Solved

Changing Audit log locations

Posted on 2006-11-17
2
199 Views
Last Modified: 2013-12-04
We have a situation where there are files that are sensitive enough we need them audited but only a select subset of users should be able to see those logs.  I need to seperate the auditing logs of those files from the auditing logs of the rest of the files on the system.  I have found the code to create more event logs but how can I direct certain security logs to that newly created event log instead of the standard Security event log.

Thank you
Adam
0
Comment
Question by:SAIonline
2 Comments
 
LVL 24

Accepted Solution

by:
SunBow earned 500 total points
ID: 17969719
I dunno. Which ones?
You can try to search registry for filename, and change each one.
You 'should' have option available through menu system to get it right, I doubt that is well available
For some, such as Security log for the Event viewer, a right click gets allowance to display properties
From there, see C:\WINDOWS\System32\config\SecEvent.Evt as name of file (default)
Mine is changeable but greyed out. Yours?
You might have to reboot to local, off-net, then login as administrator, often meaning physically present at KB

I advise to NOT try. Reasoning is that there are far too many updates required, where too many things can go wrong such as, those who write update code neglect that there are possibilities other than defaults, and they may either set all back ( a tug of war) or end up with some messages going nowhere (if not crashing systems)

>  only a select subset of users should be able to see those logs

Sometimes it helps to have users read them to help desk. Too rarely, no one ever checks the logs for resolving problems. Users can also be a form of check and balance, where too many installers can cause a problem yet deny that they ever touched the machines (remotely). My preference would be dealing with users, try denying them access to directory store using Windows Explorer (or similar tool).

Check Local Security Settings \ Local Policies \ User Rights Assignments
for items like
Managing auditing and security log
0
 
LVL 2

Author Comment

by:SAIonline
ID: 17979098
SunBow
I am able to change where the default security entries are logged, but that doesn't get me to where I need to be.  On our file server there is a directory that only certain director and VP level users should be able to see.  We want to audit that directory but I am told that even our security team should not know what is in that directory.  That presents a problem because the security log will log the name of the file when someone attempts to gain (succefully or not) access to that file. The rest of the files should be (and are) audited normally by our security team.  I wanted to generate the logs for that directory and child objects to a different log file accessible by only those they deem fit.  Does that make more sense now?  I told them because of the nature of the directory that maybe it should be moved to a different server, but they wanted to try and leave it where it is for ease of use (VP's) if we can.  Any other ideas, even thrid party apps are on the table.  I need something that will only write events for a single directory to a seperate log of some kind, without disturbing the auditing already in place.  (Yes I know it may be futile)

Thank you
Adam
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now