On Fri, 17 Jan 2003, Eric Fitzgerald wrote:

> I would be very interested in hearing any suggestions on how to improve
> the ability to analyze the Windows security log. I've explained why some
> of the events seem to be "missing" information even though the
> information is really in the log, and Microsoft's strategy moving
> forward, but if you have other suggestions then I would be very open to
> hearing them.

Hi Eric,

I received this response from another person at our company-

====
In response to request for suggestions regarding auditing;

Windows auditing should be tree oriented around objects known to Administrators, rather than time oriented as it is now (or the views should be switchable). Typically you reach a point in auditing where you want to track a user, machine, process, or other tangible object. Tracking by event ID, or time, is not appropriate at that point. Same is true in System logs (and other event logs).

The biggest struggle with MS event logs has been digesting the information and knowing what you are trying to track. Tracking by known objects should make the process more comprehendible.

So, for example, what did userX do since their next to last log off? What has been done on this machine? What has IIS been doing since it was last restarted? That sort of scenario.
===

I'll add my two cents, which is that the time-oriented view is _crucial_ to forensics, so "rather than" isn't realistic, but "as well as" would work quite nicely. Personally, I don't overly mind doing correlation (heck, that's half the value of doing the forensics well) as long as there's a good key to go off of.

But I think the above point is valid, and should have at least some level of thought- even if it's weird, like something along the lines of per-object logging options for some events (like "I want to audit users, give me per-user logs" or "I want to audit tbird, shove that stuff over there, as well as here in the event log in traditional format....") I think "You can switch on this slower, but object/target/subject stuff on if you want" kind of thing might be a good idea given the level of admins we've seen of late running single-purpose systems like Web servers.

Anyway, I wanted to throw it out there as a thought and see if you had some comments on views of log events in formats that those of us doing a lot of log processing don't tend to think of- the sorts of questions normal admins have that relate to logged events (I spend way too much time reading log tea leaves to diagnose attacks and malice to think much about normal daily adminish stuff.)

Regards,
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
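The forwarded note asks for views keyed on user, machine and process, and Paul's reply insists the time-ordered view stay underneath them. The script below is an added example of doing exactly that, written for this archive page and not code from the LogAnalysis thread or from Microsoft: it takes a time-ordered list of Security log records and answers the three questions quoted above (what did userX do since their next to last logoff, what has been done on this machine, what has IIS been doing since it was last restarted). The records are constructed sample data in a simplified six-field shape (timestamp, event ID, user, host, process image, detail); the event IDs used are the Windows 2000/XP-era Security log IDs 528 (logon), 538 (logoff), 560 (object open) and 592 (process created), and treating the latest 592 for inetinfo.exe as "the last IIS restart" is this example's assumption, not something the thread states.

```python
"""Re-index a time-ordered Windows Security log into object-oriented views.

Added example, not code from the LogAnalysis thread. SAMPLE_LOG is
constructed sample data in a simplified shape; a real export would come
from the Event Viewer's saved log or an agent, not from literals.
"""
from collections import defaultdict
from datetime import datetime

# Windows 2000/XP-era Security log event IDs.
LOGON, LOGOFF, OBJECT_OPEN, PROCESS_CREATED = 528, 538, 560, 592

FIELDS = ("time", "id", "user", "host", "process", "detail")

# Constructed sample log, in the time order the Event Viewer presents it.
SAMPLE_LOG = [
    ("2003-01-17 08:00:05", LOGON, "userX", "WEB01", "winlogon.exe", "Logon type 2"),
    ("2003-01-17 08:02:10", PROCESS_CREATED, "userX", "WEB01", "cmd.exe", "New process created"),
    ("2003-01-17 08:05:00", LOGON, "admin", "FILE01", "winlogon.exe", "Logon type 2"),
    ("2003-01-17 08:30:00", LOGOFF, "userX", "WEB01", "winlogon.exe", "User logoff"),
    ("2003-01-17 09:00:00", PROCESS_CREATED, "SYSTEM", "WEB01", "inetinfo.exe", "New process created"),
    ("2003-01-17 09:15:30", OBJECT_OPEN, "SYSTEM", "WEB01", "inetinfo.exe", r"Object open: C:\inetpub\wwwroot\default.htm"),
    ("2003-01-17 10:00:00", LOGON, "userX", "WEB01", "winlogon.exe", "Logon type 2"),
    ("2003-01-17 10:05:00", OBJECT_OPEN, "userX", "WEB01", "explorer.exe", r"Object open: C:\inetpub\wwwroot\default.htm"),
    ("2003-01-17 10:20:00", LOGOFF, "userX", "WEB01", "winlogon.exe", "User logoff"),
    ("2003-01-17 11:00:00", LOGON, "userX", "WEB01", "winlogon.exe", "Logon type 10"),
    ("2003-01-17 11:03:00", PROCESS_CREATED, "userX", "WEB01", "regedit.exe", "New process created"),
    ("2003-01-17 11:30:00", LOGOFF, "userX", "WEB01", "winlogon.exe", "User logoff"),
    ("2003-01-17 12:00:00", PROCESS_CREATED, "SYSTEM", "WEB01", "inetinfo.exe", "New process created"),
    ("2003-01-17 12:10:00", OBJECT_OPEN, "SYSTEM", "WEB01", "inetinfo.exe", r"Object open: C:\inetpub\wwwroot\index.asp"),
]


def parse_log(rows=SAMPLE_LOG):
    """Turn raw rows into dicts with real timestamps, kept in time order.

    The time-ordered list is the foundation; every object-oriented view
    below is built on top of it rather than replacing it.
    """
    events = [dict(zip(FIELDS, row)) for row in rows]
    for ev in events:
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
    return sorted(events, key=lambda ev: ev["time"])


def build_tree(events):
    """Tree view: host -> user -> that user's events on that host.

    Answers "what has been done on this machine?" via tree[host].
    """
    tree = defaultdict(lambda: defaultdict(list))
    for ev in events:
        tree[ev["host"]][ev["user"]].append(ev)
    return tree


def since_penultimate_logoff(events, user):
    """'What did userX do since their next to last log off?'

    Edge case: with fewer than two logoffs on record there is no
    penultimate one, so the user's whole history is returned.
    """
    mine = [ev for ev in events if ev["user"] == user]
    logoffs = [ev for ev in mine if ev["id"] == LOGOFF]
    if len(logoffs) < 2:
        return mine
    cutoff = logoffs[-2]["time"]
    return [ev for ev in mine if ev["time"] > cutoff]


def since_last_start(events, process):
    """'What has IIS been doing since it was last restarted?'

    Assumption of this example: the most recent process-creation event
    for the image marks the restart. Returns [] if it was never seen
    starting, rather than guessing a boundary.
    """
    starts = [ev for ev in events if ev["process"] == process and ev["id"] == PROCESS_CREATED]
    if not starts:
        return []
    cutoff = starts[-1]["time"]
    return [ev for ev in events if ev["process"] == process and ev["time"] > cutoff]


if __name__ == "__main__":
    log = parse_log()
    for host, users in build_tree(log).items():
        print(host, {user: len(evs) for user, evs in users.items()})
    for ev in since_penultimate_logoff(log, "userX"):
        print("userX:", ev["time"], ev["id"], ev["process"], ev["detail"])
    for ev in since_last_start(log, "inetinfo.exe"):
        print("IIS:  ", ev["time"], ev["id"], ev["detail"])
```

The correlation key Paul asks for is the (user, host, process) tuple carried on every record; once the records are sorted by time, each object view is a filter plus a cutoff taken from that object's own marker events, so the same parsed list serves the forensic timeline and the per-object questions without a second copy of the log.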
This archive was generated by hypermail 2b30 : Sat Jan 18 2003 - 22:14:23 PST