The Windows Security Log Revealed

Chapter 13
Getting the Most from the Windows Security Log

Even a handful of servers create more Security log data than you can hope to monitor and analyze manually. Frequent use of Auditpol and Wevtutil will enable you to become a master at understanding event logging in Windows. Both of these tools are essential and have no substitute at the time of this writing.
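As an added illustration (not code from the book), the following PowerShell wraps the two tools named above into a repeatable baseline check: snapshot the effective audit policy with Auditpol, read one subcategory's setting, inspect the Security log's size and retention with Wevtutil, and pull the newest events for one ID with an XPath filter. The output path and the event ID 4624 (successful logon) are illustrative values; run it from an elevated prompt.

```powershell
# Added example (not from the book): baseline checks with Auditpol and Wevtutil.
# Requires an elevated PowerShell prompt. Path and event ID are illustrative.

function Save-AuditPolicyBaseline {
    param([string]$Path = "$env:TEMP\auditpol-baseline.csv")
    # auditpol /backup writes the effective policy for every subcategory to a CSV
    # that can be diffed against a later snapshot or reapplied with auditpol /restore.
    auditpol /backup "/file:$Path" | Out-Null
    return $Path
}

function Show-AuditPolicy {
    param([string]$Subcategory)
    if ($Subcategory) {
        # Effective setting (Success / Failure / No Auditing) for one subcategory.
        auditpol /get "/subcategory:$Subcategory"
    } else {
        # Every category and subcategory at once.
        auditpol /get /category:*
    }
}

function Show-SecurityLogConfig {
    # Maximum size, retention mode and on-disk path of the Security log.
    wevtutil gl Security
}

function Get-RecentSecurityEvents {
    param(
        [int]$EventId = 4624,   # illustrative: "An account was successfully logged on"
        [int]$Count = 10
    )
    # XPath filter on the System section; /rd:true returns newest first,
    # /f:text renders the message text instead of raw XML.
    wevtutil qe Security /q:"*[System[(EventID=$EventId)]]" /c:$Count /rd:true /f:text
}

# Usage
$baseline = Save-AuditPolicyBaseline
Write-Host "Audit policy saved to $baseline"
Show-AuditPolicy -Subcategory "Logon"
Show-SecurityLogConfig
Get-RecentSecurityEvents -EventId 4624 -Count 5
```

Keeping the CSV from `auditpol /backup` under version control gives you a cheap way to notice when an audit policy drifts, which is often why an expected event "just doesn't appear".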

The Event Viewer in later versions of Windows was greatly improved over earlier versions. The ability to filter events is also a big plus. LogParser is a terrific free utility that can help you with filtering tasks, but most organizations ultimately see the need for a full Security log–management solution.

If you are evaluating such solutions, make sure you select one that fits your needs. If you have more than a dozen servers, you need to factor scalability into your evaluation plan. Performance also becomes an issue when you need to monitor systems across slow WANs.

Make sure that the solution supports the alert methods that your staff requires, be it pager, email, SNMP traps, or execution of a script. Check out the reporting mechanism. I’ve never seen a solution that offers all the reports you might ever need, so how sophisticated is the user-definable report capability? What are your archival needs?

Does the solution's architecture fit your environment? Some solutions require you to deploy agents on each monitored system. Agents provide many advantages but also drive up implementation costs and can create problems for server administrators.

Is interoperability (such as support for Syslog) important to you? Does the tool need to accept Syslog data streams as input? Do you need to be able to send Windows security events to a Syslog server or a database such as Microsoft SQL Server?

Don't forget the issue of separation of duty. Do you have a large IT department that includes separate staff to monitor security? If so, is the solution part of a larger operations framework that will be under the control of the very folks you need to monitor?

Finally, ask yourself whether the solution provides integrity and confidentiality of log data as it traverses your network, database, and archive files.

Keep Learning

As you spend time with the Windows Security log, you’ll be able to interpret more and more of its obscure codes and make inferences based on patterns you begin to recognize. At times you’ll find that expected events just don’t appear. We recommend that you test any implementation of event alerts or reports. The best way to gain skill is to perform the actions you want to track and then analyze the events that Windows logs in response to those actions.

That sequence of activities might be the opposite of what you expect. But after many years of analyzing Security logs, I’ve found that it’s better to determine what you want to audit and then find it in the Security log rather than to try to understand and eliminate events. Don’t treat the Security log like an exception list in which each item needs to be followed up on. The Security log just wasn’t designed that way—in fact, it wasn’t really designed at all. Only in the past few years has Microsoft created a Windows product group team that owns the Windows audit function. Prior to that, each team basically got a range of event IDs and used them as they saw fit or as dictated by Common Criteria requirements. Too much noise exists in the Security log, and too many events can be explained only after a lot of experimentation and conversations with a Microsoft support engineer.

If you choose to ignore the advice in the preceding paragraph, you'll definitely learn a lot about the Security log and discover some of its more-arcane secrets. More than once, I’ve discovered a new and useful event ID by querying the log for every unique event ID. Other times, I’ve used this method on a particular description field when we wanted to learn its full set of potential values.
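The learn-by-doing loop described in the two preceding paragraphs, as an added example that is not from the book: mark a start time, perform the action you want to track, then pull only what the Security log wrote after that point, list every distinct event ID it contains, and enumerate the distinct values of one description field. The function names are mine; event 4624 and its LogonType field are used only as an illustration of the field-enumeration step.

```powershell
# Added example (not from the book): perform an action, then analyze what the
# Security log recorded. Requires an elevated prompt (the Security log is not
# readable by standard users).

function Get-SecurityEventsSince {
    param([Parameter(Mandatory)][datetime]$Since)
    # Server-side filter: only Security events written at or after $Since.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $Since } -ErrorAction SilentlyContinue
}

function Get-UniqueEventIds {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Events)
    # One row per distinct event ID with its count and task category, most
    # frequent first: the "query the log for every unique event ID" technique.
    $Events | Group-Object -Property Id | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            EventId  = $_.Name
            Count    = $_.Count
            Category = $_.Group[0].TaskDisplayName
        }
    }
}

function Get-UniqueFieldValues {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Events,
        [Parameter(Mandatory)][int]$EventId,
        [Parameter(Mandatory)][string]$FieldName   # a <Data Name="..."> element under EventData
    )
    # Parse each matching event's XML and collect the distinct values of one
    # named field, which reveals that field's full set of observed values.
    $Events | Where-Object Id -eq $EventId | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $xml.Event.EventData.Data | Where-Object Name -eq $FieldName | ForEach-Object { $_.'#text' }
    } | Where-Object { $_ -ne $null } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'Value'; e = { $_.Name } }, Count
}

# Usage: mark the time, perform the action (log on interactively, touch a file
# that carries an audited SACL, change a group membership), then analyze.
$start = Get-Date
Read-Host "Perform the action you want to audit, then press Enter"
$events = @(Get-SecurityEventsSince -Since $start)

Write-Host "Distinct event IDs written since $start"
Get-UniqueEventIds -Events $events | Format-Table -AutoSize

# Illustrative: which LogonType values appeared on event 4624 (successful logon).
Get-UniqueFieldValues -Events $events -EventId 4624 -FieldName 'LogonType' | Format-Table -AutoSize
```

Running the same loop before and after an audit-policy change is the quickest way to confirm that an alert or report you have built actually has events to fire on.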

The Security log has plenty to offer those willing to learn and experiment. Researching the log carries an added bonus: The more you learn about the Security log, the more you will understand the security infrastructure of the largest and most widely used operating system in the world.
