LogAnalysis
[logs] "Missing" Microsoft Event Log events Oct 30 2007 06:05PM
Tina Bird (tbird precision-guesswork com) (1 replies)

Hi all --

In my latest bout of centralizing information about events relevant to
administration and compliance management, I am reviewing my documentation on
Microsoft audit policies and the events they control. This work uses this
document

http://www.splunkbase.com/howtos/Operating_Systems/Windows/howto:HOWTOunderstandMSEventLog

or http://tinyurl.com/39uny7

as its starting point; for the HOWTO doc I went through each of the
Microsoft documents describing areas of local security policy related to
auditing, and summarized the specific event IDs associated with a given
option in the audit configuration.

As I work my way through this list, trying to identify things like what
kinds of information are recorded in each event, I'm discovering numerous
messages that are included in the audit policy documentation, but don't seem
to be included in the Event Log any more. For instance, according to

http://technet2.microsoft.com/windowsserver/en/library/50fdb7bc-7dae-4dcd-8591-382aeff2ea791033.mspx?mfr=true

or http://tinyurl.com/36nxgp, the MS doc entitled "Audit object access,"
there's a host of events with IDs in the 770s related to certificate
authority activity and cert management. Of the 3 I've checked so far, none
of those messages can be found in the Errors and Events Message Center:

http://www.microsoft.com/technet/support/ee/ee_advanced.asp

I vaguely recall that MS CA activity is now all recorded in a text log
somewhere; in fact,

http://technet2.microsoft.com/WindowsServer/en/library/b70185ed-93aa-4346-b869-9913282086af1033.mspx?mfr=true

or http://tinyurl.com/2n48zp, written at around the same time the "Audit
object access" page was last reviewed, states that CA transaction logs are
stored in a file (in an unspecified location, sigh).

So are the audit policy documents just seriously out of date? Or am I
missing something? If these particular events can no longer be generated
because activity is now recorded outside the Event Log, why haven't the
audit policy documents been updated?

And for event IDs that are still active, wouldn't it be great if the audit
policy doc linked those messages to their complete descriptions from the
Errors and Events database?

yours perplexedly -- tbird
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
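The reconciliation the post describes by hand (take the event IDs an audit-policy document attributes to an option, then check whether each one is actually defined and actually shows up in the Event Log) can be scripted on a modern host. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes an elevated PowerShell 5.1+ session with the Security log readable, that the IDs of interest are published by the Microsoft-Windows-Security-Auditing provider, and it uses the constructed placeholder range 770..779 (the "770s" mentioned above) where a reader would paste the IDs from the audit-policy document.

```powershell
# Added example (not from the original post): reconcile event IDs taken from an
# audit-policy document against (a) the event definitions the Security auditing
# provider actually publishes on this host and (b) what the Security log has
# actually recorded recently. An ID with no provider definition is the same
# symptom as one missing from the Errors and Events database.
#
# Assumptions: elevated PowerShell 5.1+; events come from the
# Microsoft-Windows-Security-Auditing provider. The ID list below is a
# constructed placeholder covering the "770s", not a transcription of the
# Microsoft document; replace it with the IDs you are auditing.

$DocumentedIds = @{
    'Audit object access (CA activity, placeholder IDs)' = 770..779
}
$LookbackDays = 30

# Build a lookup of every event ID the provider defines, with its message text.
$provider = Get-WinEvent -ListProvider 'Microsoft-Windows-Security-Auditing'
$knownIds = @{}
foreach ($e in $provider.Events) {
    $knownIds[[int]$e.Id] = $e.Description
}

$since = (Get-Date).AddDays(-$LookbackDays)

foreach ($category in $DocumentedIds.Keys) {
    "== $category =="
    foreach ($id in $DocumentedIds[$category]) {
        $defined = $knownIds.ContainsKey($id)

        # Count recent instances. Get-WinEvent reports "no events found" as an
        # error rather than an empty result, so suppress it and treat as zero.
        $hits = Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = $id
            StartTime = $since
        } -ErrorAction SilentlyContinue
        $count = if ($hits) { @($hits).Count } else { 0 }

        $status = if (-not $defined) { 'NOT DEFINED BY PROVIDER' }
                  elseif ($count -eq 0) { 'defined, never seen' }
                  else { 'active' }

        # First line of the provider's message template, if any, for context.
        $desc = ($knownIds[$id] -split "`n")[0]
        '{0,6}  {1,-24}  {2,5} hits  {3}' -f $id, $status, $count, $desc
    }
}
```

IDs reported as "NOT DEFINED BY PROVIDER" are the ones worth raising with the documentation owner, since no audit setting on that host can produce them; "defined, never seen" usually means the corresponding subcategory is not enabled or the activity simply has not occurred in the lookback window, which is the distinction the post's manual check cannot make on its own.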

RE: [logs] "Missing" Microsoft Event Log events Nov 05 2007 06:25PM
Eric Fitzgerald (Eric Fitzgerald microsoft com)