Solved

Security Log analysis / reporting tools

Posted on 2006-04-24
Last Modified: 2013-12-04
I have a Windows SBS 2003 server and would like to track user activity (such as read, create, modify on dirs & files) using the SACL of AD. Enabling an audit of directory service access writes all events to the security log. Going through this info is time-consuming and a real nightmare!

I am after a tool which does this for me so that I can query and report the security log i.e. which user last had access to file1 or which files has user1 last edited/accessed.

Any ideas?
Question by:omb
3 Comments
 

Accepted Solution

by:
JammyPak earned 90 total points
ID: 16530948
Note that enabling auditing of "Directory Service Access" is NOT auditing access to files and directories - it's actually auditing access to the Active Directory database.

You want to enable "Audit Object Access" - that will allow you to go into the properties of a directory, and turn on auditing and select for which users/groups to audit.

After that, you should start seeing data in the security log. To query it, look at MS Log Parser:
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

Here's an article on using it to parse IIS logs (not exactly what you want, but might be interesting)
http://www.securityfocus.com/infocus/1712

Here's an overview of the different security log event IDs you'll see:
http://www.ultimatewindowssecurity.com/events/com212.html
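
As an added example (not part of the original thread or any poster's code): once the object-access events have been exported from the Security log to CSV, the two reports the question asks for (who last accessed a file, and which files a user last touched) can be produced as below. The column names, account names and paths are constructed assumptions; a real export needs its own field mapping.

```python
import csv
import io
from datetime import datetime

# Constructed sample export: one row per object-access audit event.
# Column names and values are assumptions, not real log output.
SAMPLE_CSV = """TimeGenerated,User,ObjectName,Accesses
2006-04-24 09:15:02,CORP\\user1,D:\\Shares\\Finance\\file1.xls,ReadData
2006-04-24 10:41:37,CORP\\user2,D:\\Shares\\Finance\\file1.xls,WriteData
2006-04-24 11:05:10,CORP\\user1,D:\\Shares\\HR\\policy.doc,WriteData
2006-04-24 11:20:45,CORP\\user1,D:\\Shares\\Finance\\file1.xls,ReadData
2006-04-24 12:02:00,CORP\\user2,D:\\Shares\\HR\\policy.doc,DELETE
"""

def load_events(text):
    """Parse the export into dicts with a real datetime, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["When"] = datetime.strptime(row["TimeGenerated"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return sorted(events, key=lambda e: e["When"])

def last_access_per_file(events, accesses=None):
    """Map each file (lower-cased, Windows paths ignore case) to its latest event."""
    latest = {}
    for e in events:
        if accesses and e["Accesses"] not in accesses:
            continue  # optional filter, e.g. only writes and deletes
        latest[e["ObjectName"].lower()] = e  # later rows overwrite earlier ones
    return latest

def recent_files_for_user(events, user):
    """Files the user touched, each with their latest access time, newest first."""
    seen = {}
    for e in events:
        if e["User"].lower() == user.lower():
            seen[e["ObjectName"]] = e["When"]
    return sorted(seen.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    for path, e in last_access_per_file(events).items():
        print(f"{path}: last accessed by {e['User']} at {e['When']} ({e['Accesses']})")
    for path, when in recent_files_for_user(events, "CORP\\user1"):
        print(f"user1 -> {path} at {when}")
```
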





 

Author Comment

by:omb
ID: 16533076
Thanks for the clarification. I have now enabled "Audit Object Access" and specified which dirs I would like audited. Now, lots of events are being written to my security log.

I have checked out MS Log Parser... looks OK but I would prefer a GUI-based program. Any ideas of other software with a nice graphical interface which could analyse and report on the security log events?

Thanks
 

Assisted Solution

by:Rich Rumble
Rich Rumble earned 60 total points
ID: 16536843
GFI's SELM is great, but costs money: http://www.gfi.com/lanselm/
And yes, you should turn up the logging if you're using the default that the OS uses out of the box.
-rich


Question has a verified solution.
