Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 207
  • Last Modified:

Changing Audit log locations

We have a situation where there are files that are sensitive enough we need them audited but only a select subset of users should be able to see those logs.  I need to seperate the auditing logs of those files from the auditing logs of the rest of the files on the system.  I have found the code to create more event logs but how can I direct certain security logs to that newly created event log instead of the standard Security event log.

Thank you
Adam
0
SAIonline
Asked:
SAIonline
1 Solution
 
SunBowCommented:
I dunno. Which ones?
You can try to search registry for filename, and change each one.
You 'should' have option available through menu system to get it right, I doubt that is well available
For some, such as Security log for the Event viewer, a right click gets allowance to display properties
From there, see C:\WINDOWS\System32\config\SecEvent.Evt as name of file (default)
Mine is changeable but greyed out. Yours?
You might have to reboot to local, off-net, then login as administrator, often meaning physically present at KB

I advise to NOT try. Reasoning is that there are far too many updates required, where too many things can go wrong such as, those who write update code neglect that there are possibilities other than defaults, and they may either set all back ( a tug of war) or end up with some messages going nowhere (if not crashing systems)

>  only a select subset of users should be able to see those logs

Sometimes it helps to have users read them to help desk. Too rarely, no one ever checks the logs for resolving problems. Users can also be a form of check and balance, where too many installers can cause a problem yet deny that they ever touched the machines (remotely). My preference would be dealing with users, try denying them access to directory store using Windows Explorer (or similar tool).

Check Local Security Settings \ Local Policies \ User Rights Assignments
for items like
Managing auditing and security log
0
 
SAIonlineAuthor Commented:
SunBow
I am able to change where the default security entries are logged, but that doesn't get me to where I need to be.  On our file server there is a directory that only certain director and VP level users should be able to see.  We want to audit that directory but I am told that even our security team should not know what is in that directory.  That presents a problem because the security log will log the name of the file when someone attempts to gain (succefully or not) access to that file. The rest of the files should be (and are) audited normally by our security team.  I wanted to generate the logs for that directory and child objects to a different log file accessible by only those they deem fit.  Does that make more sense now?  I told them because of the nature of the directory that maybe it should be moved to a different server, but they wanted to try and leave it where it is for ease of use (VP's) if we can.  Any other ideas, even thrid party apps are on the table.  I need something that will only write events for a single directory to a seperate log of some kind, without disturbing the auditing already in place.  (Yes I know it may be futile)

Thank you
Adam
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now