Event Log Management Best Practices: Define Your Audit Policy Categories (Part 1)

Speaking of networks as “living entities,” records of all events taking place in your environment are being logged right now into event logs and Syslog files across your servers, workstations and networking devices. Has somebody gained unauthorized access to key enterprise information, such as customer credit card data or employee, patient or financial records? Is your compliance officer asking for SOX-centric reports? The best way to react and respond is by collecting, archiving, analyzing, alerting and reporting on the key entries stored in your log files. Compliance standards such as SOX, Basel II, HIPAA, GLB, FISMA, PCI DSS, and NISPOM require this.

Log management is a truly daunting task because log files can come from many different sources, in various formats, and in large quantities. Just consider that one single Windows server can generate 1GB of log data in just one single day! In order to stay on top of this deluge of info, you really need to build the right log management strategy.

Here at WhatsUp Gold, our Gurus have developed seven Best Practices for Event and Log Management (ELM) to get you started on the path towards efficient log management. Today I will cover the first of these helpful tips.

When developing an effective ELM strategy, it is important to first define your audit policy categories. The term audit policy, in Microsoft Windows lexicon, just refers to the types of security events you want to record in the security event logs of your servers and workstations. With Microsoft Windows NT® systems, you must set the audit policy manually, but in Windows 2000® or Windows 2003® Active Directory® domains, with “Group Policy” enabled, you can define uniform audit policy settings for groups of servers or the entire domain.

Key Windows Event Logging Categories to Enable
  • Logon Events – Success/Failure
  • Account Logons – Success/Failure
  • Object Access – Success/Failure
  • Process Tracking – Success
  • Policy Change – Success/Failure
  • Account Management – Success
  • Directory Service Access – Success/Failure
  • System Events – Success/Failure
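
As an added example (not part of the original post and not WhatsUp Gold code), the PowerShell below applies the list above with auditpol.exe and then reads the effective policy back so you can check for gaps. It assumes Windows Vista / Server 2008 or later (auditpol does not exist on the NT, 2000 and 2003 systems the post mentions), an elevated prompt, and the mapping from the post's category names to auditpol's legacy category names shown in the table at the top of the script.

```powershell
# Added example, not WhatsUp Gold's code. Applies the categories listed above
# with auditpol.exe and reads the effective policy back. Assumes Windows Vista /
# Server 2008 or later and an elevated prompt. On a domain member these local
# settings are overwritten at the next Group Policy refresh, so in a domain put
# the same values in a GPO (Computer Configuration > Windows Settings >
# Security Settings > Local Policies > Audit Policy) as the post describes.
#Requires -RunAsAdministrator

# Category name used in the post -> auditpol legacy category -> intended setting
$AuditIntent = @(
    @{ Post = 'Logon Events';             Category = 'Logon/Logoff';       Success = $true; Failure = $true  }
    @{ Post = 'Account Logons';           Category = 'Account Logon';      Success = $true; Failure = $true  }
    @{ Post = 'Object Access';            Category = 'Object Access';      Success = $true; Failure = $true  }
    @{ Post = 'Process Tracking';         Category = 'Detailed Tracking';  Success = $true; Failure = $false }
    @{ Post = 'Policy Change';            Category = 'Policy Change';      Success = $true; Failure = $true  }
    @{ Post = 'Account Management';       Category = 'Account Management'; Success = $true; Failure = $false }
    @{ Post = 'Directory Service Access'; Category = 'DS Access';          Success = $true; Failure = $true  }
    @{ Post = 'System Events';            Category = 'System';             Success = $true; Failure = $true  }
)

function Set-AuditCategory {
    param([hashtable]$Entry)
    $s = if ($Entry.Success) { 'enable' } else { 'disable' }
    $f = if ($Entry.Failure) { 'enable' } else { 'disable' }
    # /set /category applies the same Success/Failure choice to every subcategory
    & auditpol.exe /set "/category:$($Entry.Category)" "/success:$s" "/failure:$f" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$($Entry.Category)'" }
}

function Get-UnauditedSubcategories {
    # /r prints the effective policy as CSV, one row per subcategory.
    # Anything still at 'No Auditing' is a gap against the intent above;
    # 'Privilege Use' rows are expected here because that category is not in the list.
    & auditpol.exe /get /category:* /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv |
        Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
        Select-Object Subcategory, 'Inclusion Setting'
}

foreach ($entry in $AuditIntent) {
    Write-Host ("Setting {0,-25} -> {1}" -f $entry.Post, $entry.Category)
    Set-AuditCategory -Entry $entry
}
Get-UnauditedSubcategories | Format-Table -AutoSize
```

Directory Service Access only produces events on domain controllers, so the category is set but stays quiet on member servers and workstations.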

To read about all seven Best Practices, view the Whitepaper, or stay tuned for more of the ELM Best Practices Blog Series.
