJ www.dcc.ufrj.br |
     > www.gris.dcc.ufrj.br
     >
     >
     -----------------------------------------------------------
     -----------
     > ----- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE
     - ONLINE The
     > Norwich University program offers unparalleled Infosec
     management
     > education and the case study affords you unmatched
     consulting experience.
     > Tailor your education to your own professional goals with degree
     > customizations including Emergency Management, Business
     Continuity
     > Planning, Computer Emergency Response Teams, and Digital
     Investigations.
     >
     > http://www.msia.norwich.edu/secfocus
     >
     -----------------------------------------------------------
     -----------
     > ------
     >
     >

     -----------------------------------------------------------
     ----------------
     EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
     The Norwich University program offers unparalleled Infosec
     management education and the case study affords you
     unmatched consulting experience.
     Tailor your education to your own professional goals with
     degree customizations including Emergency Management,
     Business Continuity Planning, Computer Emergency Response
     Teams, and Digital Investigations.

     http://www.msia.norwich.edu/secfocus
     -----------------------------------------------------------
     -----------------




     -----------------------------------------------------------
     ----------------
     EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
     The Norwich University program offers unparalleled Infosec
     management education and the case study affords you
     unmatched consulting experience.
     Tailor your education to your own professional goals with
     degree customizations including Emergency Management,
     Business Continuity Planning, Computer Emergency Response
     Teams, and Digital Investigations.

     http://www.msia.norwich.edu/secfocus
     -----------------------------------------------------------
     ----------------






---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]