Focus on Microsoft
Windows event logs to filter/ignore Sep 22 2010 02:54PM
Youngquist, Jason R. (jryoungquist ccis edu) (1 replies)
RE: Windows event logs to filter/ignore Sep 22 2010 03:09PM
Allan Jones (ajones pop com br)
Jason,

Have you tried GPO's for the filtering?

Regards,
Damien

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of Youngquist, Jason R.
Sent: quarta-feira, 22 de setembro de 2010 11:54
To: 'focus-ms (at) securityfocus (dot) com [email concealed]'
Subject: Windows event logs to filter/ignore

We are sending logs from Windows servers to a centralized collector. The
Windows servers are consistently sending all kinds of events to the
collector. I'm seeing a bunch of Security:538 and Security:576 events. For
example, one particular server is sending Security:538 events and
Security:576 events several times a minute. Over a period of time that I
was looking at, these two events accounted for 92% of the events being sent
from the server. When I looked at the events they basically said the same
thing over and over...Security:576 - "Special privileges assigned to new
login, username: administrator...." And Security:538 - "User Logoff: User
name: administrator...."

I'd like to filter out these events before they hit the collector, but I'm
afraid of filtering out too much and potentially missing a log entry that
could help with an incident, while at the same time I don't want to send and
store logs that aren't useful.

Thoughts?

Thanks.
Jason Youngquist

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus