Monitoring Windows Event Logs - A Tutorial

Part I - For beginners

Introduction

This tutorial is aimed at helping you tighten your Windows security and proactively prevent performance degradation by identifying and monitoring critical Windows Events.
The tutorial is made available in two parts, with this first part covering what you need to know as a beginner about Event Logs and why they need to be watched. If you are a seasoned administrator or a network engineer, move on to part II and learn to set up Event Log monitoring.

What, Why, and How of Event Logs

Event logs are local files recording all the 'happenings' on the system. They include accessing, deleting or adding a file or an application, modifying the system's date, shutting down the system, changing the system configuration, etc. Events are classified into the System, Security, Application, Directory Service, DNS Server and DFS Replication categories. The Directory Service, DNS Server and DFS Replication logs are applicable only for Active Directory. Events that are related to system or data security are called security events, and their log file is called the Security log. The following sections provide more details on Windows Event Logs and what mandates their monitoring:
Event Log Categories

The Event logs are broadly classified into a few default categories based on the component that generated the event. The different components for which events are logged include the system, the system security, the applications hosted on the system, etc. Some applications log events in a custom category instead of logging them into the default Application category.
Types of Event Logs

Each event entry is classified by Type to identify the severity of the event. The types are Information, Warning, Error, Success Audit (Security log) and Failure Audit (Security log).
The Event Viewer lists the event logs by category.

Understanding an Event

Events are listed with header information and a description in the Event Viewer.
Double-click an event to see its details.

How can security logs prevent hacks and data thefts?

Security is the biggest concern every business faces today. Incidents like hacks and data thefts are continuously on the rise, exposing all segments of business to risk and leaving administrators red-eyed. Various industry studies reveal that the majority of hacks and thefts take place through illegal authentication attempts. Auditing illegal or failed login attempts could prevent (or reduce) data thefts. That said, it is important to know what an operating system can provide by way of security and what we must do to deploy operating systems with the required security.

Events that need auditing and audit plan

For many security conditions, events are not logged by default, which means that your resources are still exposed to hacks. You have to configure audit policies to audit the security events and log them. Critical security events that need auditing:
It is not necessary to configure all the audit policies. Doing so would result in logging for each and every action that takes place and would increase the log size. The logs roll over and, depending on the roll-over size configured, the older entries are deleted. Configuring only the policies that are really critical to your environment will improve security without drowning the log. Auditing of critical events is enabled by default for domain controllers. For the other Windows devices, configure the audit policies available under Local Security Settings. The audit policies available are:
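As an added example (not part of the original tutorial), the following PowerShell script ties the audit plan above to the failed-logon auditing the tutorial recommends: it checks whether Logon failure auditing is enabled and then summarises recent failed logons (Security event ID 4625) per account and source address. It assumes an elevated PowerShell session on Windows; the $Hours and $Threshold parameters are constructed for the example.

```powershell
# Added example: verify Logon failure auditing, then summarise failed logons (4625).
# Assumes an elevated PowerShell session on Windows. $Hours and $Threshold are
# constructed example parameters; tune them to your environment.
param(
    [int]$Hours = 24,       # how far back in the Security log to look
    [int]$Threshold = 10    # failures per account+source worth reporting
)

# 1. Verify the audit policy. Without failure auditing on the Logon subcategory,
#    event 4625 is never written, so monitoring would silently see nothing.
$policy = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
if ($policy.'Inclusion Setting' -notmatch 'Failure') {
    Write-Warning 'Logon failure auditing is OFF. Enable it with:'
    Write-Warning '  auditpol /set /subcategory:"Logon" /failure:enable'
}

# 2. Pull failed-logon events from the Security log for the time window.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# 3. Read EventData fields by name from the event XML rather than by position,
#    so the script does not depend on the field order of a particular Windows build.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
        Source    = $data.IpAddress
        Station   = $data.WorkstationName
        LogonType = $data.LogonType
    }
}

# 4. Group by account and source; surface only combinations above the threshold.
$rows | Group-Object Account, Source |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Account'; e = { $_.Group[0].Account } },
                  @{ n = 'Source';  e = { $_.Group[0].Source } },
                  @{ n = 'Last';    e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Run it on a schedule or from a central collector against the Forwarded Events log to get the regular, automated check the tutorial calls for instead of a manual look at every device.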
Need for monitoring Event Logs

The need to comply with regulations such as SOX and HIPAA (for publicly traded companies, the health care industry, etc.) necessitates implementing a security management process to protect against attempted or successful unauthorized access. Securing the information on your network is critical to your business, with or without a standard to comply with. Windows event logs are one of the sources from which login attempts can be tracked and logged. A manual check on every Windows device is tedious and impractical, and warrants automated auditing and monitoring of event logs on a regular basis.

Other useful links

Enabling Security Audit in Windows
Advanced Security Audit Policy Step-by-Step Guide

Where are forwarded events stored?

Windows allows events to be forwarded from one host to another. By default, a forwarded event is stored in the Windows Logs > Forwarded Events folder, but a different folder can be specified. You can configure the probe to monitor the forwarded events stored in any forwarded event log folder.
What are subscriptions in Event Viewer?

Subscriptions are defined on the event collector through the Event Viewer user interface by selecting the Create Subscription action when the Subscriptions node is selected. A subscription may also be created with the WECUTIL command-line utility.

Which Event Viewer feature should you use to view events in multiple logs?

Event Viewer enables you to filter for specific events across multiple logs, making it easy to display all events that are potentially related to an issue you are investigating. To specify a filter that spans multiple logs, create a custom view.

What is the Forwarded Events log in Event Viewer?

This log records events written by other computers in the same network ("source computers") that have forwarded their events to the "collector computer". By using the Forwarded Events log, you can keep track of the event logs of several other computers from one central location.