RE: [logs] Windows Logs Auditing

From: Rainer Gerhards (rgerhardsat_private)
Date: Mon Aug 04 2003 - 06:36:39 PDT


    Luis,
    
    > You are right Rainer,
    > actually we are not auditing anything in our network (our 
    > Audit Policy is "Do Not Audit"), and we gonna start auditing 
    > everything (see the image attached). 
    > My doubts are:
    > 
    > 1.- What's gonna be the impact of our "full auditing" 
    > decision?, how can I evaluate it?
    > 
    > 2.- When we will get the information contained in the 
    > generated log files, how can we "read" the information they contain?.
    > 
    > 3.- How necessary is the "full auditing" in a network?
    
    Actually, I would recommend defining first what you are looking for.
    Everything is really a lot. Of course it helps, but depending on what
    your goal is, you may eventually need to turn out some file system
    audits. Other audit logs may not be necessary. In plain, you can't turn
    on full auditing logs including file system - at least if you don't
    expect to spend around half to 90% of your hardware for auditing
    purposes...
    
    ... At least this is my experience - anybody else?
    
    Rainer
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    


