Re: [logs] Windows Event Log Analysis

• Previous message: wolfgangat_private: "[logs] syslog compatibility (was: Syslog payload format)"
• In reply to: Buck Buchanan: "[logs] Windows Event Log Analysis"
• Next in thread: Buck Buchanan: "RE: [logs] Windows Event Log Analysis"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

 
> I discovered yesterday that Windows does not always
> log process creation and termination.

Not by default, no.  

I read through the rest of your post, and noticed one
glaringly absent piece of information...what your
auditing configuration looked like.  You never
specified whether or not you had Process Tracking
(both success and failure events) enabled in the
EventLog configuration.  It seems that you do have
Object Access enabled, but perhaps not Process
Tracking.

I only point out the above b/c I don't want to err and
assume that you do have the necessary logging enabled.


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: Rainer Gerhards: "RE: [logs] Syslog payload format"
• Previous message: wolfgangat_private: "[logs] syslog compatibility (was: Syslog payload format)"
• In reply to: Buck Buchanan: "[logs] Windows Event Log Analysis"
• Next in thread: Buck Buchanan: "RE: [logs] Windows Event Log Analysis"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:55:49 PST