RE: [logs] Audit - Log Retention - How Long - Legal Requirements?

From: Rainer Gerhards (rgerhardsat_private)
Date: Wed Sep 10 2003 - 00:47:19 PDT

  • Next message: Ganu Skop: "Re: [logs] Log Script"

    I think as long as you extract them in a way that can easily be
    described and is routine and proviedes exact results, there is no
    difference between a parsed version and the actual event log raw files -
    at least this is my understanding from previous discussions on this
    I actually see value in not storing the files. You can change the SIDs
    to actual users, which makes review even after some years (and
    disappeared domains, delted users etc) much easier. Our solution will
    also soon support some cryptographic hashes over the event log entry, so
    they can be verified. Others may do other tricks...
    > If you archive Windows events in evt format, you preserve UTC 
    > timestamps
    > and the ability to use event viewer and the eventlog APIs to query the
    > log.  However, some SIDs in the log may not be able to be 
    > looked up and
    > translated to account names, for accounts that have been 
    > deleted between
    > log archival and log view.  Event messages can be viewed in 
    > any locale.
    > If you archive Windows events as txt, you must note the time 
    > zone of the
    > machine.  SID translation is done before conversion to txt, 
    > so SID-name
    > translation is not an issue, except for renamed accounts.  Event
    > messages will be stored in the locale where text conversion occurred.
    > I can't speak to the legal implications of either.
    > _______________________________________________
    > LogAnalysis mailing list
    > LogAnalysisat_private
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Wed Sep 10 2003 - 09:56:46 PDT